
How to get your POPIA CERTIFICATION

What is a POPIA Compliance Seal?

It is important to know why you should get your POPIA certification. The European Union’s GDPR carries fines of up to 20 million Euro or 4% of company turnover – whichever is the greater. The GDPR further imposes criminal sanctions in certain instances. Similarly, POPIA imposes fines of up to R10 million and imprisonment for wrongful and intentional POPIA contraventions.

There is no uniform standard mandating the steps required to satisfy compliance with applicable Information Privacy legislation. However, your business is required to do what is “reasonably practicable” under the circumstances to comply with POPIA and the GDPR.

This means your business should have already taken active steps towards POPIA compliance. The best way to implement this process is to have your privacy practices reviewed by independent experts.

How to get your POPIA Certification

SwiftTechLaw provides independent expert assessments of what would be considered “reasonably practicable” steps satisfying POPIA and GDPR compliance.

Upon completion, your business will receive a seal reflecting that your organisation has completed an Information Privacy compliance review program. This will assist in mitigating your legal risks under POPIA and the GDPR. It sends a strong message to your customers and suppliers that doing business with your organisation won’t compromise the integrity of their personal information.


WALKING THE LINE BETWEEN POPIA AND GDPR

Where did POPIA and the GDPR originate from? A lesser-known fact is that the European Union is the birthplace of modern information privacy laws. The right to privacy has existed for centuries. However, E.U. countries experienced first-hand how the abuse of personal information can lead to detrimental (sometimes fatal) consequences. This led to the adoption of the European Union Data Protection Directive (EUDPD) in the mid-1990s in an effort to regulate the use of information.

Since then, the digital age has presented major challenges to regulation. Technology enables the transfer of vast amounts of information across borders, with many benefits. However, it simultaneously enables the citizens of countries governed by privacy legislation to transfer data outside their borders and bypass those restrictions. In response, information privacy laws were amended to prohibit the transfer of personal information to countries with lower standards of legal regulation than their own.

In this context South Africa promulgated the Protection of Personal Information Act (POPIA). It ensures that South Africa is able to process information and conduct business with European countries for commercial benefit. At the same time, POPIA advances the right to privacy contained in the South African Constitution and imposes harsh sanctions for non-compliance.

In an expanding digital economy, stakeholders within South Africa and the E.U. increasingly process personal information across both jurisdictions. While South Africa and the E.U. both have comprehensive laws in place, there are both disparities and similarities between them. This creates a frequently asked, seldom answered question:

When are South African entities bound by the GDPR and when are European entities bound by POPIA? The answer is not always simple, but a basic understanding can assist.

What POPIA compliant organisations need to know about the GDPR

POPIA extends to the protection of personal information of juristic persons (i.e. legal entities) and not just individuals, making it more extensive and stringent than the GDPR, which only applies to natural persons. It is therefore necessary for South African organisations, should they engage in business with organisations that are GDPR compliant, to ensure that those organisations extend their data protection to juristic persons in order to align with POPIA requirements.

POPIA is also more stringent in its requirement that an Information Officer be appointed for all organisations, while the GDPR only requires the appointment of a Data Protection Officer for certain organisations.

Furthermore, the GDPR has much larger fines than POPIA. The GDPR carries fines of up to €20 million or 4% of global annual turnover, whichever is higher. The maximum penalties under POPIA are a R10 million fine and/or imprisonment for a period not exceeding 10 years, whereas the GDPR considers imprisonment to be a matter for member state law. Read more on POPIA requirements here.

What GDPR compliant organisations need to know about POPIA

While the concept of privacy by design is mandated by the GDPR, it is not mentioned in POPIA at all and remains a best practice option or voluntary approach for POPIA compliant organisations.

The GDPR furthermore provides data subjects with the benefit of data portability, whereby data subjects may request that their data be transferred to another controller or service provider. This right is not extended to data subjects under POPIA.

The GDPR also mandates that data protection impact assessments be conducted and that evidence or documentation of such assessments be maintained. Currently there is no corresponding requirement under POPIA.

The best way forward

When it comes to information privacy compliance, there is no one-size-fits-all solution. As a point of departure, if you’re processing personal information (or personal data) regulated by both POPIA and the GDPR, you must satisfy the requirements of both jurisdictions. The good news is that adapting POPIA or GDPR compliance for dual legal compliance is not onerous or invasive. It does, however, require expertise in both areas to ensure secure data-related commercial transactions.

Contact SwiftTechLaw here to enroll in our Privacy Law Compliance Program for 2020.


5 REASONS YOU NEED A TECHNOLOGY ATTORNEY FOR YOUR BUSINESS WEBSITE

Whether you like it or not, if you conduct any type of business activity online there are information technology laws affecting you. Are your current practices exposing your business to potential liability? Here are 5 reasons you need a technology attorney if you have a business website:

1. Domains

Secured your domain name? Thinking “wow, that was easy”? Think again. Having a company website or online store in this day and age is becoming vital to the success of any organisation, and securing your domain name is the first step. However, once your e-commerce business starts to flourish, competitors and online criminals might be looking to take advantage of your success. It is important to obtain legal advice from a specialist in technology law to ensure that your website domain name is protected. Click here to read more about the importance of domain names.

2. Trademarks

What’s in a name? Whether you’re a start-up about to commercialise or an established company in the market, now is the time to consider whether the features that define your business are capable of trademark protection. A distinctive name goes a long way in doing so.

3. Web Development

Imagine spending thousands on your website, only for your web developer to hold it hostage. This is why web development contracts are a must! The contract must clearly state that upon final payment for services rendered you will have 100% ownership of all assets, which may include web design, images, code and content. Make sure you can access your website, analytical data and backups at all times.

4. Content & Copyright

It is important to make sure that you are not including content on your website that you are not entitled to use, or that may be illegal, defamatory or otherwise infringe on the rights of third parties.

5. Data Privacy and Security

Cookie banners, Privacy Policies, Terms of Service/Sale, Terms of Use, Information Privacy Manual – do these terms ring a bell? With the new Information Privacy Laws (the European Union’s General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (POPIA)), it is vital to ensure that your website complies with them. Prevention is better than cure – these laws carry fines of up to 20 Million Euros / 10 Million Rand or even imprisonment!

SwiftTechLaw is able to conduct a business website audit for you to ascertain the extent to which your website complies with applicable law. To book your audit or for any related enquiries, you can contact us here.