Information Privacy - Swift Tech Law
https://swifttechlaw.com/category/articles/governance-risk-and-compliance-grc/information-privacy/

How to get your POPIA CERTIFICATION
https://swifttechlaw.com/popia-certification/
Thu, 13 Feb 2020 13:48:05 +0000

What is a POPIA Compliance Seal?

It is important to know why you should get your POPIA certification. The European Union’s GDPR carries fines of up to 20 million Euro or 4% of company turnover – whichever is the greater. The GDPR further imposes criminal sanctions in certain instances. Similarly, POPIA imposes fines up to R 10 million and imprisonment for wrongful and intentional POPIA contraventions.

There is no uniform standard mandating the steps required to satisfy compliance with applicable information privacy legislation. However, your business is required to do what is “reasonably practicable” under the circumstances to comply with POPIA and the GDPR.

This means your business should have already taken active steps towards POPIA compliance. The best way to implement this process is to have your privacy practices reviewed by independent experts.

How to get your POPIA Certification

SwiftTechLaw provides independent expert assessments of what would be considered “reasonably practicable” steps satisfying POPIA and GDPR compliance.

Upon completion, your business will receive a seal reflecting that your organisation has completed an Information Privacy compliance review program. This will assist in mitigating your legal risks under POPIA and the GDPR. It sends a strong message to your customers and suppliers that doing business with your organisation won’t compromise the integrity of their personal information.

The post How to get your POPIA CERTIFICATION appeared first on Swift Tech Law.

EVER HEARD OF A TECHNOLOGY ATTORNEY?
https://swifttechlaw.com/heard-of-a-technology-attorney/
Fri, 13 Dec 2019 13:32:40 +0000

Most people recognise the terms divorce attorney, conveyancer and criminal attorney, but only a few are aware of the growing need for a technology attorney. Worldwide, the evolution of technology has brought about a multitude of legal problems and South Africans are not immune to these, yet not a lot of people have ever heard of a technology attorney.

Business continues to move online and in any conversation you’ll come across the words “data privacy”, “cyber-crime”, “online retailer”, “App development” and many more.

So what exactly does a technology attorney do?

Basically – anything to do with the law and technology. Here at SwiftTechLaw we specialise in the following areas:

GRC (GOVERNANCE, RISK AND COMPLIANCE) – which includes PRIVACY LAW COMPLIANCE (POPIA & GDPR). Information privacy is a hot topic at the moment as the Information Regulator creeps closer to being established. Once this happens South African organisations will need to comply or face hefty penalties. We assist our clients with their compliance, which includes providing them with all required documentation, training and website updates.

DOMAIN NAME RIGHTS AND DISPUTES – Having a company website / online store in this day and age is becoming vital to the success of any organisation and securing your domain name is the first step. We assist with any matters relating to domain name registrations and disputes.

APP DEVELOPMENT – Have an idea for a new app? SwiftTechLaw can assist.

CRYPTOCURRENCY TRANSACTIONS – Cryptocurrency investment remains the wild west of South Africa’s financial landscape. There is no cohesive regulation which restricts transactions or facilitates trade, and this exposes investors to many risks. Organisations providing platforms for cryptocurrency transactions should also keep up to date with the latest regulations in order to minimise the risk for themselves and their investors. We assist by providing legal opinions and advice on how to minimise the risk of cryptocurrency transactions while the regulation thereof remains mostly unclear.

SOCIAL MEDIA RIGHTS PROTECTION / SEXTORTION / CYBERBULLYING / REVENGE PORN

START-UP / INCUBATOR ASSISTANCE – We assist start-ups with Non-disclosure Agreements, Non-compete Agreements, Registering different types of intellectual property (I.P), Contractual Terms of Business for each specific start-up, Website Privacy Policies and T&C’s, POPIA and GDPR Training.

TRADEMARK REGISTRATION – Trademark registration is a crucial first step for your start-up in order to ensure that you are able to continuously build your brand. If you decide that you don’t want to register your trademark, or that you will get around to it once your company has become more established, it’s important that you understand the possible implications of not investing in the protection of your intellectual property. Let us assist you in building your brand with our trademark registration services.

COMMERCIAL TECHNOLOGY LAW – Need to register a new company? Need assistance in the drafting of End User Licence Agreements? Software Agreements? Or Tech Deal Structuring? SwiftTechLaw provides a wide variety of legal services relating to commercial technology law.

TECHNOLOGY AND CIVIL LITIGATION – Need to send a letter of demand? Don’t know what your options are in terms of legal recourse? We assist clients in settling or proceeding further with their legal disputes.

We also specialise in ARTIFICIAL INTELLIGENCE, CYBER CRIMES AND HACKING, ELECTRONIC SIGNATURES, GAMBLING AND GAMING TRANSACTIONS, CONSUMER RIGHTS AND DISPUTES.

Contact SwiftTechLaw here to assist you with your legal needs.

The post EVER HEARD OF A TECHNOLOGY ATTORNEY? appeared first on Swift Tech Law.

WALKING THE LINE BETWEEN POPIA AND GDPR
https://swifttechlaw.com/walking-the-line-between-popia-and-gdpr/
Thu, 21 Nov 2019 14:02:30 +0000

Where did POPIA and GDPR originate from? A lesser-known fact is that the European Union is the birthplace of modern information privacy laws. The right to privacy has existed for centuries. However, E.U. countries experienced first-hand how the abuse of personal information can lead to detrimental (sometimes fatal) consequences. This led to the adoption of the European Union Data Protection Directive (EUDPD) in the mid-1990s in an effort to regulate the use of information.

Since then, the digital age has presented major challenges to regulation. Technology enables the transfer of vast amounts of information across borders with many benefits. However, it simultaneously enables the citizens from countries governed by privacy legislation to transfer data outside their borders and bypass restrictions. In response, information privacy laws were amended to prohibit the transfer of personal information to countries with lower standards of legal regulation than their own.

In this context South Africa promulgated the Protection of Personal Information Act (POPIA). It ensures that South Africa is able to process information and conduct business with European countries for commercial benefit. Conversely, POPIA advances the right to privacy contained in the South African Constitution and imposes harsh sanctions for non-compliance.

In an expanding digital economy, stakeholders within South Africa and the E.U. increasingly process personal information across both jurisdictions. While South Africa and the E.U. both have comprehensive laws in place, there are disparities as well as similarities between the two. This creates a frequently asked, seldom answered question:

When are South African entities bound by the GDPR and when are European entities bound by POPIA? The answer is not always simple, but a basic understanding can assist.

What POPIA compliant organisations need to know about the GDPR

POPIA extends to the protection of personal information of juristic persons (i.e. legal entities) and not just individuals, making it more extensive and stringent than the GDPR, which only applies to natural persons. It is therefore necessary for South African organisations to ensure that, should they engage in business with organisations who are GDPR compliant, these organisations extend their data protection to juristic persons in order to align with POPIA requirements.

POPIA is also more stringent in its requirement that an Information Officer should be appointed for all organisations, while the GDPR only requires the appointment of a Data Protection Officer for certain organisations.

Furthermore, the GDPR has much larger fines than POPIA. The GDPR carries fines of up to €20 Million or 4% of the global annual turnover, whichever is higher. The maximum penalties under POPIA are a R10 million fine and/or imprisonment for a period not exceeding 10 years, where the GDPR considers the latter to be a matter for member state law. Read more on POPIA requirements here.

What GDPR compliant organisations need to know about POPIA

While the concept of privacy by design is mandated by the GDPR, it is not mentioned in POPIA at all and remains a best practice option or voluntary approach for POPIA compliant organisations.

The GDPR furthermore provides data subjects with the benefits of data portability where data subjects may request that their data be transferred to another controller or service provider. This right is not extended to data subjects under POPIA.

The GDPR also mandates that data protection impact assessments be conducted and that evidence or documentation of such assessments be maintained. Currently there is no corresponding requirement under POPIA.

The best way forward

When it comes to information privacy compliance, there is no one-size-fits-all solution. As a point of departure, if you’re processing personal information (or personal data) regulated by POPIA and GDPR, you must satisfy the requirements of both jurisdictions. The good news is that adapting POPIA or GDPR for dual legal compliance is not onerous or invasive. It however requires expertise in both areas to ensure secure data-related commercial transactions.

Contact SwiftTechLaw here to enrol in our Privacy Law Compliance Program for 2020.

The post WALKING THE LINE BETWEEN POPIA AND GDPR appeared first on Swift Tech Law.

POPIA COMPLIANCE: WHEN THE INFORMATION REGULATOR COMES KNOCKING
https://swifttechlaw.com/popia-compliance-when-the-information-regulator-comes-knocking/
Wed, 10 Apr 2019 12:37:41 +0000

It has been reported that the Information Regulator, Advocate Pansy Tlakula, tests call centre operators when she receives unsolicited calls by asking them where they got her number from and if they were aware that the calls they were making were illegal – scary right? Do you know what POPIA Compliance entails? Are you prepared for when the Information Regulator comes knocking?

Many organisations are taking the stance that while the Protection of Personal Information Act (POPIA) is not fully enacted, there is no need for compliance. POPIA compliance is essential as there are currently serious risks associated with non-compliance with the Act. One such consequence is reputational damage which may entail loss of revenue, clients and service providers and increased business costs.

Earlier this year MiWay Insurance came under fire when a recorded MiWay conversation with Zulu King Goodwill Zwelithini leaked to the public. The Zulu King laid a complaint and the Information Regulator issued a media statement on 12 February 2018 stating that “despite certain sections of POPIA not yet operative, the Regulator intended to proactively engage MiWay with regards to the processes and measures they have put in place to comply with the conditions for lawful processing of personal information as prescribed in POPIA”. During 2018 the Information Regulator similarly engaged with Facebook, Aggregated Payment System (Pty) Ltd and Liberty Holdings (Pty) Ltd after major data breaches involving ordinary South Africans’ personal information came to light.

Notwithstanding the reputational damage these organisations may have incurred, once POPIA is fully enacted organisations face penalties of up to R10 million and/or imprisonment for a period not exceeding 10 years.

DIRECT MARKETING

A big concern for organisations is the effect POPIA will have on direct marketing. Under Section 69 of POPIA a potential customer (“prospect”) must consent before electronic direct marketing can take place. However, in order to obtain such consent a direct marketer may contact a prospect once only. If they withhold consent, the direct marketer may not contact them again. This applies unless that prospect is an existing customer who gave their personal information to the supplier in the context of a sale for the purpose of direct marketing and “has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality”.

Customers have the right to complain to the Information Regulator should they believe organisations are not complying with POPIA. To date more than two hundred complaints have been received. Organisations should bring their direct marketing practices in line with Section 69 as soon as possible to avoid investigations and legal sanctions. Moreover, POPIA empowers customers to institute legal proceedings against non-compliant organisations directly as an alternative to lodging complaints.

DATA BREACH

Earlier this year the Facebook data breach made headlines worldwide. It is reported that the personal information of 59 777 South African users was potentially shared with the data firm Cambridge Analytica. To investigate the alleged breach the Information Regulator convened a meeting of various government institutions. These institutions included the South African Police Service, specifically the HAWKS, the National Prosecuting Authority (NPA), the Department of Rural Development, the National Credit Regulator and the Association of Credit Bureaus. The meeting agreed to establish a Task Team comprising representatives of the abovementioned institutions to ensure a multi-disciplinary approach to the investigation.

Contact SwiftTechLaw here to ensure that you are ready for when the Information Regulator comes knocking.

The post POPIA COMPLIANCE: WHEN THE INFORMATION REGULATOR COMES KNOCKING appeared first on Swift Tech Law.

POPIA REGULATIONS: PRIVACY LAWS ARE TIGHTENING
https://swifttechlaw.com/popia-regulations-privacy-laws-are-tightening/
Sun, 20 Jan 2019 07:33:44 +0000

January 2019 has already provided an important reminder of the need for stricter information privacy regulation. On the 17th of this month, the data privacy watchdog Have I Been Pwned uncovered the infamous COLLECTION#1 – a collation of over 1 billion hacked email and password data points. Although a comprehensive data-audit of COLLECTION#1 is still in process, an estimated 700 million compromised accounts were hacked in 2019 alone. This raises the question: what are South African regulators doing to protect your personal information? When will the POPIA Regulations be finalised, and are privacy laws tightening?

Information Privacy Regulations Finalised Recently

It is no secret that South Africa’s Protection of Personal Information Act (“POPIA”) regulates the processing of personal information domestically. As legislation has increasingly evolved to tackle a cross-border challenge, POPIA’s provisions are aligned to stringent international standards. POPIA is structured in two instruments, the POPI Act and the POPIA Regulations; the latter provides supplementary details of what is required to ensure legal compliance. On 14 December 2018, the final version of the POPIA Regulations was promulgated, affecting the implementation of SA information privacy law in several respects.

Enforcement Date

Certain provisions of POPIA are already in force and have been since 2018. Furthermore, the Information Regulator has already been knocking on the doors of companies about which data subjects have complained. However, the application of other legal obligations and restrictions only takes effect on a date to be determined by the legislature. One of the issues causing the delay of full POPIA enforceability was the promulgation of its Regulations. The promulgation of the latter in December brings complete legal enforceability under POPIA one step closer.

Stricter Regulation of Direct Marketing

Section 69 of POPIA requires direct marketers to obtain consent from data subjects in order to lawfully conduct campaigns targeting them. Failure to do so is an offence which carries heavy fines and penalties. The Regulations prescribe details of how such consent must be obtained. Namely, direct marketers are required to obtain a signed form from the data subject before electronic direct marketing can occur. Depending on how the regulation is implemented in practice, imposing this obligation could create a significant challenge to the direct marketing industry. Although stringent regulation could appear attractive to consumers, they should be reminded that the direct marketing industry is a significant employer and job creator in South Africa. Should the industry down-size, the limitations prescribed in the Regulations could become a poisoned chalice. Direct marketers should familiarise themselves with the POPIA Regulations and ensure their organisation is streamlined to comply with POPIA without damaging revenue streams.

The responsibilities of the Information Officer

POPIA’s Regulations also contain further detail on Information Officers. Organisations are required to appoint an individual responsible for ensuring information privacy legal compliance. Much like a company secretary, the Information Officer will be involved in implementing legal compliance within their organisation. Amongst other requirements, this involves creating a compliance framework, conducting an information privacy impact assessment and creating a manual which outlines their organisation’s information privacy and security policies. While this seems daunting, in practice the responsibilities of an organisation’s Information Officer will most likely be supplemented by technology and privacy attorneys.

Elevated awareness of importance

As incidents ranging from Facebook’s data abuse to COLLECTION#1 continue to make headlines, the importance of legal regulation will escalate further. The promulgation of the POPIA Regulations is an encouraging step in the right direction as information privacy continues to be of domestic and global importance.

If you have not taken the necessary steps to comply with POPIA, contact SwiftTechLaw here.

The post POPIA REGULATIONS: PRIVACY LAWS ARE TIGHTENING appeared first on Swift Tech Law.
