Specialist Fields

Data Protection

Law (POPIA) (GDPR)

We assist businesses in all areas of Data Protection Law

In this day and age compliance with data protection laws is imperative. Not only could you face a fine or imprisonment, but recent examples have shown how a breach or failure to act swiftly can give rise to severe reputational damage and possible civil claims. This aside, data protection is becoming a smart and standard business practice in every day business operations.

Caveat’s various data protection offerings aim to provide pragmatic solutions that set your organisation up from a data protection compliance perspective. We aim to provide you with the tools you need to ensure compliance and to provide you with a solid grounding and knowledge of how to implement data protection within your organisation.

Data Protection is not a once-off compliance programme but an ongoing commitment to ensuring the integrity and security of the personal information your organisation holds. Accordingly, the key to any data protection compliance programme is ensuring expert advice and effective implementation measures from the start.

Data is often quoted as the ‘new oil’ and so compliance with Data Protection Law should never just be a tick-box approach. It should be about complying whilst also leveraging potential through understanding the role of – and restrictions on – data in the broader economy.

- Stormme Hobson, Caveat Panel Member

Data Protection LAWS & Regulations

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy and the right to privacy includes a right to protection against the unlawful collection, retention, dissemination, and use of personal information. On November 19, 2013, the Protection of Personal Information Act (POPIA) was approved to protect personal information of both natural and juristic persons and came into full effect on 30 June 2021. POPIA has brought considerable changes to data protection law in South Africa and includes potential imprisonment as well as fines for breaches of up to ZAR10 million.
Beyond POPIA, other laws that make up the data protection laws in South Africa include the Promotion of Access to Information Act, 2013, the Electronic Communications & Transactions Act, 2005 and the more recently passed Cybercrimes Act, 2020. Furthermore, the UK and EEA General Data Protection Regulations (GDPR) have extra-territorial scope. In some instances, South African businesses may need to comply with these laws, particularly where UK and EEA residents are being offered goods or services and/or their behaviours are being monitored.

Data Protection Packages

DIY POPIA Compliance Toolkit

Cost: R22,000 (excl VAT)

Recommended for:

Organisations with a limited budget but with available resources to complete and roll-out templates and appropriate procedures. This programme is a do it yourself programme whereby Caveat will provide training and templates only – accordingly it is not without risk and Caveat accepts no liability whatsoever for any loss suffered by the client in using the templates.

Package entails:

POPIA Training with Q&A on templates (2 hour session)
Provision of the following templates:
- Privacy Notice (external and employees)
- Promotion of Access to Information Act Manual
- Document Retention and Destruction Policy*
- Data Processing Contract Addendum
- Data Breach Response Plan
- Information Security Policy
- Privacy Impact Assessment Template
- POPIA Compliance Checklist

*Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds.

This option is a Do It Yourself programme whereby Caveat provides training and templates only, and does not guarantee full and proper compliance with POPIA. There are risks inherent in the use of this option and it is offered in good faith to assist businesses that are unable to afford a bespoke solution, to use at their own risk.

Basic POPIA Compliance Package

Cost: R50,000 (excl VAT)

Recommended for:

Organisations that:

Have less than 20 employees.
Deal with limited personal information.
Deal with limited special personal information.
Send out nominal communications to customers / do not direct market.

Package entails:

Questionnaire and max 2 hour follow up call/meeting with one point of contact
Preparation of Policies – Privacy notice (external and employees), Promotion of Access to Information Act (PAIA) Manual, Document Retention*, IT Policies, Data Breach Procedures and Search and Seizure Guidelines
Provision of Privacy Impact Assessment Template
Provision of POPIA Compliance Checklist
Provision of Data Protection clause addendum template and guidance
Assistance with appointment of Deputy Information Officer and Registration of Information Officer and Deputy with the Information Regulator

POPIA Training (2 hour session)

*Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds.

Intermediate POPIA Compliance Package

Cost: R75,000 (excl VAT)

Recommended for:

Small to medium size organisations that:

Deal with a fair amount of personal information;
Deal with special personal information; or
Perform a limited amount of direct marketing.

Package entails:

Data Mapping:

Questionnaire, meetings with one point of contact from each department (max 3 departments)
Master Data File – a template will be provided for completion by staff – Caveat will assist in respect of justification for processing of each category of information.
Preparation of Policies – Privacy notice (external and employees), Promotion of Access to Information Act (PAIA) Manual, Document Retention*, IT Policies, Data Breach Procedures and Search and Seizure Guidelines
Provision of Privacy Impact Assessment Template
Provision of POPIACompliance Checklist
Guidance on consent forms/mechanisms (if required)
Provision of Data Protection clause addendum template
Assistance with appointment of Deputy Information Officer and Registration of Information Officer and Deputy with the Information Regulator

POPIA Training (2 hour session)

*Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds and capture same in the Master Data Template provided.

Comprehensive POPIA Compliance Package

Cost: R125,000 (excl VAT)

Recommended for:

Large organisations;
Organisations which process a substantial amount of personal and/or special personal information;
Organisations that are involved in direct marketing; or
Regulated organisations.

Package entails:

Data Mapping:

Questionnaire, meetings with one point of contact from each department (max 3 departments)
Master Data File – compilation of full data landscape in excel – Caveat will, together with the client, complete this as a data mapping exercise using the questionnaire responses
Preparation of Policies – Privacy notice (external and employees), Promotion of Access to Information Act (PAIA) Manual, Document Retention*, IT Policies, Data Breach Procedures and Search and Seizure Guidelines
Provision of Privacy Impact Assessment Template
Provision of Supplier Data Protection Due Diligence questionnaire template
Provision of POPIA Compliance Checklist
Guidance on consent forms/mechanisms
POPIA Compliance Manual for staff
Guidance regarding folder management and procedures to give effect to data subject rights (e.g right to access, objection, amendment)
Review of contract templates (max 10) and provision of data protection clause template addendum.
Assistance with appointment of Deputy Information Officer and Registration of Information Officer and Deputy with the Information Regulator

POPIA Training (two sessions of 2 hours each)

*Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds and Caveat will capture same in the

POPIA Compliance Review Package

Cost: Quote to be provided

Recommended for:

South African subsidiaries within multi-national organisations; or
Organisations which already have certain policies and procedures in place but which want to ensure that they are fully compliant

Package entails:

Review of current/global data protection policies and procedures within organisation – Privacy notice (external and employees), Promotion of Access to Information Act (PAIA) Manual, Document Retention, IT Policies, Data Breach Procedures and Search and Seizure Guidelines
Review of contract templates and provision of data protection clause template addendum
Review of consent mechanisms (if any)
Provision of intra-group transfer agreement
Assistance with appointment of Deputy Information Officer and Registration of Information Officer and Deputy with the Information Regulator
POPIA Training

GDPR, UK & POPIA Compliance Package

Cost: Quote to be provided

Recommended for:

South African organisations which offer products or services to UK and/or EEA residents or monitor the behaviour of UK and/or EEA residents

Package entails:

Option 2 or 3 including:

Provision of POPIA, UK Data Protection and GDPR compliant privacy notice (external and employees), Promotion of Access to Information Act (PAIA) Manual, Document Retention, IT Policies, Data Breach Procedures and Search and Seizure Guidelines.
Review of contract templates and provision of POPIA, UK Data Protection and GDPR compliant data protection clause template addendum.
Assistance with appointment of Deputy Information Officer and Registration of Information Officer and Deputy with the South African Information Regulator. As well as assistance with appointment of EEA Representative if required.
POPIA and GDPR Training.

Data Protection Due Diligence

Cost: Quote to be provided

Recommended for:

Organisations in the due diligence phase of a merger or acquisition

Package entails:

Review of current data protection policies and procedures within the target organisation
Review of contract templates from a data protection compliance perspective
Review of consent mechanisms (if any)
General review of data protection procedures and training

FAQs

Frequently asked questions on Data Protection Law

What is personal information?

The definition of personal information in POPIA is broad and extends to various types of data. Information that relates to an identifiable living natural person or juristic person (such as a company) qualifies as personal information. It includes all information about a person, their characteristics and identifying information, and extends to all confidential correspondence about the person or in reference to the person. Information includes any recorded information regardless of form or medium, including:
tape recorded information;
information produced, recorded or stored on computer equipment or other devices;
written text;
printed material;
filmed material;
books;
maps; and
photographs.

What constitutes special personal information?

Special personal information includes that of:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- health or sex life;
- biometric; and
- allegations of criminal behaviour (criminal convictions, however, are not special personal information).

Is special personal information and information of minors treated differently under POPIA?

Yes, to an extent special personal information and personal information of minors is treated differently to other categories of personal information under POPIA. The reason for this is there is a higher level of risk to the data subject when processing this type of information.
Accordingly, there is a general prohibition against processing this type of information. There are exceptions to this prohibition which require careful consideration whenever an organisation processes special or child personal information.

Does POPIA apply to personal information collected before POPIA became fully effective?

Processing includes storage of information, and accordingly any information which an organisation had in its possession at 1 July 2021 would fall under POPIA.

What is the difference between POPIA and the Promotion of Access to Information Act (PAIA)?

The best way to think of them is that POPIA relates to the protection of personal information and PAIA relates to the access of records (which may include personal information).

When does POPIA not apply to processing personal information?

POPIA does not apply in the following instances:

When personal information is processed in the course of purely personal or household activities;
When the personal information is de-identified:
- There must be no information which would identify the data subject;
- There must be no way of manipulating the information to re-identify the data subject;
- There must be no way of linking the information with other information which would enable re-identification of the data subject;
Certain functions of public bodies are exempt:
- Where processing by that body relates to national security or defence of public safety;
- Where the public body is involved in preventing, detecting, investigating or proving offences, prosecuting offenders or executing criminal sentences;
- The processing of personal information by Cabinet and its committees or the Executive Council a province; or
- The processing of personal information by a court.

My organisation is gathering information that is in the public domain, do we need to comply with POPIA?

Yes, even though the information is in the public domain, you are still obliged to comply with the eight conditions for lawful processing including the duty to notify the data subject (privacy notice) and to secure the data. If personal information is already publicly available you must establish that it was deliberately made public by the data subject, otherwise it may not be lawful to process it.

My organisation wants to outsource certain services to a service provider (Operator), must a contract be concluded?

Your organisation must ensure that service providers establish and maintain security measures to protect personal information. POPIA specifically states what obligations should be imposed on an Operator and requires a formal agreement to be concluded.

Can my organisation transfer personal information of a data subject outside the borders of the Republic of South Africa?

The short answer is yes, but certain requirements need to be met.

Note: where there is an intention to transfer personal information of a data subject to a foreign country or international organisation, the data subject must be made aware of the level of protection afforded to their personal information by the foreign country or international organisation in a foreign country.

What is considered a data breach?

Data breaches are not specifically defined in POPIA. However, if you have reasonable grounds to believe that personal information of a data subject has been accessed by an unauthorised person, then you are required to notify the Information Regulator and the data subject.

Examples of breaches include:

Where a system or portal has been hacked.
Loss or theft of laptops, storage devices such as USB sticks or mobile devices.
An unauthorised person gaining access to a organisation laptop, email account or computer network.
Sending an email with personal data to the wrong person.
A disgruntled employee copying a list of contacts for their personal use.
A break-in at the office where personnel files are kept in unlocked storage.

What are some of the things that organisations can do to mitigate risks?

Ensure that privacy notices are prepared and placed on all forms (electronic and hard copy) in which personal information is collected;
Ensure that all forms (electronic and hard copy) in which personal information is collected only request the minimum amount of personal information required for your organisation’s purposes;
Keep personal information inventories up to date;
Ensure that all records of personal information are retained in accordance with a Record Retention Schedule time periods and securely destroyed;
Ensure that only those employees that require access to personal information have access to the information and are aware of their obligations of confidentiality;
Ensure that any hard copy documents containing personal information are in a locked drawer or room;
Ensure that all Operators have signed data processing agreements in compliance with section 19 of POPIA;
Design and implement appropriate folder management within the organisation;
Ensure that personal information is stored in folders on the server and not on desktops or external drives;
Ensure that when a data subject exercises one of its rights, they are referred to the Information Officer;
Ensure Personal Information Impact Assessments are carried out when necessary; and
Regularly review the data protection practices and the above policies and procedures, and update them to ensure continuous protection.

When thinking about data protection don’t just think about the compliance journey, think of the endless possibilities that truly understanding your organisations’ data processing activities can unlock.

- Louella Tindale, Caveat Panel Member

Get in Touch

"*" indicates required fields

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Data Protection

Law (POPIA) (GDPR)

We assist businesses in all areas of Data Protection Law

Data Protection LAWS & Regulations

Data Protection Packages

FAQs

Get in Touch

Automotive Aftermarket: Overhaul expected from 1 July 2021

M&A Deals: Have you thought about POPI?

POPI: 10 Compliance Tips for Companies

POPI is Finally Here and its Year of Grace will Fly By