Privacy Audits (POPI, PAIA & GDPR)

BDO’s privacy audits focus on compliance with both the regulations of the Protection of Personal Information (POPI) Act and the Promotion of Access to Information (PAIA) Act – acts that have been promulgated to protect South African citizens’ personal information. In cases where an organisation also processes European Union (EU) citizens’ personal data, the audit should include compliance verification with the General Data Protection Regulation (GDPR) as well.

BDO makes use of GAPP (Generally Accepted Privacy Principles) to perform gap assessments and privacy audits. The following are the key areas covered by BDO:

  • Management. Management defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  • Notice. Management provides notice about its privacy policies and procedures and identifies the purposes for which personal or company information is collected, used, retained, and disclosed.
  • Choice and consent. Management describes the choices available to the individuals and customers/clients (companies or organisations) and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
  • Collection. Management collects personal information only for the purposes identified in the notice.
  • Use, retention, and disposal. Management limits the use of personal information to the purposes identified in the notice and for which the individuals and customers/clients (companies or organisations) have provided implicit or explicit consent. Management retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
  • Access. Management provides individuals and customers/clients (companies or organisations) with access to their personal information for review and update.
  • Disclosure to third parties. Management discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individuals and customers/clients (companies or organisations).
  • Security for privacy. Management protects personal information against unauthorised access, both physical and logical.
  • Quality. Management maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
  • Monitoring and enforcement. Management monitors compliance with its privacy policies and procedures and has procedures in place to address privacy-related complaints and disputes.

Given that many organisations today provide critical services to other organisations, which in turn demand that their data is protected against privacy breaches, BDO can assist service organisations in obtaining an independent assurance report (an ISAE 3000 report) that expresses an opinion on the privacy controls at the service organisation. The service organisation can then provide BDO’s report to its clients, who may rely on and gain comfort from the opinion expressed in the independent privacy report.

BDO can also be contracted in an advisory role to advise on or to develop privacy control frameworks.