Overview of POPI Act

COMPLYING WITH THE REQUIREMENTS FOR THE PROTECTION OF PERSONAL INFORMATION

Privacy is the constitutional right of everyone in South Africa and is entrenched in the "Bill Of Rights". The Protection of Personal Information Act gives effect to this constitutional right of privacy by requiring safeguards for personal information processed by public and private bodies. Non-compliance may have serious consequences.

Overview

This 1 day course provides delegates with an overview of the Protection of Personal Information Act and the significant obligations placed on those business leaders identified as the "responsible parties" and "information officers". All public and private bodies will be affected by the requirements of this legislation. Various technical and organisational arrangements will be necessary.

Accountability for something as important as privacy protection and the protection of the organisation’s reputation rightly belongs with the Council and executive managers. Many functions (e.g. Legal, Operations, Information Systems, Public Affairs, Marketing) will need to bring their practices into line to ensure that the organisation’s response is consistent and serves the organisation’s enterprise-wide goals and strategies.

The collection of personal information must be for a specifically defined, lawful purpose related to a function of the responsible party. The processing of data must be for a legitimate purpose. Data subjects must be aware of the collection of the data. Adequate business controls are required to maintain data integrity, and information security must meet international standards. Data must be retained only for as long as necessary and then it must be destroyed.

Seminar Objectives

Participants will obtain an overview of the Protection of Personal Information Act and its implications for their organisations. On completion of this seminar, participants will be able to:

  • Articulate the requirements of the Protection of Personal Information Act
  • Demonstrate an understanding of the conditions for the lawful processing of personal information
  • Identify the technical and organisational measures necessary for protecting personal information
  • Describe the various roles and the responsibilities of the personnel who should be concerned about the protection of personal information
  • Identify the effort required to meet the requirements of the Protection of Personal Information Act and the conditions for the lawful processing of personal information contained therein.

Seminar Outline

Participants will learn through discussion and practical examples how to address the organisational, procedural, technical, and legal requirements for the Protection of Personal Information.

This seminar includes topics about:

  • Overview of the legislation for the Protection of Personal Information
  • The duties of the Responsible Party and Information Officer
  • Summary of the eight conditions for the lawful processing of personal information
  • Working with the Regulator
  • Communicating with data subjects
  • The eight conditions for the lawful processing of personal information
  • How to differentiate between personal and other data
  • How to update the PAIA manual and what records to keep about the processing of personal information
  • Identifying and mitigating privacy-related tasks
  • Organisational and technical arrangements necessary for the protection of personal information
  • Controlling the activities of service providers and operators
  • Trans-border exchanges of personal data
  • Building organisational capability to manage privacy
  • Challenges from the collection, profiling, cross-marketing, unstructured data, third party processing and secondary use of personal information.

Developing a compliance framework to address the obligations of the POPI Act

COMPLYING WITH THE LEGAL REQUIREMENTS FOR THE PROTECTION OF PERSONAL INFORMATION

The Protection of Personal Information Act requires all public and private bodies to ensure that how they use personal information is lawful, that there are systems in place for the protection of personal information, and there are processes for handling requests from the Information Regulator and individuals (i.e. data subjects).

Overview

The Protection of Personal Information Act has been finalised. All public and private bodies are required to record their processing of personal information in their PAIA Information Manual prior to actually processing it.

All public and private bodies are required to ensure that the processing of personal information is lawful and that personal information in their possession is always secure. Failure to do so could have serious consequences and may result in criminal proceedings and civil claims for damages.

The Protection of Personal Information Act specifies eight conditions for the lawful processing of personal information. Regardless of whether the organisation is a large corporate, government department, school or research organisation, it will have to ensure that the processing of personal information is lawful and all personal data in its possession is properly acquired, secured and destroyed when obsolete.

Seminar Objectives

Participants will obtain an understanding of the statutory requirements for the processing of personal information. On completion of this 2 day seminar, participants will be able to:

  • Demonstrate an understanding of the requirements of the Protection of Personal Information Act
  • Communicate the key aspects of the Protection of Personal Information Act
  • Articulate the activities necessary to address the legal requirements for the Protection of Personal Information
  • Clarify the roles and responsibilities of all parties required to be involved in the protection of personal information
  • Prepare a road map for the protection of personal information
  • Update the PAIA information manual
  • Perform a privacy impact assessment
  • Manage the privacy initiative in their organisation.

Seminar Outline

Participants will learn through discussion and practical examples how to prepare for and address the organisational, procedural, technical and legal requirements of the legislation for the Protection of Personal Information.


This seminar includes topics about:

  • The key components of the Protection of Personal Information Act
  • Accountability for the processing of personal information
  • Conditions for lawful processing of personal information
  • Identifying personal information and the category of special personal information
  • Processing that is subject to prior authorisations
  • Trans-border exchanges of personal data
  • Developing a Privacy Policy and educating staff
  • Conducting a Privacy Impact Assessment
  • Contracting with Operators and verifying compliance
  • Building capability to manage Privacy
  • Privacy by Design
  • Managing information throughout its life-cycle
  • The responsibilities of the CEO, the appointed “responsible parties” and appointed “information officer”
  • Records to be maintained in the PAIA information manuals regarding the processing of personal information
  • Handling requests for information and complaints from data subjects
  • The role and responsibilities of the Information Officer
  • The role of the Information Regulator
  • Assessments undertaken by the Information Regulator
  • Civil remedies, enforcement and criminal offences
  • The information security requirements
  • The need for records management and a legal register
  • Maintaining the information quality of personal data
  • Avoiding secondary use and unlawful processing
  • Developing an Action Plan to address the requirements for the lawful processing of personal information.

Protection of Personal Information Act: Impact on HR

COMPLYING WITH THE LEGAL REQUIREMENTS FOR THE PROTECTION OF PERSONAL INFORMATION

The Protection of Personal Information Act requires all public and private bodies to ensure that how they use personal information is lawful, that there are systems in place for the protection of personal information, and there are processes for handling requests from the Information Regulator and individuals (i.e. data subjects).

Overview

The Protection of Personal Information Act requires that responsible parties ensure that any processing of personal information conforms to all eight conditions for the lawful processing of personal information. The processing of human resources (HR) information of job applicants and employees is an area of high risk.

Privacy is a human right, protected by the South African Constitution. Individuals whose personal data is misused may feel particularly aggrieved that there has been an interference with their individual right to privacy, and may request the Information Regulator to take action and seek compensation.

Just because you can do something doesn't make it legal. Obtaining consent from employees, most often, is pointless.

Seminar Objectives

Participants will obtain an understanding of the legislative requirements for the processing of personal information that apply to human resource management.

On completion of this 2 day seminar, participants will be able to:

  • Demonstrate an understanding of the impact of the Protection of Personal Information Act on the processing of HR information
  • Communicate the impact of POPI on HR
  • Prepare a road map for the protection of personal information in HR
  • Articulate the HR activities that require attention as a result of the Protection of Personal Information Act
  • Clarify the responsibilities of HR personnel involved in the processing of personal information
  • Develop a privacy impact assessment for HR information
  • Perform a risk assessment for HR data.

Seminar Outline

Participants will learn through discussion and practical examples how to prepare for and address the organisational, procedural, technical and legal obligations for processing human resources information in conformance with the POPI Act.

This seminar includes topics about:

  • Why the protection of personal information is important for human resource management
  • The key components of the Protection of Personal Information Act
  • Accountability for the processing of personal information
  • Conditions for lawful processing of personal information
  • Identifying personal information and special personal information processed within HR
  • The impact of the POPI Act on the terms and conditions of employment
  • Good privacy practices of the HR function
  • Common HR practices that do not comply with the Protection of Personal Information Act
  • Restricting HR personnel's access to personal data
  • Risks from photocopying, faxes, and emails
  • Securing employee information in the office, when being transported and when processed at employees' homes
  • Keeping only what is allowed
  • Risks from using social media
  • The requirements for exchanging personal information
  • Staff data portability
  • Sharing employee data within a Group of companies
  • The cost of assurance.

Protection of Personal Information Act: Obligations of Responsible Parties

CEOs AND BUSINESS LEADERS ARE RESPONSIBLE FOR ENSURING THE PROCESSING OF PERSONAL INFORMATION IS LAWFUL

Responsible parties – those individuals who, alone or in conjunction with others, determine the purpose of and means for processing personal information – are required by the POPI Act to ensure compliance with the conditions for lawful processing of personal information, and the measures that give effect to these conditions.

Overview

The Protection of Personal Information Act requires accountability for any processing of personal information. Heads of public bodies, CEOs of private bodies and the business leaders identified as “responsible parties” who control the purpose and means for processing information are required to ensure compliance with the conditions of lawfully processing personal information set out in the Act.

Business leaders and responsible parties who fail to fulfil their obligations defined in this Act may be charged personally with a criminal offence and face civil claims for damages.

It is the responsibility of the “Responsible Parties” identified by the CEO and listed in the PAIA to ensure that personal information is processed lawfully and in a reasonable manner that does not infringe the constitutional rights of individuals to privacy.

Seminar Objectives

Participants will gain a general understanding of the legal obligations placed on “Responsible Parties”. On completion of this 1 day seminar, participants will be able to:

  • Articulate the requirements of the Protection of Personal Information Act
  • Demonstrate an understanding of the conditions for the lawful processing of personal information
  • Describe the role, responsibilities and legal obligations of the responsible parties
  • Describe the roles and the responsibilities of the other parties concerned about the processing of personal information
  • Identify the effort required to meet the requirements of the Protection of Personal Information Act and to fulfil the conditions for lawful processing personal information contained therein.

Seminar Outline

Participants will learn through discussion and practical examples how to address the obligations placed on responsible parties by the Protection of Personal Information Act.

This seminar includes topics about:

  • Recording details about Responsible Parties in the PAIA Manual
  • The duties of the Responsible Party
  • Implications of the Companies Act 2008
  • How to differentiate between personal and other data
  • The preparations required prior to updating the PAIA information manual about the processing of personal information
  • Mitigating risks
  • Documentation to be prepared prior to the processing of personal information
  • Processing details to be maintained in the PAIA manual
  • Communicating with data subjects
  • Implications of the conditions for lawful processing of personal information for business activities
  • Controlling the activities of Operators
  • Prior authorisation
  • Working with the Information Regulator
  • Working with the Information Officer
  • The role of Risk Management and Compliance
  • Trans-border exchanges of personal data
  • Consequences of failing to comply
  • Challenges – collection, profiling, cross-marketing, unstructured data, third party processing, secondary use
  • Case studies from industry – local and international
  • An Action Plan to fulfil the obligations of Responsible Parties.

POPI: The Role of INFORMATION OFFICERS

It is the responsibility of the "Information Officer" to encourage their organisation's responsible parties to process personal information lawfully and in a reasonable manner that does not infringe the constitutional rights of individuals to privacy. Information Officers need a sound understanding of the eight conditions for processing personal information and what is reasonable so that they are able to provide advice regarding compliance with the Protection of Personal Information Act.

Overview

The Protection of Personal Information (POPI) Act requires heads of public bodies and CEOs of private bodies to register their Information Officers with the Information Regulator so that data subjects and the Information Regulator can contact them, make requests and investigate the lawfulness of the processing of personal information.

Information Officers have specific statutory responsibilities which if not fulfilled have serious consequences, including the possibility of a jail sentence.

This 2 day course will assist Information Officers and Deputy Information Officers to understand their role and responsibilities under the Promotion of Access to Information Act (PAIA), the Protection of Personal Information Act and other legislation.

Seminar Objectives

At the conclusion of this course, delegates will be able to:

  • Articulate the impact of the Protection of Personal Information Act on their organisation's activities
  • Demonstrate an understanding of the duties and responsibilities of information officers
  • Describe the role, responsibilities and legal obligations of information officers and responsible parties
  • Describe the roles and the responsibilities of the other parties concerned about the processing of personal information
  • Explain the conditions for the lawful processing of personal information
  • Provide advice on complying with the eight conditions for the lawful processing of personal information.

Seminar Outline

Participants will learn through discussion and practical examples how to advise their CEO and responsible parties.

This seminar includes topics about:

  • Registering Information Officers with the Information Regulator
  • The duties and responsibilities of the Information Officer
  • Designation and delegation to Deputy Information Officers
  • Implications of the Companies Act 2008 for Information Officers and the possibility of Class action
  • How to differentiate between personal information, special personal information and other data
  • The content of the PAIA manual and why it is important
  • The preparations required prior to updating the PAIA information manual about the processing of personal information
  • Processing details to be maintained in the PAIA manual
  • Documentation to be prepared prior to the processing of personal information
  • The records that are to be available
  • The conditions for the lawful processing of personal information and their impact on the processing of personal information for business activities
  • Working with the Information Regulator to conduct investigations
  • Handling requests from data subjects
  • Encouraging Compliance with the provisions of the POPI act
  • Requests to the Regulator by Information Officers to make an Assessment
  • Responding to Information and Enforcement notices
  • Applications to Court regarding decisions of information officers.

Protection of Personal Information Act: Managing Operators

RESPONSIBLE PARTIES ARE LIABLE FOR THE UNLAWFUL PROCESSING OF PERSONAL INFORMATION BY THEIR OPERATORS

The Protection of Personal Information Act stipulates that every public and private body making use of operators must ensure that operators who process personal information for the responsible party establish and maintain generally accepted information security practices and procedures which may apply to it generally or specifically.

Overview

The Protection of Personal Information Act requires accountability for any processing of personal information. Heads of public bodies, CEOs of private bodies and the business leaders identified as "responsible parties" who control the purpose and means for processing information are required to ensure compliance with the conditions of lawfully processing personal information set out in the Act.

The responsible party must clarify, in written contracts with its operators and other service providers, the services the operators are commissioned to provide. The transfer of personal information to the operator must be limited to what is necessary for the operator to fulfil its contractual obligations.

Operators may not process personal information unless commissioned by responsible parties and the purpose is compatible with the original purpose of collection.

Seminar Objectives

Participants will gain a general understanding of the legal obligations placed on Responsible Parties to manage operators and other service providers. On completion of this 1 day seminar, participants will be able to:

  • Articulate the requirements of the Protection of Personal Information Act when commissioning operators
  • Demonstrate an understanding of how the conditions for the lawful processing of personal information apply to operators
  • Understand the typical content required in written contracts when engaging operators and other service providers
  • Communicate the responsible parties' role and responsibilities to ensure the lawful processing of personal information
  • Understand the need to validate operator procedures.

Seminar Outline

Participants will learn through discussion and practical examples how to commission and manage operators engaged by the responsible parties to provide services that process personal information.

This seminar includes topics about:

  • Why the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organizational measures.
  • Why operators may not process personal information unless commissioned to do so and the purpose is compatible with the original purpose for which it was collected.
  • Content of the typical contract between the responsible party and the operators, including details of the technical and organizational measures that the responsible party may have identified as necessary for the operator to establish and maintain to address the internal and external risks to the processing of personal information, as identified by the responsible party.
  • The role and responsibilities of operators and other service providers when processing personal information
  • The technical and organizational capabilities operators are required to have before a responsible party can commission an operator.
  • Governance and management structures and systems to plan, organize, direct and control operators and the services they provide.
  • Verification that the operator has fulfilled its contractual obligations to maintain effective technical.

How to perform assessments of compliance with the POPI Act

AUDITING THE LAWFUL PROCESSING OF PERSONAL INFORMATION

The Protection of Personal Information Act requires compliance with eight conditions for the lawful processing of personal information, including the continuous improvement of the safeguards that give effect to these conditions. Regular auditing of compliance with these eight conditions is an important compensating control that the Information Regulator will consider when investigating reports of non-compliance.

Overview

This 2 day course provides delegates with an understanding of how to lead, plan, execute and report an organisation’s compliance with the eight conditions for the lawful processing of personal information. Delegates will learn about the audit objectives and scope, the audit process, tests to be performed when assessing the current status, the privacy practices and the controls.

Internal audits of the processing of personal information are an important compensating control that the Information Regulator will expect when investigating an interference with an individual’s right to privacy.

This seminar will help participants understand the business risks and audit process that is required to evaluate the processing of personal information and to provide assurance to the responsible parties, information officer and regulator.

Seminar Objectives

Participants will gain an understanding of the requirements of the POPI Act and the audit process to be followed to give assurance.

On completion of this seminar participants will be able to:

  • Demonstrate an understanding of how to lead, plan, execute and report on an audit of conformance with POPI
  • Understand the POPI Act, its impact on the processing of personal information and the control objectives
  • Demonstrate an understanding of the audit scope and objectives
  • Demonstrate an understanding of the audit process
  • Conduct an audit of the POPI programme, the processing of personal information and the effectiveness of controls
  • Assess compliance with the POPI requirements.

Seminar Outline

Participants will learn through discussion and practical examples how to undertake an audit of the POPI programme, the processing of personal information and the privacy practices and controls necessary for the Protection of Personal Information Act.

This seminar includes topics about:

  • Overview of the POPI Act
  • The scope and purpose of an audit of the Protection of Personal Information Act
  • The audit process for assessing POPI
  • Determining the appropriate audit objectives
  • Identifying the scope of the POPI audit and agreeing the audit approach with the responsible parties
  • Fundamental audit concepts and principles
  • Why follow the audit requirements of the ISO 19011 methodology when auditing POPI?
  • Communication during the audit
  • Preparing for a POPI audit
  • Audit test plans for the POPI programme, processing of personal information and the privacy controls
  • Using COBIT to conduct the POPI audit
  • Formulating audit findings
  • Documenting non-conformities
  • Recognising current capability in the processing of personal information
  • An audit of the POPI related documentation
  • Management’s review of the audit findings
  • Reporting to the stakeholders.

POPI: Technical and Organisational Measures for ERP Systems

THE PROTECTION OF PERSONAL INFORMATION ACT REQUIRES ALL PUBLIC AND PRIVATE BODIES TO IMPLEMENT EFFECTIVE TECHNICAL AND ORGANISATIONAL MEASURES FOR ERP

A responsible party must ensure that the conditions set out in Chapter 3 of the Protection of Personal Information Act, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

Overview

Enterprise Resource Planning (ERP) systems process a wide variety of business information, including many types of personal information. ERP systems have many features that can assist responsible parties with the protection of personal information. Omitting to use the available features could become a problem when a non-compliance with POPIA is reported to the Information Regulator.

Business leaders and responsible parties who fail to fulfil their obligations defined in this Act may be charged personally with a criminal offence and face civil claims for damages.

It is the responsibility of the “Responsible Parties” identified by the CEO and listed in the PAIA to ensure that personal information is processed lawfully and in a manner that does not infringe the constitutional rights that individuals have to privacy.

Seminar Objectives

Participants will gain a general understanding of the legal obligations placed on “Responsible Parties”. On completion of this 1 day seminar, participants will be able to:

  • Articulate the requirements of the Protection of Personal Information Act
  • Demonstrate an understanding of the conditions for the lawful processing of personal information
  • Describe the role, responsibilities and legal obligations of the responsible parties
  • Describe the roles and the responsibilities of the other parties concerned about the processing of personal information
  • Identify the effort required to meet the requirements of the Protection of Personal Information Act and to fulfil the conditions for the lawful processing of personal information contained therein.

Seminar Outline

Participants will learn through discussion and practical examples about the typical technical and organisational measures available in ERP systems.

This seminar includes topics about:

  • Overview of the POPI Act requirements for technical and organisational measures to protect personal information and prevent unlawful processing
  • Privacy by design and default
  • Documented privacy-enabling practices and tasks
  • Environmental security
  • Resource protection
  • Random access memory protection
  • Temporary storage, trace and dump file protection
  • Network and data persistence encryption
  • Data dictionary, database security and blocks
  • Accuracy, integrity, completeness and validity checks
  • Pseudonymisation
  • System isolation, unlinkability and intervention
  • PKI and certificate management
  • Logical access control, segregation of duties
  • POPI compliant system development practices
  • System privilege, feature and command restriction
  • Identity management
  • User authentication, authorisation and single sign-on
  • Access permission, privilege management, de-registration
  • Event and incident logs, history, reporting and auditing
  • System updates, patch and change control
  • Records management, information life-cycle management
  • Organisational structures, roles, job descriptions
  • Availability controls and configuration management
  • Supplier management and verification
  • ISO 27001 and Privacy Management Systems.

Safeguards to Protect the Processing of Personal Information

GENERALLY ACCEPTED INFORMATION SECURITY PRACTICES AND PROCEDURES FOR POPI

POPI requires responsible parties to implement generally accepted information security. ISO 27001 is an international standard widely recognised as the reference for generally accepted information security practices and procedures. ISO 27001 requires that organisations establish, document, implement and maintain an information security management system to protect personal information.

Overview

This 2 day course provides delegates with an understanding of the technical and organisational measures for the protection of personal information using ISO 27001. Delegates also learn about the integrated process approach for information security management and how to extend their current activities in line with international standards.

The Protection of Personal Information Act requires that effective information security be implemented and continuously improved in accordance with generally accepted standards. An ISO 27001 information security management system will ensure that the information security strategy and practices are aligned with the enterprise’s business needs and strategic goals regarding privacy. An appropriate implementation of ISO 27001 will assist responsible parties to demonstrate their commitment.

Seminar Objectives

Participants will gain an understanding of the POPIA requirements and how to correctly implement an information security management system using ISO 27001. On completion of this seminar participants will be able to:

  • Demonstrate an understanding of the ISO 27001 specification for Information Security Management and its application to satisfy POPIA
  • Communicate the requirements for ISO 27001 standard
  • Plan the implementation of the safeguards for the protection of personal information in accordance with the needs of the POPI Act and ISO 27001
  • Assist an organization identify and implement the safeguards to protect personal information
  • Assess the extent an organization adheres to the ISO 27001 specification and fulfils the POPI Act requirements.

Seminar Outline

Participants will learn through discussion and practical examples how to design and implement the safeguards required to protect personal information in accordance with the ISO 27000 family of standards for information security management and the Protection of Personal Information Act.

This seminar includes topics about:

  • Overview of the ISO/IEC 27001 specification
  • The scope and purpose of an information security management system in the context of the POPI Act
  • Defining an ISMS policy and framework for setting objectives, risk management and regulatory compliance
  • Understanding an organization’s information security requirements for compliance with the POPI Act
  • Developing and implementing an information security management system to fulfil the requirements of POPI
  • Adopting a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's ISMS
  • Using the "Plan-Do-Check-Act" (PDCA) model for the continuous improvement of information security
  • Implementing and operating the generally accepted organisational and technical controls to manage an organization's information security risks in the context of the organization’s overall business risks and the requirements of the POPI Act
  • Monitoring and reviewing the performance and effectiveness of information security management for the POPI Act
  • Evaluating the technical and organisational measures against the requirements of the POPI Act
  • Continually improving information security to satisfy the requirements of the POPI Act.

How to use COBIT to implement a compliance framework for POPIA

COBIT is an integrated Governance, Management and Operational process model comprising principles and enablers for processing information lawfully.

Few organisations have the experience and knowledge to effectively and efficiently plan a POPI programme. COBIT 5 is an internationally recognised framework for the governance and management of information and related technology that can be used for the lawful processing of personal information.

Overview

This 2 day course assists attendees to understand how the COBIT 5 enablers can be used to effectively and efficiently plan, organise, direct and control a POPI programme using the COBIT 5 framework. The seven COBIT 5 enablers can enhance the maturity, capability and performance of the protection of personal information within an organisation.

The COBIT 5 principles and enablers provide a set of common dimensions and a structured approach to effectively address the conditions for lawfully processing personal information. They allow organisations to manage the complex interactions between the enablers and to successfully implement the technical, organisational and operational measures that enable the protection of personal information.

Seminar Objectives

Participants will gain an understanding of what should constitute a POPI programme, and how to plan, organise, direct and control the various activities necessary to implement the relevant COBIT 5 principles and enablers. This course will assist participants to:

  • Articulate the requirements of the Protection of Personal Information Act
  • Understand how the conditions for the lawful processing of personal information can be addressed using the COBIT 5 framework
  • Use COBIT 5 to determine the roles and responsibilities that responsible parties need to define.
  • Identify the activities that will be necessary and understand how the COBIT 5 framework should be used for the Protection of Personal Information.
  • Identify the effort required to meet the requirements of the Protection of Personal Information Act.

Seminar Outline

Participants will learn through discussion and practical examples how to adapt and use the COBIT 5 principles and enablers to address the business' requirements for the protection of personal information.

This seminar includes topics about:

  • Overview of the requirements for the lawful processing of personal information
  • Overview of the COBIT 5 Principles and Enablers
  • The COBIT 5 Governance, management and operational processes and their importance for processing personal information lawfully
  • Clarifying stakeholders and their respective needs relating to the lawful processing of personal information
  • Implementing the COBIT 5 Principles to improve the protection of personal information
  • Evaluating the COBIT 5 Enablers and their impact on the lawful processing of personal information
  • Establishing a POPI programme and using the COBIT 5 framework to identify and plan the work packages required
  • Applying the COBIT 5 Implementation methodology for the POPI programme
  • Mapping the conditions for lawful processing of personal information to the ISACA principles for privacy
  • Identifying the COBIT 5 practices appropriate for the lawful processing of personal information
  • Assigning responsibilities to the appropriate organisational functions
  • Measuring, monitoring, and evaluating the POPI programme
  • Using COBIT 5 to continuously improve the POPI programme.

The measures and standards required for the lawful processing of personal information

GENERALLY ACCEPTED INFORMATION SECURITY PRACTICES AND PROCEDURES FOR POPI

POPI requires responsible parties to implement generally accepted information security practices. ISO 27001 is an international standard widely recognised as the reference for generally accepted information security practices and procedures. ISO 27001 requires that organisations establish, document, implement and maintain an information security management system to protect personal information.

Overview

This 2 day course provides delegates with an understanding of the International Organisation for Standardisation’s (ISO) standard for information security management – ISO 27001. Delegates will learn about the integrated process approach for information security management and how to extend their current activities in line with international standards.

The Protection of Personal Information Act requires that effective information security be implemented and continuously improved. An ISO 27001 information security management system (ISMS) ensures that the information security strategy and practices are aligned with the enterprise’s business needs and strategic goals regarding privacy. An appropriate implementation of ISO 27001 will assist responsible parties to demonstrate that they have properly addressed the POPI requirements.

Seminar Objectives

Participants will gain an understanding of the ISO 27001 standard, its requirements and how to correctly implement an information security management system for POPI. On completion of this seminar, participants will be able to:

  • Demonstrate an understanding of the ISO 27001 specification for Information Security Management and its application to satisfy the Protection of Personal Information Act
  • Communicate the requirements of the ISO 27001 standard
  • Plan the implementation of an ISO 27001 management system in accordance with the needs of the POPI Act.
  • Assist an organization to implement the ISO 27001 requirements for information security management
  • Assess the extent to which an organization adheres to the ISO 27001 specification and fulfils the POPI Act requirements.

Seminar Outline

Participants will learn through discussion and practical examples how to design and implement information security in accordance with the ISO 27001 requirements for information security management and the Protection of Personal Information Act.

This seminar includes topics about:

  • Overview of the ISO/IEC 27001 specification
  • The scope and purpose of an information security management system in the context of the POPI Act
  • Defining an ISMS policy and framework for setting objectives, risk management and regulatory compliance
  • Understanding an organization’s information security requirements for compliance with the POPI Act
  • Developing and implementing an information security management system to fulfil the requirements of POPI
  • Adopting a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's ISMS.
  • Using the "Plan-Do-Check-Act" (PDCA) model for the continuous improvement of information security
  • Implementing and operating the generally accepted organisational and technical controls to manage an organization's information security risks in the context of the organization’s overall business risks and the requirements of the POPI Act
  • Monitoring and reviewing the performance and effectiveness of information security management for the POPI Act
  • Evaluating the technical and organisational measures against the requirements of the POPI Act
  • Continually improving information security to satisfy the requirements of the POPI Act.