Why is privacy and data protection so important?
Personal data has arguably become the greatest asset of our generation. Given the rapid rise of innovative technologies, cloud mobility, and the internet of things, companies are becoming increasingly aware of the regulatory considerations regarding their use, storage, and cross-border transfer of personal data. Non-compliance can have significant financial and reputational repercussions.
We have a core team of data privacy lawyers and certified data privacy practitioners operating at the intersection of technology and law.
We are dedicated to advising clients across multiple industries on some of the most significant privacy-related regulatory challenges and reforms affecting their operations in South Africa and abroad – especially the European Union General Data Protection Regulation (GDPR) and the South African Protection of Personal Information Act (POPIA).
O’Reilly Law understands that data is one of your key assets, driving insight and enabling the development of new products and services.
Leverage our knowledge of South African and European privacy laws to design a comprehensive risk-based compliance program for your business. We work with you to strengthen compliance and implement risk management procedures that create a robust control environment to build and maintain trust in the market.
Many of our clients’ operations span multiple countries, and they rightly expect the convenience of one contact point for all their legal needs, including privacy compliance.
Your Compliance Roadmap
O’Reilly Law is uniquely positioned to spearhead your organization’s privacy compliance program. By analyzing your information systems and questionnaire responses, and by interviewing and engaging in strategy discussions with key individuals, O’Reilly Law will effectively operationalize a risk-based compliance strategy for your organization.
POPIA Compliance Program
Our comprehensive POPIA compliance program is a cost-effective way to operationalize the POPIA within your organization. We consider and leverage any POPIA work already performed or in progress to reduce costs and increase efficiencies. The program includes:
Data mapping is an exercise to record your organization’s processing activities with sufficient detail and clarity. This is a process that is required by both the POPIA and the Promotion of Access to Information Act (PAIA). Your “data map” will become an essential piece of information for POPIA and PAIA compliance purposes.
We will conduct an analysis of your organization’s current data collection points and recommend ways to implement consent management (where necessary). O’Reilly Law will review your organization’s privacy policy and consent forms and propose improvements to existing documents or draft new ones as required.
The POPIA creates various rights that data subjects can exercise, including the right to be notified, the rights to correction and erasure, and the right to object. We will analyze your personal data processing practices and identify compliance gaps, such as instances where data subject rights cannot be supported. Once these gaps have been identified, we will help you mitigate all compliance risks and develop risk-based solutions to close critical gaps.
The POPIA includes specific contractual, security, and confidentiality obligations you must pass down to any service provider (i.e., operator) your organization engages to process personal data on your behalf. With O’Reilly’s vendor management methodology and experience in negotiating POPIA-compliant data processing agreements, we will ensure your vendor engagements are compliant. Additionally, we will assist you in assessing vendor compliance with the security safeguards required by the POPIA.
Your organization must conduct a privacy impact assessment (PIA) before starting any new personal data processing initiative. A PIA ensures that adequate measures and standards have been implemented to comply with the conditions for lawful processing, as provided for in the POPIA. O’Reilly Law can provide complete assistance or partial advice on your PIA, in addition to a PIA template and documented PIA procedures for your Information Officer to conduct your own PIAs.
Our library of extensive privacy and data protection-related standard operating procedure (SOP) templates can be customized to fit your organization’s circumstances. O’Reilly Law is also experienced in reviewing and refining existing procedures and policies your organization has implemented to ensure compliance with the POPIA. To ensure compliance with the POPIA’s eight conditions of lawful processing, implementation of the following SOPs and policies is recommended:
· Privacy Impact Assessment
· Information Security Policy
· Personal Data Breach SOP
· Records of Processing SOP
· Vendor Management SOP
· Data Subject Rights Request SOP
· Record Retention SOP
· Privacy Governance Policy
To comply with the POPIA’s accountability requirement, O’Reilly Law will assist with the appointment and registration of your organization’s Information Officer and create and implement the necessary documentation to demonstrate your compliance with the POPIA.
O’Reilly Law can provide tailored privacy and security training for your organization, assisting you in creating a culture of privacy awareness.
All cross-border transfers of personal data must comply with Chapter 9 of the POPIA. O’Reilly Law will analyze your transborder flows of personal data to ensure that a valid data transfer mechanism is in place to ensure personal data is transferred lawfully and securely.
According to Section 51 of the PAIA, all organizations must maintain a PAIA Manual explaining how certain interested parties can obtain access to records held by your organization. Our data mapping exercise lets us easily assist you with creating or updating your PAIA Manual.
GDPR Compliance Program
EU privacy law experts lead our GDPR compliance program to provide a comprehensive yet cost-effective solution for your organization to comply with the GDPR. If your organization must comply with the GDPR and the POPIA, we will operationalize a program that addresses compliance with both laws. The program includes the following:
Data mapping is an exercise to record your organization’s processing activities with sufficient detail and clarity. This is a process that is required by Article 30 of the GDPR. Your “data map” or “records of processing activities” will become an essential resource to achieve and maintain compliance.
We will conduct an analysis of your organization’s current data collection points and identify which legal bases your organization can rely on to process personal data lawfully. If consent is the most appropriate legal basis, we will recommend ways to implement consent management. O’Reilly Law will review your organization’s privacy policy and consent forms and propose improvements to existing documents or draft new ones as necessary.
The GDPR provides data subjects with extensive privacy rights, including the right to be notified, the rights to correction and erasure, and the right to object. We will analyze your personal data processing practices and identify compliance gaps, such as instances where data subject rights cannot be supported. Once these gaps have been identified, we will help you mitigate all compliance risks and develop risk-based solutions to close critical gaps.
Article 28 of the GDPR includes specific contractual, security, and confidentiality obligations that you must pass down to any service provider (i.e., processor) your organization engages to process personal data on your behalf. With O’Reilly’s vendor management methodology and experience in negotiating GDPR-compliant data processing agreements, we will ensure your vendor engagements are compliant. Additionally, we will assist you in assessing vendor compliance with the security safeguards required by the GDPR.
Your organization must conduct a data protection impact assessment (DPIA) before starting any new personal data processing initiative. A DPIA ensures that adequate measures and standards have been implemented to comply with the conditions for lawful processing, as provided for in the GDPR. O’Reilly Law can either provide complete assistance or partial advice on your DPIA, in addition to a DPIA template and documented DPIA procedures for you to use in conducting your own DPIA.
Our library of extensive privacy and data protection-related standard operating procedure (SOP) templates can be customized to fit your organization’s circumstances. O’Reilly Law is also experienced in reviewing and refining any existing procedures and policies your organization has implemented to ensure compliance with the GDPR. To ensure compliance with the requirements laid down in the GDPR, implementation of the following SOPs and policies is recommended:
· Data Protection Impact Assessment
· Information Security Policy
· Personal Data Breach SOP
· Records of Processing SOP
· Vendor Management SOP
· Data Subject Rights Request SOP
· Record Retention SOP
· Privacy Governance Policy
O’Reilly Law can provide tailored privacy and security training for your organization, assisting you in creating a culture of privacy awareness.
All cross-border transfers of personal data must comply with Chapter 5 of the GDPR. O’Reilly Law will analyze your transborder flows of personal data to ensure that a valid data transfer mechanism, such as the European Union Standard Contractual Clauses, is in place to ensure personal data is transferred lawfully and securely.
Need help with your POPIA and/or GDPR compliance?
Get in touch:
Email us at: Info@oreillylaw.co.za
Call us on 021 9488 273