Protection of Personal Information Act Policy



This guide will answer your frequently asked questions (FAQ) about the impact the Protection of Personal Information Act (POPIA) on our business. At Rattlehub Digital we believe in the protection of personal information of data citizens. Our business is built on trust and security, it is our license to operate.

In the near future, everyone in South Africa will have to endeavour to protect the personal information they process. POPIA sets conditions that any person, or system, who processes personal information must comply with. POPIA aims to protect the personal information of people (like consumers and employees) so that they do not become victims of things like identity theft1, which can have very serious consequences. However, POPIA does not aim to stop the free flow of information. It recognises that there needs to be a balance.

By using our digital data exchange, Rattlehub Digital ensures that personal information is processed securely, lawfully and transparently.

Rattlehub Digital offers three main products, for:

  • the individual we offer permyssion2.
  • the financial advisor/business we offer our Advisor Console3.
  • the deceased estate executor we offer our Estate Console4.

Key points and possible actions

  • Be responsible when processing personal information.
  • Take practical effective steps to protect it whenever possible.
  • You cannot protect all personal information, all the time. But you should try.
  • It is very unlikely that anyone will go to jail for unlawfully processing personal information.

POPIA Myth Busters

A POPIA myth is a widely held but false belief or idea about the Protection of Personal Information Act (POPIA). Let’s set the record straight.

  • POPIA does not mean that you cannot process personal information.
  • It is very unlikely that anyone will go to jail for unlawfully processing personal information.
  • POPIA is not just an IT issue.
  • You can store personal information overseas and transfer it outside of South Africa, as long as the data protection laws and regulations in the jurisdiction are of an equal or higher standard than those in South Africa.
  • POPIA does not mean you cannot use the cloud.
  • POPIA also applies to public (not just private) personal information and the conditions for lawful processing apply.
  • No one can certify POPIA compliance.


What is POPIA?
It is the Protection of Personal Information Act, a law passed by the South African parliament, which sets the conditions that you must follow to lawfully process the personal information about persons.

Why did POPIA come in to existence?
POPIA protects people (like you and me) from harm (both physical and loss of money) by requiring those who process our personal information to protect it. For this reason, alone, POPIA is important.

The protection of personal information is definitely needed now, more than ever. With the rise of computing power and devices like smart phones/watches and tablets, personal information is at greater risk than ever before. POPIA will enable personal information to be transferred to South Africa. This is because, under POPIA, South Africa will meet international data protection standards as set out by the European Union. Therefore, businesses will prefer to store data in South Africa which will bring economic benefits for the country and businesses operating in South Africa.

Key points and possible actions:

  • POPIA is not going to change
  • Your processing of personal information only needs to comply with the conditions in POPIA in about mid 2018

What about the protection of state information?

The Protection of State Information Bill (POSI) requires people to protect state information and is different to POPIA. You may process state information or decide how to process state information and therefore POSI may be applicable to your organisation. According to POSI state information is valuable and must be handled according to specified procedures. State information may also be categorised as ‘classified’ when it is justifiable in terms of national security. The people that are able to handle, process and view classified state information are extremely restricted. If you think that you might be handling or processing state information you need to identify if you are authorised to do so and what that authorisation permits you to do.

However, at this point, the president has not yet signed the latest version of the POSI Bill. This means it is a long way from being enacted. POSI will replace Protection of Information Act 84 of 1982. Therefore, until that point the Protection of Information Act applies to state information. Once again, this Act places obligations on parties who handle and store state information. The Act includes people or entities that either knowingly or reasonably ought to know they are handling or storing state information. Violations of the provisions of the Act constitute an offence.

It is important to understand your position when it comes to state information under both the Act and the POSI Bill. These pieces of legislation might not permit you to store information with a third party such as Rattlehub Digital and it may be necessary to get a legal opinion for your business on this matter.

Does POPIA apply to everybody?

Yes, virtually everybody. POPIA applies to everybody who processes personal information. It applies to all public (like Home Affairs and SARS) and private bodies (like financial institutions and direct marketers). Process is defined extremely broadly. In terms of POPIA processing means any operation or activity (either automated or not) that involves the collection, receipt, recording, organisation, collation, storage, updating, retrieval, dissemination, distribution, merging and degradation or erasing of data.

Key points and possible actions:

  • POPIA applies to Government.
  • POPIA has a big impact on anybody in the financial services, marketing sectors or services that involve the storage of physical or electronic data.

 Who is exempt from complying with POPIA?

Very few people, but some are. For example, SAPS, Cabinet and journalists who process personal data for journalism.6 Some processing of personal information is exempt. For example, if you process personal information in the course of a purely personal or household activity.7

Do you have to comply with POPIA?

Yes, you must comply with POPIA (and the consequences for non-compliance are quite severe), but you also want to do it efficiently and get business value out of those efforts.

You must comply with the conditions of POPIA and protect the personal information that you process. If you are suspected of not complying with POPIA, the Information Regulator will notify you.

Key points and possible actions:

  • POPIA almost certainly applies to you and you are not exempt. You must comply
  • You should do what is reasonably practicable to protect personal information
  • You cannot protect all personal information all the time

What could happen if you do not comply?

In terms of section 91(2) of POPIA ‘the Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so.’ This could lead to significant reputational damage. Your records management practices may be aired in public.

On the evidentiary front, the non-retention of records that had to be retained by law may lead to negative inferences to be drawn by the courts in subsequent litigation should they not be available as evidence.

There are significant consequences for non-compliance, including:

  • Suffer reputational damage.
  • Lose customers and fail to attract new ones.
  • Pay out millions in damages in a civil class action.8
  • Be fined up to R10 million or face 10 years in jail for committing an offence.9

The reputational damage is probably the biggest risk. There are not many offences in POPIA (for example it is not an offence if you fail to comply with the conditions) and generally speaking you will know when you commit one. It is quite hard to commit an offence, but if you do, the Information Regulator can fine you if it merely alleges you have committed an offence.
6POPIA, Section 6 and 7
7POPIA, section 6(1)(a)
8POPIA, section 99
9POPIA, section 109

What will happen to you, if you recklessly disclose a bank account number?

You could be fined R10 million or jailed for up to 10 years, if you:

  • Fail to comply with the conditions when processing account numbers
  • Knowingly or recklessly obtain or disclose an account number
  • Sell (or offer to sell) an account number

Key points and possible actions:

  • Focus on account numbers. It is especially important to secure devices that have account numbers on them or records that have account numbers in them.
  • It will be hard for you to commit an offence, but if you do, you will be in trouble.
  • It is unlikely that anyone will go to jail.
  • If you get fined, seriously consider paying the fine. If you don’t, you could get a criminal record, suffer reputational damage, have to pay huge legal fees, risk a Magistrate making an adverse finding against you.

How can we help you?

  • Rattlehub Digital processes financial information which includes bank account numbers
  • Rattlehub Digital has implemented various information security measures to protect unauthorised access to account numbers
  • Rattlehub Digital encrypts all personal information including account numbers

Who is the responsible party?

Whoever decides to process personal information in a certain way, is the responsible party. It is the person that, alone or in conjunction with others, determines the purpose of (why) and means for (how) processing personal information. 13 If you are processing personal information for somebody else, you are their operator and they are the responsible party.

Key points and possible actions:

  • The person who decides why and how the personal information is processed, is the responsible party.

Who is the operator?

If you are processing personal information for somebody else, you are their operator. If you do not determine the purpose and the means for processing the personal information you are the operator. An operator processes personal information for a responsible party under a contract. Operators are required to process information only under authorisation from the responsible party concerned.
Operators must also treat all information in their knowledge as confidential unless disclosure is required by law.
All Rattlehub partners are expected to provide the same stringent POPIA related controls within their environment and systems.

10 POPIA, section 105(1)
11 POPIA, section 106(1)
12 POPIA, section 106(3) and (4)
13 POPIA, definition of responsible party

Key points and possible actions:

  • In most cases Rattlehub Digital clients determine the purpose and means for processing, therefore they are the responsible parties.

Does POPIA only relate to consumer data?

No, it relates to all personal information. Almost all consumer data is personal information, but personal information is much broader than just consumer data. For example, personal information includes the personal information of employees.

Does POPIA apply outside of South Africa?

Yes, POPIA does apply outside of South Africa. A responsible party does not need to be domiciled in South Africa for POPIA to apply. If the responsible party uses equipment in the country to process information, then POPIA applies to that information.

What is personal information?

It includes information like race, gender, or age or relating to the education of a person. It includes the medical, financial, criminal or employment history of a person. And contact details like an email address, telephone number or location information.

It is any information that relates to an identifiable, living, natural person. In other words, it is information that identifies a human being. But in some circumstances, it can also be information, which identifies an existing juristic person like a company, close corporations or trust.

POPIA also applies to public (not just private) personal information and the conditions for lawful processing apply.

Key points and possible actions:

  • Personal information includes a broad category of information
  • Personal information will be amongst all of your records and on all of your devices
  • Information that has been de-identified is not personal information
  • Information about a company can also be personal information
  • Rattlehub Digital processes personal information on your behalf

Whose information must you protect?

It is any information that relates to an identifiable, living, natural person. In other words, it is information that identifies a human being. However, in some circumstances it can also be information that identifies an existing juristic person like a company, close corporation or trust.

Key points and possible actions:

  • Information about a company can also be personal information. Companies can be the owners of properties in the vicinity.
  • The responsible party must do what is reasonably practicable to protect personal information. This will depend on the nature of their business and the kind of personal information that they process. For example: it is not reasonably practical for a small company that does not have resources to encrypt all outgoing emails and documents.

What must be done to protect personal information?

There are different ways to protect personal information. How you protect personal information will depend on what form the information is in and how the personal information is processed.
By protecting personal information, you stop third parties from getting information and harming the person (data citizens) to whom it relates.

Key points and possible actions:

  • Store electronic documents on systems that are encrypted.
  • Save electronic documents to the cloud. Cloud storage is where data is stored on remote servers that can be accessed using the Internet. Working with cloud storage means that you are not working from a local drive but rather from a central drive that you can access from anywhere. Cloud storage means that you do not need to take up valuable office space with local servers and paper document storage.
  • Implement procedures within your company to address how the personal information of data subjects is used and who is allowed to use it.
  • File physical documents (that contain personal information of your customers) in cabinets that have controlled access and are secure.

How can we help you?

  • Rattlehub Digital stores all information electronically.
  • All Rattlehub Digital products use encryption to ensure the lawful and protected processing of personal information.
  • Rattlehub Digital uses trusted cloud storage to protect your personal information.
  • Rattlehub Digital has adequate policies in place to protect personal information in their system from unauthorised access.

When will POPIA come into force? When must you comply by?

The President has signed POPIA in 2013, so it is here to stay. The regulations will not be significant so we know that material we have available is what we need to comply with. The Office of the Information Regulator has been created and consists of Adv Pansy Tlakula as the chair, Adv Cordelia Stroom (PAIA) and Mr Johannes Weapond (POPIA) as full-time members, and Prof Tana Pistorius and Mr Sizwe Snail as part-time members. The Regulator has drafted the first draft of the POPIA Regulations and will announce a commencement date for POPIA.14 The Regulator published the draft Regulations for POPIA in September 201715. You will have a one-year grace period after POPIA commences. The best course of action is for responsible parties and operators to take action steps now.

14 https://www.michalsons.com/blog/popi-commencement-date-popi-effective-date/13109
15 https://www.michalsons.com/blog/popi-regulations-popia-regulations/12417

Key points and possible actions:

  • POPIA is not going to change
  • Your processing of personal information only needs to comply with the conditions in POPIA in about mid 2018

How can we help you?

  • Rattlehub Digital processes personal information in terms of the conditions of POPIA

When am I processing personal information?

You process information when you do anything with personal information. This includes processing using automatic means. For example, you are processing personal information:

  • when you collect it,
  • when you merge information,
  • when you organise information,
  • when you update or modify information,
  • when you archive records that include personal information.

Does POPIA apply to paper-based forms or paper documents?

Yes. POPIA applies to all personal information, including information found in paper documents. Personal information in electronic form is also covered by POPIA.

Does POPIA require me to have accurate data?

Yes, the responsible party must take steps that are reasonably practicable to ensure that the information is accurate and complete.

Does POPIA require me to make disclosures?

Yes, you must be open about how you process personal information.16 You must be able to provide people with a description of the subjects on which you hold records and the categories of records you hold on each subject.17 You also need to notify the data subject of lots of things when you collect their personal information, including the nature or category of the information you collect from them. 18

What is de-identified personal information?

Personal information is de-identified when you delete information about the specific data subject and you are then unable to link the information to the data subject. In other words, you cannot identify a specific person from the information you have. POPIA does not apply to de-identified information.19

16 POPIA, condition 6
17 POPIA, section 17 and PAIA section 14 and 51
18 POPIA, Section 18(1)(h)
19 POPIA, definition of “de-identify”

When can I use records for historical, statistical or research purposes?

When the personal information is de-identified and meets the purpose the information was collected for or the law requires you to retain the record.

When is personal information no longer personal information?

De-identified personal information is not personal information.
Personal information of a deceased person is not personal information, as it does not relate to a living natural person.

Does the law now require information security?

Yes, it does. You had been securing the information that you have for a long time already because it made business sense to do so. POPIA now also places a legal obligation on you to secure the information you process. You must secure both the integrity and confidentiality of your personal information by taking appropriate, reasonable technical (like using encryption) and organisational (like policies) measures to prevent loss and unlawful access (a hack).20

20 POPIA, section 19

What is appropriate and reasonable information security?

It depends. The question is what was appropriate and reasonable for you to do considering the type of person information that needs to be protected. What is appropriate and reasonable for some may not be appropriate and reasonable for others. But there are certain things that will be considered appropriate and reasonable measures for most people to take. One of those is to use encryption and policies to secure person information on mobile devices. Mobile devices contain lots of personal information, which is at higher risk considering that mobile devices by their nature move around a lot. You need to secure that information.

Key points and possible actions

  • The law requires you to take both technical and organisational measures
  • If you encourage or allow users to use mobile devices, you must take measures to secure them

We can help you?

  • Rattlehub Digital has taken both technical and organisation measures to ensure the information that is processed is done securely
  • Rattlehub Digital uses encryption to secure your documents
  • Rattlehub Digital stores information securely using the cloud

Does cost play a role in determining what is reasonable?

Yes, it does. To consider whether an organisation took reasonable measures the Information Regulator (or a court) would have to take into account how much money the organisation had available to it to protect its information.

Key points and possible actions

  • You must do what is appropriate and reasonable for you
  • The challenge is to take practical effect of action to protect personal information at the lowest cost. And to get business value out of those efforts

Must you encrypt your personal information?

Yes, because it is a key technical measure for securing data. Encryption is the first line of defence. Encryption is very important and is a key aspect of complying with POPIA.

As the data custodian for permyssion, Rattlehub Digital have embedded a conscious design principal which encrypts POPIA related data within the platform with the aim being “the data cannot be linked to any specific individual”.

Can the cloud help me to comply with POPIA?

Yes, it can. If many copies of personal information exist in many different places it is exposed to a greater number of risks. If you can consolidate their personal information into one central location in the cloud and then control the security and access to their personal information, you will be protecting personal information.

Key points and possible actions

  • POPIA does not mean you cannot use the cloud
  • Using the cloud can be an effective way of protecting personal information

How can we help you?

What about cybersecurity?

The Cybercrimes and Cybersecurity Bill 21 was first published on 28 August 2015 and was updated in January 2017. The Cyber Bill was introduced into Parliament on 22 February 2017. Cybercrime is increasing all the time and the Cyber Bill aims to keep the people of South Africa safe from criminals, terrorists and other states. It also consolidates South Africa’s cybercrime laws into one place. Essentially, it aims to stop cybercrime and improve the security of South Africa.

The Cyber Bill could also impact on the storage of electronic documents with third parties. The Cyber Bill imposes severe penalties, including prison sentences, for the disclosure and possession of classified state documents in various circumstances. This legislation is still in Bill format and therefore it is not yet applicable. However, you should familiarise yourself with its provisions relating to classified state documents.

Who regulates POPIA? Will it have teeth?

The Information Regulator regulates POPIA (http://www.justice.gov.za/inforeg/). Parliament has gone to great lengths to give this regulator teeth. The Information Regulator can ask an organisation to produce a record to enable the Information Regulator to investigate a complaint (section 81 of POPIA). You need to be able to comply with such a request.

21 https://www.michalsons.com/focus-areas/internet-law-internet-regulation/cybercrime-law

Key points and possible actions

  • The Information Regulator has great power in terms of the law
  • We will have to wait to see if it exercises that power

What laws are linked to POPIA?

There are various other laws that also protect personal information. The key ones are:
1. Consumer Protection Act (CPA): Regulates the relationship between suppliers of goods and their customers in many areas.
2. National Credit Act (NCA): Relevant to the receipt compilation retention or reporting of confidential information pertaining to a consumer and the protection of the confidentiality of that information. Section 68 of the Act prescribes what must be done in order to protect such confidentiality
3. Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA): Regulates monitoring and interception of communications including electronic communications in South Africa
4. Promotion of Access to Information Act (PAIA): Promotes the constitutional right to access personal information, by permitting individuals access to both manual and computer records containing pertaining information about them. It makes it an offence to destroy, damage, alter, conceal or falsify a record. It imposes duties on the information officers to publish a manual (the PAIA Manual) on the procedure for accessing records.
5. General Data Protection Regulation (GDPR): Legislation that is aimed at safeguarding a person’s personal information when it is processed by public and private bodies. This regulation applies to all European Union member states. It will be fully enacted in two years’ time.
6. The Data Protection Act (United Kingdom): The equivalent of POPIA in the United Kingdom that prescribes how personal information must be processed by public and private bodies.
7. The Protection of Information Act (PI Act): The Protection of Information Act is in the process of being amended. It regulates the protection of certain types of information in the interests of national security. It will be repealed by the Protection of State Information Act, once enacted
8. Protection of State Information (POSI): This bill aims to regulate the classification, protection and dissemination of certain types of information in the interests of national security. It attempts to weigh up state interests against transparency and freedom of expression. It will repeal the Protection of Information (PI Act) 84 of 1982. The National Assembly passed the Protection of State Information Bill and it was sent to the President to be signed. The President has now referred it back to Parliament for certain sections to be redrafted. The new version is currently sitting on the President’s desk waiting to be signed

If there is a conflict between POPIA and another law, POPIA prevails. But if another law gives greater protection to personal information, the other law will prevail. For example, if POPIA says you do not need to get consent to market to someone and another law (like the NCA) says you do, the NCA will apply and you will have to get the persons’ consent.

There are various other laws, rules, codes or standards that relate to IT.22

22 http://www.michalsons.co.za/it-laws-ict-laws-rules-codes-and-standards-list/3219

Key points and possible actions

  • Be aware of all laws, rules, codes or standards that relate to IT

When do you need opt in consent?

When you want to direct market by electronic means (like email and SMS) to prospects. You don’t need opt-in consent to market to your customers.

Opt-in for all

It is international best practice to obtain opt-in consent from everyone. It is a higher standard than what the Consumer Protection Act (CPA) currently states and what POPIA states. This option is bad for marketing purposes as customers and prospective customers need to actively choose to opt-in, which they are unlikely to do. Your existing databases will shrink dramatically.

Opt-out for customers and opt-in for prospects

You do not need to obtain opt-in consent for your existing database of customers, but you will need to obtain opt-in consent from prospective customers for direct marketing by electronic means. While this is not the current legal position, it will be the position soon.

Opt-out for all

You do not need to obtain consent for your existing database. If you belong to any association you must check their codes and standards as they may impose stricter conditions even before POPIA comes into force. Once POPIA is in force you should not be choosing this option.

Key points and possible actions

  • If you belong to associations first check what their codes and standards say.
  • If you do not belong to an association, then you can continue on an opt-out basis until POPIA is in force.
  • If you would like to start complying with POPIA then continue on an opt-out basis for your existing database, but obtain consent for direct electronic marketing.
  • Once POPIA commences you do not need to obtain opt in consent from your clients’ existing databases. These people have always had the option to opt out, but chose to remain subscribed, therefore they have tacitly consented and are happy to receive your clients’ emails.
  • You can choose to continue on an opt-out basis for all, but this is very risky and prospects are likely to complain.
  • Think of clever ways on getting opt-in consent, like a promotional competition, a loyalty program, or in exchange for access to great content (like a book or guide).
  • Ensure that the copy of the opt-in request is really good, including specifying clearly what the benefits are to the person of opting in. For example, “By consenting you will be the first to know of great deals”.

How must you get consent?

  • A person must have a choice whether to consent or not. (it must be voluntary)
  • The consent must relate to a specific purpose (for example, to contact me about insurance products). You must specify your purpose.
  • You must notify the data subject of various things as set out in section 18 of POPIA.
  • You must inform the person sufficiently to enable them to make a decision.
  • The person must express their will in some form. For example, tick a tick box, or click on a link or a button, or order something.
  • Another important point is that POPIA does not require you to get the consent of the data subject in all instances. There are many other justifications in section 11 that you can rely on to process lawfully. Consent can be very useful, but it is not the only justification. 23

Key points and possible actions

  • If possible, try to get the consent of people to market to them
  • Use opt-in boxes
  • Record when and how you got consent, and what it covers
  • Check your existing marketing consent clauses to ensure they comply with POPIA and allow you to market to people in the ways you want to

How can we help you?

  • Rattlehub Digital will not share information without the consent of the data citizen
  • Permyssion is built around receiving permission from the relevant parties to process their personal information
  • Permyssion allows the data citizen to access, update and control the personal information that is processed by Rattlehub Digital
  • These principals are embedded into the name of our product ‘permyssion’ which is formed from combining ‘my permission’ into one word

How long can I retain personal information?

You must not retain personal information for any longer than you need it to achieve the purpose (the reason why you collected it).24 In the case of a data storage service, your purpose will be related to retaining the information for lengthy periods of time. As long as this purpose is clear to the customer then you should be able to retain information for the required time period.
Once the purpose is complete, you must delete the personal information, unless you can find a justification for retaining it.25

23 http://www.michalsons.co.za/consent-POPIA-and-other-legal-requirements/12623
24 POPIA, section 14(1)
25 POPIA, section 14(1)(a)-(d)

Key points and possible actions

  • POPIA has an impact on how you retain information
  • You need to know what your purpose is and when you have achieved it
  • You want to define your purpose as broadly as possible

How can we help you?

  • Rattlehub Digital has data retention and destruction processes in place to avoid retaining information that has become obsolete
  • Rattlehub Digital will not retain personal information longer than is necessary or once the purpose for the collection of the information has been achieved

What happens if another law requires me to retain a record that includes personal information?

If another law requires you to retain the information for a longer period than POPIA prescribes, that law will prevail.

What about the rest of the world?

There have been data protection laws in the EU and UK for many years. South Africa is rightly following in the footsteps of the rest of the world – it is not trying to lead the way or be different. POPIA brings South Africa in line with the rest of the world.

The leader in data protection law is Europe. In April 2016, the European Union Parliament adopted the General Data Protection Regulation (GDPR) which prescribes a two-year transition period by which time member states must comply with the regulation which replaces the 1995 Directive. The GDPR applies to any data processing activities that are done by a controller in the EU. It also applies to all processing of the data of data subjects residing in the EU even if the entity processing the data is not in the EU. The GDPR will have far reaching consequences for all businesses. We will discuss the GDPR and how it applies to our business in more detail further in this document.

Prior to the Brexit decision the GDPR would have also applied to the United Kingdom. The UK Data Protection Act is in the process of being replaced. The UK government published the Data Protection Draft Bill 2017 on 14 September 2017 26. This Bill prescribes a similar set of data protection principles to POPIA and the GDPR. Like the GDPR this Bill also refers to data controllers and data processors. The Bill requires that if you are processing data this must be done lawfully, fairly, for a limited stated purpose and not transferred outside of the EU without adequate protection. The data must be used for in a way that is adequate, relevant, not excessive and kept secure for no longer than is absolutely necessary. The Bill will be similar to the GDPR but they are negotiating some exceptions.

The United States has limited data protection. They are in the process of legislating for data protection with The Consumer Privacy Bill of Rights Act (CPBORA).

Currently, the EU-US Privacy Shield provides data protection mechanisms for transfer of data between the EU and the US.27 The Privacy Shield replaces the Safe Harbour Agreement that was in operation between the US and Europe. The idea behind the EU-US Privacy Shield is that it will create a blanket permission that allows for the flow of data between the US and EU (like the Safe Harbour Agreement) but this time round the EU has demanded American intelligence agencies are limited in their collection of data on Europeans. The specific details are still being negotiated by the parties but it does look like they will reach a conclusion soon.

Key points and possible actions

  • The EU and the UK data protection laws prohibit the transfer of data to countries that do not have the same level of data protection as them.
  • A new safe harbour called the EU-US Privacy Shield has been agreed.
  • Trump recently signed an executive order that drew international speculation as to whether the new EU-US Privacy Shield was still in force28

26 https://www.gov.uk/government/collections/data-protection-bill-2017
27 https://www.michalsons.com/blog/new-privacy-shield-principles/22170
28 https://www.michalsons.com/blog/what-is-the-impact-of-the-executive-order-on-the-privacy-shield/24576

How we can help you?

  • Rattlehub Digital is taking effective steps to ensure compliance with the GDPR by the end of the grace period in 2018

Can data be transferred across borders?

You as a responsible party must protect the personal information of your data subjects when the data is transferred to a third party in another country. The other country may not have the same level of data protection as your country.
POPIA says that personal information may not cross borders unless there are measures in place, like:29

29 POPIA, section 72

  • There are binding agreements providing adequate protection between the responsible party and the third party;
  • The data subjects give their consent;
  • The transfer is necessary for the performance of a contract;
  • The transfer is for the benefit of the data subject.

Key points and possible actions

  • Rattlehub Digital transfers personal information across borders
  • Rattlehub Digital uses Microsoft Azure to process personal information in a secure environment

How we can help you?

  • Rattlehub Digital complies with the conditions of POPIA and the principles of the GDPR when transferring personal information across borders.
  • Data citizens consent to the transfer of their personal information across borders.
  • By using Advisor Console data citizens are assured that their financial information will be processed securely.
  • https://rattlehub.com/for-the-financial-advisor-business

Must you still notify regulators in the event of a lost or stolen encrypted device?

No, you do not have to notify the information regulator or the data subjects, because an unauthorised person is unlikely to have accessed the personal information.

Encryption is a way of using keys to lock access to electronic data. Security policies may make it so that if the device does not check-in with the server after a period of time, or a user enters an incorrect password too many times, the device is locked. These policies will execute even though the device is not connected to the Internet, and you are able to set custom rules. Rattlehub Digital takes protective actions even though the device may not be connected to the Internet.

What is the GDPR?

The General Data Protection Regulation or GDPR is a new data protection law Europe has enacted that will apply to the whole of the European Union (EU) as well as many organisations in other parts of the world. The GDPR sets out a number of requirements for anyone who controls personal data (aka the data controller) to lawfully process personal data. If you do business in Europe or target EU citizens, you will have to comply with these requirements.

Many European member states will now amend their data protection laws to be in line with the GDPR if their data protection laws provide less protection than the GDPR. 30

30 Germany has already passed its new Federal Data Protection Act Bundesdatenschutzgesetz or BDSG that takes the GDPR into account.

Key points and possible actions

  • If you do business in Europe, or if you process EU citizens’ personal information, then the GDPR does apply and you have to comply with its requirements

How can we help you?

  • Rattlehub Digital processes personal data in Europe and will implement the changes required to comply with the GDPR by the end of the grace period

What are the differences between POPIA and the GDPR?

The GDPR uses slightly different terms:
A data subject is a natural person, the GDPR does not provide protection for juristic persons. A data subject is a citizen of any EU country or of another country
A data controller is a natural or legal person. The controller determines the purposes and conditions for the processing of personal data. For example, profit companies, non-profit companies, governments, state agencies and people
A data processor is a natural or legal person who processes personal data on behalf of the controller. For example, an IT vendor

The GDPR does not create such serious penalties for failing to protect an account number. It deals with the right to be forgotten and data portability. The GDPR includes a definition of genetic data and requires data controllers to do data protection impact assessments. The fines are much bigger in the GDPR as they are in Euros.

Genetic data as a form of personal information is one of the new aspects of data protection brought about by the GDPR. Genetic data includes certain information about a particular data subject, gathered from blood or tissue samples, for example. It is protected as a special category of personal data under the regulation.

When will the GDPR come into force?

When must you comply by?
The GDPR came into force on 24 May 2016 and the two-year grace period will end on 25 May 2018.

Why is the GDPR relevant to me in South Africa?

The General Data Protection Regulation applies to any data processing activities that are done by a controller in the EU. It also applies to all processing of the data of data subjects residing in the EU even if the entity processing the data is not in the EU. So, if any entity is offering goods and services to EU citizens or monitoring their behaviour they will be required to comply with the GDPR.

What steps must I take to comply with the GDPR?

Data processing under the GDPR must be lawful, transparent and for a specific purpose.

Controllers will have to designate a data protection officer (some small and medium-sized enterprises (SMEs) are exempt). They will also have to keep documentation about their processing activities. Some controllers outside the EU will have to appoint a representative in the EU.

Controllers will have to implement data security requirements and build data protection safe guards into their products and services from an early stage of development (commonly known as privacy by design).

Controllers must perform a data protection impact assessment (some SMEs are exempt) for their high-risk processing activities and, in some instances, this may involve consultation with a supervisory authority before proceeding. Some controllers will have to obtain prior authorisation from a supervisory authority.

Controllers must explain to the data subject that they have the right to transparent and accessible policies that explain how their data will be processed. A data subject must be able to interact with the processing procedure (for example a mechanism for a data subject to request rectification or erasure). Controllers must identify themselves (or their representative) and their data protection officer.

The controller must tell the data subject in a clear and understandable way:

  • why they process,
  • how long they will store personal data,
  • how to request the rectification or erasure of personal data;
  • the right to lodge a complaint and the details of the supervisory authority and;
  • if the collection of personal data is obligatory or voluntary and the possible consequences if the data is not provided.

If there is a data breach, controllers must notify the supervisory author and the data subjects involved. Incident response and the need for a breach coach is going to become more important.

When am I processing personal data under the GDPR?

Processing is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.31

Personal data is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

Key points and possible actions

  • Personal data is very broad
  • Personal data will be amongst all your records and on all your devices
  • Records include customer information like profession, investment, accounts, health and social information

What is data portability?

It is about moving or copying personal data from one place to another, whether it be from one data controller to another or one IT system to another. Article 20 set out the right that the data subject has to data portability. This means that the information that the data subject has provided to the data controller must be able to be moved in a structured and commonly used format.33

Key points and possible actions

  • The personal data must be portable

Can data be transferred across borders?

Personal data can be transferred to a third country if the Commission has decided that the third country, territory or international organisation provides an adequate level of protection.  The Commission will take the following elements into account when assessing whether there is an adequate level of protection:

  • The rule of law and relevant legislation, data protection rules amongst others;
  • Whether there is an effective independent supervisory authority ensuring compliance with data protection rules; and
  • The international commitments the third country or international organisation has entered into, or other obligations arising from legally binding instruments in relation to the protection of personal data

Key points and possible actions

  • South Africa (once POPIA is in force) will provide adequate levels of protection.
  • The Commission will have to decide that South Africa offers adequate levels of protection for personal data to be transferred here.

How long can I retain personal information?

The data subject has the right to inform the data controller the erasure of their personal data, and the data controller is obligated to do so without undue delay.34

What is the right to be forgotten?

In the GDPR a data subject has the right to have their personal data erased and no longer processed if the personal data is no longer necessary for the original purpose for which it was collected, or if the data subject has withdrawn their consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.35

33 Article 20.1 – 20.3
34 Article 4
35 Article 17

How can we help you?

Permyssion allows data citizens to:

  • Archive their data using the platform.
  • Download the archived data from the platform.

Rattlehub Digital :

  • Removes all your data from the platform at the end of a user’s last paid month;
  • Keeps a full audit trail from the time the user requested the cancellation until the information has been removed.

Does the GDPR require information security?
Yes, it does. The data controller as well as the data processor are responsible for ensuring that appropriate technical and organizational measures are in place (appropriate to the risk involved). This includes:

  • Pseudonymisation and encryption of personal data;
  • Ongoing confidentiality and resilience of systems and services;
  • The ability to restore access to the personal data in the event of an incident;
  • Regular testing and evaluating the effectiveness of the current security measures

In assessing an appropriate level of protection regard must be given to the risks presented by processing, in particular from destruction (whether accidental or unlawful), loss, alteration or unauthorised disclosure of personal data. Any person working for the controller and processor must only process on their respective instructions.

Who regulates the GDPR?

Each member state will create or provide one or more public bodies to be responsible for monitoring the application of the GDPR. These will be known as the ‘supervisory authority’.

Must I notify someone of a data breach?

Yes. The controller must without undue delay and if possible, within 72 hours of becoming aware of the breach, notify the supervisory authority of the breach. The notification must include:

  • The nature of the breach, the categories and approximate number of data subjects, and the categories and approximate number of personal data records affected;
  • The name and contact details of the data protection officer or another contact person where more information can be obtained;
  • The possible consequences of the data breach; and
  • The measures taken or measures that will be taken by the controller to address the data breach, including any measures to mitigate the adverse effects.

The supervisory authorities will act with complete independence and remain free from external influence and not take instructions from anybody.41

You must also notify the data subject of the breach if the breach is likely to result in a high risk to the rights of the person. This notification must also be without undue delay The notification to the data subject must be in plain language and contain the same points mentioned above.

36 Article 32
37 Article 43.1
38 Article 32.2- 32.4
39 Article 51
40 Article 51
41 Article 52
42 Article 34

What are useful links for more information?