How to perform assessments of compliance with the POPI Act

AUDITING THE LAWFUL PROCESSING OF PERSONAL INFORMATION

The Protection of Personal Information Act requires compliance with eight conditions for the lawful processing of personal information, including the continual improvement of the safeguards that give effect to these conditions. Regular auditing of compliance with these eight conditions is an important compensating control that the Information Regulator will consider when investigating reports of non-compliance.

Overview

This 2 day course provides delegates with an understanding of how to lead, plan, execute and report on an audit of an organisation’s compliance with the eight conditions for the lawful processing of personal information. Delegates will learn about the audit objectives and scope, the audit process, and the tests to be performed when assessing the current status of compliance, the privacy practices and the controls.

Internal audits of the processing of personal information are an important compensating control that the Information Regulator will expect when investigating an interference with an individual’s right to privacy.

This seminar will help participants understand the business risks and audit process that is required to evaluate the processing of personal information and to provide assurance to the responsible parties, information officer and regulator.

Seminar Objectives

Participants will gain an understanding of the requirements of the POPI Act and the audit process to be followed to give assurance.

On completion of this seminar participants will be able to:

  • Demonstrate an understanding of how to lead, plan, execute and report on an audit of conformance with POPI
  • Demonstrate an understanding of the POPI Act, its impact on the processing of personal information and the related control objectives
  • Demonstrate an understanding of the audit scope and objectives
  • Demonstrate an understanding of the audit process
  • Conduct an audit of the POPI programme, the processing of personal information and the effectiveness of controls
  • Assess compliance with the POPI requirements.

Seminar Outline

Participants will learn through discussion and practical examples how to undertake an audit of the POPI programme, the processing of personal information, and the privacy practices and controls necessary for compliance with the Protection of Personal Information Act.

This seminar includes topics about:

  • Overview of the POPI Act
  • The scope and purpose of an audit of compliance with the Protection of Personal Information Act
  • The audit process for assessing compliance with POPI
  • Determining the appropriate audit objectives
  • Identifying the scope of the POPI audit and agreeing the audit approach with the responsible parties
  • Fundamental audit concepts and principles
  • Why follow the audit requirements of the ISO 19011 methodology when auditing POPI?
  • Communication during the audit
  • Preparing for a POPI audit
  • Audit test plans for the POPI programme, processing of personal information and the privacy controls
  • Using COBIT to conduct the POPI audit
  • Formulating audit findings
  • Documenting non-conformities
  • Recognising current capability in the processing of personal information
  • An audit of the POPI related documentation
  • Management’s review of the audit findings
  • Reporting to the stakeholders.