Data Protection Law

We assist businesses in all areas of Data Protection Law

In this day and age compliance with data protection laws is imperative. Not only could you face a fine or imprisonment for non-compliance, but recent examples have shown how a breach or failure to act swiftly can give rise to severe reputational damage and possible civil claims. This aside, data protection is becoming a smart and standard business practice in everyday business operations.

Caveat’s various data protection offerings aim to provide pragmatic solutions that set your organisation up for data protection compliance. We aim to provide you with the tools you need to ensure compliance, together with a solid grounding and knowledge of how to implement data protection within your organisation.

Data Protection is not a once-off compliance programme but an ongoing commitment to ensuring the integrity and security of the personal information your organisation holds. Accordingly, the key to any data protection compliance programme is ensuring expert advice and effective implementation measures from the start.



Data is often quoted as the ‘new oil’ and so compliance with Data Protection Law should never just be a tickbox approach. It should be about complying whilst also leveraging potential through understanding the role of – and restrictions on – data in the broader economy.

- Stormme Hobson, Caveat Panel Member


Data Protection Laws & Regulations

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy, which includes the right to protection against the unlawful collection, retention, dissemination and use of personal information. On November 19, 2013, the Protection of Personal Information Act (“POPIA”) was approved to protect the personal information of both natural and juristic persons; it came into full effect on 30 June 2021. POPIA has brought considerable changes to data protection law in South Africa and provides for potential imprisonment as well as fines of up to ZAR10 million for breaches.

Beyond POPIA, there are other laws that make up the data protection laws in South Africa, including the Promotion of Access to Information Act, 2013, the Electronic Communications & Transactions Act, 2005 and the more recently passed Cybercrimes Act, 2020. Furthermore, the UK and EEA General Data Protection Regulations (“GDPR”) have extra-territorial scope. In some instances, South African businesses may need to comply with these laws, particularly where UK and EEA residents are being offered goods or services and/or their behaviours are being monitored.

Data Protection Packages

Recommended for:

Organisations with a limited budget but with available resources to complete and roll out templates and appropriate procedures. This programme is a do-it-yourself programme whereby Caveat will provide training and templates only – accordingly it is not without risk and Caveat accepts no liability whatsoever for any loss suffered by the client in using the templates.

Package entails:

  • Data Protection Training with Q&A on templates (2-hour session)
  • Provision of the following templates:
    • Privacy Notice (external and employees)
    • Document Retention and Destruction Policy*
    • Data Processing Contract Addendum
    • Data Breach Response Plan
    • Information Security Policy
    • Privacy Impact Assessment Template
    • Data Protection Compliance Checklist
    • Any additional policy required by the relevant country’s data protection law

 *Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds.

This option is a do-it-yourself programme whereby Caveat provides training and templates only, and does not guarantee full and proper compliance with Data Protection. There are risks inherent in the use of this option and it is offered in good faith to assist businesses that are unable to afford a bespoke solution, to use at their own risk.

Recommended for:

Organisations that:

  • Have fewer than 20 employees.
  • Deal with limited personal information.
  • Deal with limited special personal information.
  • Send out nominal communications to customers/do not direct market.

Package entails:

  • Questionnaire and max 2-hour follow-up call/meeting with one point of contact
  • Preparation and assistance with implementation of the following templates:
    • Privacy Notice (external and employees)
    • Document Retention and Destruction Policy*
    • Data Processing Contract Addendum
    • Data Breach Response Plan
    • Information Security Policy
    • Privacy Impact Assessment Template
    • Data Protection Compliance Checklist
    • Any additional policy required by the relevant country’s data protection law
  • POPIA Training (2-hour session)

*Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds.

Recommended for:

Small to medium size organisations that:

  • Deal with a fair amount of personal information;
  • Deal with special personal information; or
  • Perform a limited amount of direct marketing.

Package entails:

  • Questionnaire, meetings with one point of contact from each department (max 3 departments)
  • Master Data File – a template will be provided for completion by staff – Caveat will assist in respect of justification for processing of each category of information.
  • Preparation and assistance with implementation of the following templates:
    • Privacy Notice (external and employees)
    • Document Retention and Destruction Policy*
    • Data Processing Contract Addendum
    • Data Breach Response Plan
    • Information Security Policy
    • Privacy Impact Assessment Template
    • Data Protection Compliance Checklist
    • Any additional policy required by the relevant country’s data protection law
  • Guidance on consent forms/mechanisms (if required)
  • Data Protection Training (2-hour session)

*Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds and capture same in the Master Data Template provided.



Recommended for:

  • Large organisations;
  • Organisations that process a substantial amount of personal and/or special personal information;
  • Organisations that are involved in direct marketing; or
  • Regulated organisations.

Package entails:

  • Questionnaire, meetings with one point of contact from each department (max 3 departments)
  • Master Data File – compilation of full data landscape in Excel – Caveat will, together with the client, complete this as a data mapping exercise using the questionnaire responses
  • Preparation and provision of a comprehensive Compliance Framework Manual for staff
  • Preparation and assistance with implementation of the following templates:
    • Privacy Notice (external and employees)
    • Document Retention and Destruction Policy*
    • Data Processing Contract Addendum
    • Data Breach Response Plan
    • Information Security Policy
    • Privacy Impact Assessment Template
    • Data Protection Compliance Checklist
    • Any additional policy required by the relevant country’s data protection law
    • Supplier Due Diligence questionnaire
  • Guidance on consent forms/mechanisms (if required)
  • Guidance regarding folder management and procedures to give effect to data subject rights (e.g. the rights of access, objection and amendment)
  • Review of contract templates (max 10) and provision of data protection clause template addendum.
  • Data Protection Training (2-hour session)

*Caveat will provide the policy and legislated retention periods. Client will need to consider retention periods for all personal information it holds and Caveat will capture same in the template provided.



Recommended for:

  • Subsidiaries within multi-national organisations; or
  • Organisations which already have certain policies and procedures in place but which want to ensure that they are fully compliant

Package entails:

  • Review of current/global data protection policies and procedures within the organisation with a view to localising them and ensuring compliance with local laws
  • Review of contract templates and provision of data protection clause template addendum in compliance with local laws
  • Review of consent mechanisms (if any)
  • Provision of intra-group transfer agreement
  • Data Protection Training

Recommended for:

Organisations situated outside the UK or EEA which offer products or services to UK and/or EEA residents or monitor the behaviour of UK and/or EEA residents

Package entails:

Option 2 or 3 including:

  • Provision of UK and/or EEA-compliant policies and procedures
  • Review of contract templates and provision of POPIA, UK Data Protection and GDPR-compliant data protection clause template addendum.
  • Assistance with appointment of EEA Representative if required.
  • Data Protection Training covering local laws as well as UK and/or EEA laws.

Recommended for:

  • Organisations in the due diligence phase of a merger or acquisition
  • Organisations requiring an audit of their data protection compliance

Package entails:

  • Review of current data protection policies and procedures within the target organisation
  • Review of contract templates from a data protection compliance perspective
  • Review of consent mechanisms (if any)
  • General review of data protection procedures and training

FAQs

Frequently asked questions on Data Protection Law

The definition of personal information in data protection laws generally covers any piece of identifiable information. It includes all information about a person*, their characteristics and identifying information, and extends to all confidential correspondence about the person or in reference to the person.

Information includes, but is not limited to, any recorded information regardless of form or medium, including among others:

  • tape-recorded information;
  • information produced, recorded or stored on computer equipment or other devices;
  • written text;
  • printed material;
  • filmed material;
  • books;
  • maps; and
  • photographs.

*Unlike in most other countries, in South Africa the personal information of companies, trusts, and closed corporations is protected in addition to natural persons.

Special personal information includes:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • health or sex life;
  • biometric information; and
  • allegations of criminal behaviour (criminal convictions are not special personal information).

The above list is not exhaustive as some countries have additional information which is deemed special (e.g. financial information or familial information) and so it’s always important to check your country’s data protection laws.

Yes, to an extent special personal information and personal information of minors is treated differently to other categories of personal information under data protection laws. The reason is that there is a higher level of risk to the data subject when processing this type of information.

You would need to check your local data protection laws but generally, data protection laws do not apply in the following instances:

  • When personal information is processed in the course of purely personal or household activities;
  • When the personal information is de-identified:
    • There must be no information which would identify the data subject;
    • There must be no way of manipulating the information to re-identify the data subject; and
    • There must be no way of linking the information with other information which would enable re-identification of the data subject; and
  • When certain functions of public bodies are exempt (this is sometimes the case).

Some of the service providers that would be Processors include payroll providers, recruiters, cloud service providers, IT support providers, email marketing/survey providers. Researchers could also be Processors but it would depend on whether it is the organisation or the researcher who is determining the scope, ways and means of the research activity. If it is the organisation determining this, then the researcher would be a Processor.

Yes, even though the information is in the public domain, you are still obliged to comply with the conditions for lawful processing, including the duty to notify the data subject (privacy notice) and to secure the data. If personal information is already publicly available you must establish that it was deliberately made public by the data subject otherwise it may not be lawful to process it.

  • Ensure that privacy notices are prepared and placed on all forms (electronic and hardcopy) in which personal information is collected;
  • Ensure that all forms (electronic and hardcopy) in which personal information is collected only request the minimum amount of personal information required for your organisation’s purposes;
  • Keep your personal information inventories up to date;
  • Ensure that all records of personal information are retained in accordance with Record Retention Schedule time periods and securely destroyed;
  • Ensure that only those employees that require access to personal information have access to the information and are aware of their obligations of confidentiality;
  • Ensure that any hard-copy documents containing personal information are in a locked drawer or room;
  • Ensure that all processors have compliant contractual terms in place;
  • Design and implement appropriate folder management within your organisation;
  • Ensure that personal information is stored in folders on the server/cloud and not on desktops or external drives;
  • Ensure that when a data subject exercises one of their rights, they are referred to the Information Officer or Deputy Information Officer;
  • Ensure Personal Information Impact Assessments are carried out when necessary;
  • Regularly review your data protection practices and policies and procedures and update same to ensure continuous compliance.

When thinking about data protection don’t just think about the compliance journey, think of the endless possibilities that truly understanding your organisation’s data processing activities can unlock.

- Louella Tindale, Caveat Panel Member
