Data Privacy (POPIA and GDPR) Gap Assessments, Audits and Implementations
Introduction
Section 14 of the South African constitution guarantees all citizens the right to privacy, meaning that South Africans do have the right to protection against unlawful collection, retention, dissemination and use of their personal information. The Protection of Personal Information Act (PoPIA) requires widespread reforms that both the private and public sectors must introduce to ensure that the personal information and data they collect are protected.
The Act also provides strict guidelines, among other things, on what data can be obtained, how that data can be obtained and used, and the requirements that it should be kept up to date as well as permanently deleted when it reached its “end of life” or processing purpose. The Act enforces eight (8) conditions (Chapter 3), regulating the processing of personal information. In addition, Chapter 9 also regulates trans-border information flow. These chapters are the most important sections of the Act for any business. Evenly important to remember is that the Act is relevant to both digital data and data to be found in other forms, e.g., hard copy documents.
It is also important to keep in mind that, unlike the EU’s GDPR (General Data Protection Regulation), PoPIA also considers legal entities’ data (e.g., a company’s intellectual property) as personal data (unless that data is in the public domain, of course).
PoPIA’s appropriate, reasonable, technical and organisational measures
Condition 7 of PoPIA (Chapter 3) stipulates that a “Responsible party” must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, as well as to prevent the unlawful access to or processing of personal information.
When considering appropriate, reasonable, technical, and organisational measures, it is important to follow a holistic approach to address privacy risks and implementing privacy controls. A holistic approach will address the following:
- People with the integrity and competency to enforce and manage controls.
- Processes and process controls to ensure that the objectives of data processing are achieved, without compromising the integrity of personal data.
- Structures – e.g., segregation of duties to ensure appropriate and limited access to personal data. (Limited access refers to the principle of access that is founded on a “need-to-know” and “need-to-do” basis.)
- Technology, enforcing security controls (e.g., user access rights and user authentication, just to name a few).
It goes without saying that technology is only one aspect of risk mitigation; data security must be designed in a holistic manner, and security must leverage people, process controls, and structures too.
Furthermore, most international best practice guidelines (e.g., ISO 27001/2, NIST, COBIT, the Five Trust Principles (TSP section 100)) deal with three control aspects of information security and confidentiality, namely:
- To prevent data breaches in the first instance.
- To detect data breaches if prevention measures have failed.
- To correct breaches or perform damage control once breaches have been detected.
The fundamental idea is to place adequate focus on all three of these types of controls. However, in the past, much focus was placed on preventing unauthorised persons from accessing and stealing personal data. In the future, more focus is needed on detection and correction measures. Although the first prize will always be to prevent security incidents, IT budgets will have to focus more and more on detection and correction. (See Michiel Jonker’s (Futura International’s founder and director) article on the role of detection and correction: http://www.accountancysa.org.za/analysis-embracing-complex-systems-thinking/?Reference_ID=52320014)
Service level agreements (SLAs): Right to audit clause
PoPIA is clear that an SLA is considered by the Data regulator as a main control for the responsible party to enforce data privacy compliance by their service providers (called by PoPIA as the “Operator”).
In normal circumstances, a responsible party should at least consider including clauses in the SLA, establishing, amongst other, specific performance requirements.
However, with PoPIA now effective, over and above these performance requirements, a responsible party has to define minimum (IT) security and data privacy compliance standards in their SLAs with their service providers. The objective of the “right to audit” OR the “right to receive an independent assurance report” clause is to allow the responsible party the right to obtain (at least annually) assurance that their service providers do comply with their data privacy standards (e.g., compliance with their relevant data privacy policies, procedures, and standards).
In the future service providers (operators) might be requested to provide their corporate clients with an independent assurance report, expressing an audit opinion on the status of their privacy practices and controls. Outside the USA, this audit opinion can be expressed and issued under the “International Standard on Assurance Engagements (ISAE)” – which is the ISAE 3000: “Assurance engagements other than audits or reviews of historical financial information”. (This standard has been issued by the International Auditing and Assurance Standards Board (IAASB)).
However, we expect that some Responsible Parties might insist on a SOC 2 report. The SOC 2 report is an independent, annual, assurance report by an audit firm, expressing an audit opinion on a service organisation’s internal control (and in a SOC 2 scenario, internal control over IT security, data and system availability, data privacy, data confidentiality, and processing integrity). This might be unavoidable, as PoPIA requires organisations to ensure that their service providers comply with best practices. Outside the USA, the SOC 2 audit opinion can also be expressed under the ISAE 3000 audit standard, but by using the “Trust services criteria for security, availability, processing integrity, confidentiality and privacy”, as set forth in the TSP section 100, 2017 (updated March 2020), as a framework. (TSP 100 was established by AICPA (AICPA is the American Institute of Certified Public Accountants.))
Futura International, in association with an audit firm, assists clients to obtain either an ISAE 3000 or SOC 2 report.
Responsible parties might decide to request either an ISAE 3000 or SOC 2 report, covering at least the security, availability, and privacy principles. In cases where the responsible party is concerned about their own data (i.e., legal entity’s data), like the protection of their intellectual property (which comes in different shapes and forms), they might also insist that the report covers the confidentiality principle.
It is also important to note that without proper IT security, privacy is non-existing. Because most data are today in an automated form, IT and cybersecurity have become critical to achieve data privacy objectives. Security is the foundation of data privacy.
High level summary: Important PoPIA requirements
Futura International also assists clients to achieve compliance with PoPIA, by focusing on the following PoPIA (Chapter 3) conditions:
- Condition 1 (Accountability): This condition deals with, among other things, the governance framework for data privacy (e.g., policies, procedures, and standards), awareness creation, and the appointment of the Information Officer or Data Privacy Officer, responsible for the monitoring and enforcement of data privacy practices.
- Condition 2 (Processing limitations): Deals, mainly, with lawful processing – i.e., what data a responsible party or operator may collect, why they collect it (i.e., what do they want to do with it), the limitation on what and how data is collected, and if the processing of data is in an authorised manner.
- Condition 3 (Purpose specification): Information must be collected for only explicitly defined and lawful purposes– and only for a limited time period.
- Condition 4 (Further processing limitation): If there is to be further processing, it must be compatible with the purpose for which the information was originally collected.
- Condition 5 (Information quality): Relates to data integrity – the responsible party must take reasonably and practicable steps to ensure that information is complete, accurate, not misleading and updated where necessary.
- Condition 6 (Openness): The “Data subject” must be made aware that information is being collected.
- Condition 7 (Security safeguards): Condition 7 is the most important condition in the Act and deals with the security of personal information. A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, as well as to prevent the unlawful access to or processing of personal information.
This condition also deals with the operator (i.e., the service provider delivering a service to the responsible party); among other things the responsible party must ensure, by means of an SLA, that the operator enforces confidentiality and security controls.
Extremely important is that condition 7 stipulates that where security breaches do occur, the data subject (i.e., an individual or juristic person) and regulator must be notified; meaning that criminal proceedings might follow and also civil claims from the data subject’s side.
- Condition 8 (Data subject participation): The data subject has the right to request whether personal information is held by the responsible party, including: a description of the type of personal information held; and the data subject has the right to request correction of information.
Chapter 9 (Trans-border information flows): A responsible party in the republic may not transfer personal information about a data subject to a third party who is in a foreign country unless:
- The recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection.
- The data subject consents to the transfer.
- Transfer is necessary for the performance of a contract between the data subject and the responsible party.
- Necessary for the conclusion or performance of a contract.
- Concluded in the interest of the data subject.
- Transfer is for the benefit of the data subject.