
Privacy Governance

It’s all about relationships

Our privacy governance offering provides a complete solution to your information and data privacy needs.

Through strategic and tactical relationships, we gain a comprehensive understanding of your compliance needs and objectives. This enables us to determine potential risks, identify control measures and make practical and appropriate recommendations that are tailored for your business.

In this way, we support your internal data privacy compliance team. It also ensures that privacy and data protection are integrated into your products and business processes that collect, use, disclose or retain employees’ and customers’ personal data.

Services

Compliance: We assist in ensuring that all business activities comply with the applicable privacy and data protection laws, including the Protection of Personal Information Act 4 of 2013 (POPIA), the European Union General Data Protection Regulation 2016/679 (GDPR), the Data Protection Act 32 of 2018 as amended (DPA), and the relevant subordinate legislation.

Training: We facilitate bespoke training and intervention initiatives to increase awareness among clients and internal legal and compliance teams, helping them to understand the impact and value of data and information.

Process Analysis: We analyse new and existing business initiatives to identify relevant privacy and data usage challenges. This provides us with an in-depth understanding of your business processes and allows us to guide you on how to comply with the applicable privacy and data protection laws and establish more efficient business processes.

Development: We develop and implement processes and controls to address regulatory requirements, including:

  • access to personal information,
  • managing privacy and data protection policies and notices,
  • preparing and filing local regulatory registrations, and
  • managing consumer and government requests for data.
Assistance: We support privacy protection due diligence exercises and integration initiatives for merger/acquisition and restructuring projects.

Discovery: We engage with business teams in marketing, finance, rewards and loyalty solutions, sales, technical, warehousing, cyber and intelligence processing, and digital platforms solutions, utilising a privacy-by-design methodology.

Legal Review: We support internal legal and compliance teams with reviewing the language in third-party and consumer agreements.

Packaged options

We offer four unique packages that can either be taken as standalone options or combined into a comprehensive Privacy Governance framework.

Each package is designed to be implemented over three to six months and will be rolled out based on your operational requirements while taking your current privacy governance structure into account. All options include a convenient folder containing the relevant legislation that has been published to date. The folder includes the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA), the Regulations to these Acts, Guidance Notes, Codes of Conduct and Government Gazettes.

Option A – The Fundamentals

  • Assisting with the appointment of an Information Officer (IO) and a Deputy Information Officer (DIO) with the Information Regulator.
  • Incorporating the duties and responsibilities of the IO and the DIO into their letter of appointment.
  • Settling the Privacy Notice against the business – includes high-level privacy mapping of the client and the employee life cycle.
  • Settling the PAIA Manual against the business and incorporating privacy mapping from the Privacy Notice.
  • Incorporating the learnings from settling the Privacy Notice and the PAIA Manual into the Cookie Notice.
  • Personalisation of the Privacy Policy.
  • Settling the clause in contracts of employment regarding adherence to company policies and procedures, empowering you to introduce these from time to time, against the language of the current letter of employment (for new appointments).
  • Introducing orientation videos regarding each notice and policy to serve as proof of training.
  • Empowering sessions with the IO and the DIO regarding what was done and what should be considered as next steps.

Option B – Being empowered through your Personal Information

  • Identifying every processing activity in the organisation where personal information is collected during the different client life cycles in rendering the respective service offerings.
  • Identifying every processing activity of personal information within an employee’s life cycle, where personal information is collected within the organisation.
  • Identifying the legal justifications for processing personal information.
  • Ensuring that the processing of special personal information adheres to the conditions listed in POPIA.
  • Settling the Privacy Notice against the learnings from the business (processing activities and their justifications).
  • Settling the PAIA Manual against the business and incorporating the privacy mapping from populating the Privacy Notice.
  • Incorporating the learnings from settling the Privacy Notice and the PAIA Manual into the Cookie Notice.
  • Introducing orientation videos regarding each notice and policy to serve as proof of training.
  • Access to and/or discounts on webinars on similar topics presented by Moonstone Compliance.
  • Empowering session with the IO and the DIO regarding what was done and what should be considered as the next steps.

Option C – Prioritising your risk during your Privacy Governance Programme

  • Identifying any non-conformity in the processing of clients’ personal information during the client life cycle, against the eight conditions for lawful processing outlined by POPIA.
  • Identifying any non-conformity in the processing of employees’ personal information during the employee life cycle, against the eight conditions for lawful processing outlined by POPIA.
  • Performing an inherent risk rating on each processing activity, by looking at factors such as the volume of personal information processed; whether the personal information is valuable; whether the business will be disrupted if the personal information is lost; how easily the personal information can be recovered, etc.
  • Identifying which remedial steps (control measures) will be implemented to address non-conformity, to ensure that the processing activity is brought in line with POPIA.
  • Settling the Privacy Notice against the learnings from the business (processing activities and their justifications).
  • Orientation session with the group of Risk Owners identified in the Regulatory Risk Register to empower them to continue with the process.
  • Optional bi-monthly meetings with the individual Risk Owners on a retainer basis as ongoing support.
  • Access to and/or discounts on webinars on similar topics presented by Moonstone Compliance.
  • Empowering session with the IO and the DIO regarding what was done and what should be considered as the next steps.

Option D – Incident response management

  • Settling the Incident Response Plan against the business – includes high-level privacy mapping of the client and the employee life cycle.
  • Including the empowering clauses in your Data Sharing Agreements.
  • Settling the Data Retention Template against your PAIA Manual and operational requirements, together with the justification grounds of POPIA.
  • Settling the section 22 of POPIA notification pack against your business language.
  • Orientation videos for staff on the implementation of the Incident Response Policy, Data Retention Policy, and section 22 of POPIA notification pack.
  • Orientation session with the Incident Response Team to empower them to take control of the process.
  • Access to and/or discounts on webinars on similar topics presented by Moonstone Compliance.
  • Empowering session with the IO and the DIO regarding what was done and what should be considered as the next steps.

 

Copyright © 2025 Moonstone. All rights reserved
