Writing and Blog
A collection of my writing, musings, and opinion pieces. Please check back for updates!
Ross is available for technical and other writing.
Should you be interested, please get in touch!
Ross G Saunders Consulting is expanding! We are looking for a talented graduate with a year or two’s experience to join the team full time, complementing and supporting outsourced consultants, clients, and partners.
There has been a lot of talk around Information Officers when it comes to POPIA (Protection of Personal Information Act) and PAIA (Promotion of Access to Information Act), with a guidance note recently released by the South African Information Regulator. The note details much of the who and what you need to know about this vitally important role under the law.
We hear it all the time, "you have to have POPIA policies!", but what exactly does this mean? A number of companies that I've spoken to take policies as being the be-all-and-end-all of POPIA (though I suppose that's a step up from it being all about consent). Yes, you...
I work with a number of software and design agencies that host Software-as-a-Service solutions or other forms of web-based applications. Part of what I do is assess how secure the application is, and how privacy may be affected. In performing these assessments, we dive into how the application is put together, but also how it is secured from an infrastructure point of view. What I have found is that while companies are generally really good at taking security into consideration, the approaches to security are often out of date or based on bad advice.
What is the fastest way to shut down a privacy programme? It’s not a breach; breaches can make programmes stronger. It’s not budget; there’s a lot you can do with very little budget. Company culture, however, can reduce a privacy programme to nothing before it even gets out of the starting gates.
Something that bugs me immensely in the quest for privacy and information security is the vast chasm of disconnect between big corporate / enterprise and niche software companies when it comes to data protection. It’s something I tend to notice more and more, as I mostly deal with software companies, start-ups, and managed service providers.
In addition to advisory, I also run training courses around the Protection of Personal Information Act (POPIA). I will be running three public courses in the first week of March, the details of which are broken down below: Staff Awareness Training 2 March,...
In my experience, when most people think about POPIA, the first thing that pops to mind is that they have to consent to their data being processed. Sure, in some cases such as marketing, there needs to be consent. There are, however, other mechanisms that allow a company to legally process data without consent. Section 11(1)a of POPIA lists a number of legitimate justifications for processing data, only one of which is consent.
I’ve posted before about POPIA being more than software or a set of policies, but it occurs to me that I need to get a little more detailed as to what exactly you need to consider when bringing in a consulting firm / software house / cybersecurity provider to handle your compliance. I’m sure this won’t be the last time I’m posting something of this nature, as I am seeing more and more companies offering complete POPIA solutions that seem to be nothing more than extensive marketing budgets and equally extensive assumptions as to the law and its practical implications.
At the core of the Protection of Personal Information Act (POPIA) are 8 conditions (also referred to as principles by a number of practitioners) for the lawful processing of personal information. These conditions form the cornerstone of your privacy programme, and any claim of being POPIA ready means that you need to have met all of them.