We provide a full range of data protection outcomes. You can outsource various actions to us so that we take them for you. We have various data protection solutions (which we tailor for your specific requirements) to help you comply with global data protection laws, especially the GDPR and the POPI Act. Below are the actions we can take for you to help you protect personal information and therefore protect people from harm.

Billing options

If you are interested in our data protection outcomes, please enquire and we can either:

  1. quote you a fixed price for one or more of them, or
  2. agree a retainer.

You can also read more about what the whole process is going to cost and top tips for data protection programmes.

Who is going to do the work?

You can do the work yourself with our guidance, or we can do most of it for you. Whichever option you choose, you will need to do some of the work yourself. External service providers alone can’t make you compliant, because there are some actions that you cannot outsource. But we can implement most of the necessary actions for you to comply, either through the solutions we describe here, or by outsourcing your information officer. The rest you have to do yourself, or through other external service providers. This is why we often say that data protection is like personal fitness. We simply perform some of the actions to help you achieve compliance. It is important to work out who is going to do the actual work. If you’d rather comply with our guidance (by joining a data protection programme), you can read more about these alternative options.

Data protection solutions process

We follow the Michalsons Four-Step Compliance Process. Our process is insightful, entrepreneurial, and will reduce your overall costs. We have a “faster to market” practical approach. We have developed an approach to compliance projects that is both rigorous and pragmatic. It is simpler and quicker than most others. We help you to achieve the most, at the least cost. The benefits of using Michalsons include:

  • Take practical effective action to protect personal information at the lowest cost and get business value out of those efforts.
  • Get expert practical legal advice, support, guidance, tools and templates.
  • Fast track your efforts.

Below is a description of the data protection outcomes you want to achieve for each step in the process and how you achieve those outcomes. This is not a complete list of outcomes but merely those outcomes from our data protection programme that we can do for you.

Introduction

The introduction sets the scene before you start with the steps in the process that you’ll need to follow to ensure that you comply with the relevant data protection laws.

  1. Have an effective compliance programme or framework by asking us to design one for your specific organisation.
  2. Implement an effective compliance programme by asking us to work through one of our programmes and apply it to your specific organisation.
  3. Implement a compliance programme by asking us to do parts of it for you.
  4. Check how effective your compliance programme or framework is by asking us to audit yours.
  1. Know what laws apply to you by getting a list of data protection laws from Michalsons that is specific to your organisation or by asking Michalsons to help you determine which laws you must comply with.
  2. Know what you need to comply with by determining the overlap between the different data protection laws and the overlap between data protection laws and other laws (like credit, consumer, freedom of information, and record retention laws). This will help you to find the overlap between your various compliance projects (like TCF or PCI) and work out if you can kill many birds with one stone.
  1. Know the impact of data protection laws on your organisation by asking Michalsons to do an impact assessment. This involves someone from your organisation answering a questionnaire, us doing research, and then a 30-minute workshop. We then draft a summary setting out our findings.
    1. Govern your risk by asking Michalsons to do a data protection legal risk assessment on your organisation or a particular activity or offering.
    2. Identify your regulatory hot buttons and identify where to focus by asking Michalsons to analyse the various decisions of courts and information commissioners across the world, focusing on where companies have been penalised, with a view to identifying risk trends. These trends are then used to give an indication of where companies should be focusing their efforts.
  2. Know how ready your organisation is to start by asking Michalsons to do a readiness assessment. This involves someone from your organisation answering a questionnaire, us doing research, and then a 30-minute workshop. We then draft a summary setting out our findings.
  3. Have a recorded compliance strategy for the organisation by asking us to help the governing body of your organisation determine its data protection compliance strategy, workshop it with you, and record the strategy in a data protection policy. This involves someone from your organisation answering a questionnaire, Michalsons doing research, and then a 30-minute workshop. If necessary, we then record the strategy in a data protection policy.
  4. Have a programme strategy for your organisation. This involves someone from your organisation answering a questionnaire, Michalsons doing research, and then a 30-minute workshop. If necessary, we then record the strategy in a programme charter (to chart a course for the programme for the organisation).

We can do all four of these aspects as part of one data protection strategy assessment.

Step One: Learn

The first step is for the relevant people in your organisation to learn more about data protection.

  1. Delve into particular issues relevant to your particular organisation to extract the areas you need to pay attention to by getting Michalsons to facilitate a private workshop or training for people in your specific organisation. Private in-house workshops are tailored to your needs, are held online, and on a day that suits you, for an unlimited number of delegates. We also specifically offer POPI Act training.
  2. Know what data protection compliance is and how to do it practically and effectively, what the law might require your organisation to do, and what the timeline is by joining a data protection programme.

Ensure your governing body is aware of their responsibilities and executive buy-in (and budget approval) by asking Michalsons to give a board presentation or executive briefing. Executive briefings are accurate, high-level views on a topic. These briefings can be held online.

Step Two: Plan

Planning is vitally important. You need to know who is going to do what and when, and what you are not going to do. We will help you plan. Planning involves doing various things, like discovering (researching, asking questions), workshopping and documenting. Planning often involves private planning workshops for a group of people from all functions of your organisation (or for a specific function). Planning workshops are mainly to map activities and plan implementation actions.

  1. Ensure your governing body is aware of their responsibilities and executive buy-in (and budget approval) by asking Michalsons to give a board presentation or executive briefing. Executive briefings are accurate, high-level views on a topic. These briefings can be held online.
  2. Ensure good governance of data protection by asking Michalsons to create the right governance model.
  3. Identify the role players, like project sponsor and manager, and current information officer.
  4. Appoint your Data Protection Officer (or Information Officer) properly by getting a job specification or letter of appointment from Michalsons.

Identify the best data privacy management software or platform for your organisation by asking us to consult with you, give you demos, workshop the options and make a recommendation.

  1. Reach clarity on an issue or interpretation of the law by getting Michalsons’ expert practical legal advice or opinion on various issues, especially around cross-border data flow issues, cloud computing, legitimate interests, and the application of laws.
  2. Ensure there is a common interpretation of data protection law in your organisation by running private workshops where we delve into particular issues relevant to your particular organisation to extract the areas you need to pay attention to.
  1. Map your activities and create your record of processing activities by asking us to map your activities and create your record of processing activities for you. We have various visual aids, tools, templates and software that help us do this. Sometimes people refer to this as creating a data inventory.
  2. Find the right software to help you do this by asking us to give you a demo.
  3. Know who is responsible in law by asking Michalsons to do a responsible party assessment for any activity where it is unclear whether you are the responsible party or the operator.
  1. Analyse the degree to which your organisation complies with the data protection laws (or a particular one) that apply to it and identify the gaps by asking Michalsons to conduct a gap analysis. Ask Michalsons to conduct a gap analysis for you by asking us for a quote. This is sometimes referred to as the consultant-led approach and is best for comprehensive gap analysis and for larger organisations. Michalsons will work closely with the legal team or information officer in your organisation to effectively do the gap analysis. You need to appoint a champion (or project manager) in your organisation to help drive it from within. To accurately quote we will need an accurate scope and SOW.
  2. Ask Michalsons to scope the gap analysis for your organisation by asking us to carry out a requirements assessment (scoping exercise) with you and produce a statement of work (SOW).
  3. Identify actions and assign responsibility by getting a tailored list of actions from Michalsons.
  4. Check whether your sharing of personal information with others (excluding operators) is lawful to find the gaps where you are not processing lawfully and identify implementation actions.
  1. Identify and assign your implementation actions, including identifying some quick wins. Given limited resources and time, you need to follow a risk-based approach first to decide what you need to do and in what order. For each action item, you must determine how important it is, who is responsible for it, the resource that will actually do it, what it will cost, and what the deadline is. We have great tools to help you do this fast. Where possible, we will help you find the right external resource to help you implement. Our implementation actions template is a key tool for doing this.
  2. Identify your roadmap and project plans. Our Project Status Report template is a key tool for doing this.
  3. Identify and do some quick wins by asking for our guidance.
  4. Identify some actions to take first, and take them, by asking for our guidance.

Step Three: Protect

This is the most important step – it is the step where you take action to protect personal data.

  1. Determine whether your customer (or user) is lawfully processing personal information when they use your product by asking Michalsons to assess your product.
  2. Include privacy by design in your applications, products or services by getting input from Michalsons whilst you are preparing application specifications (i.e. from day one of the development of a new application, to ensure that privacy needs are addressed properly in line with the Privacy by Design concept).
  3. Ensure your application complies with the law by getting Michalsons to audit it.
  1. Put controls in place by asking Michalsons to draft or review your Information Security policies.
  2. Formulate, draft or revise your protection of personal information policies, procedures, and practices (the policy provides high-level statements of your positions on particular issues, whereas procedures bring those positions down to earth by laying out specific actions and responsibilities).

Respond to data breaches lawfully and effectively by getting advice from Michalsons, or by asking Michalsons to be your breach coach or to formulate, draft or revise your Incident Response Policy and procedures.

  • Manage your relationships with the people for whom you process personal information (otherwise known as controllers or responsible parties) and the people who process your personal information (otherwise known as processors or operators) by asking Michalsons to help you.
  • Update your existing policies, agreements, terms or contracts (like your data processing agreements or operator agreements) to ensure they comply (or are aligned) with applicable data protection laws by asking Michalsons to review them.
  • Update your agreements between responsible parties and operators in a South African context by asking Michalsons to fix them. Prepare appropriate contract clauses – certain terms must be included in certain agreements.
  1. Train the people who process personal information (on what privacy is, how to implement it, how to react to certain events, etc.) by doing in-person or online awareness training (for example, POPIA awareness training).
  2. Protect the privacy of employees by asking Michalsons to draft an internal privacy policy (aka Human Resources Data Protection Policy) for employees.
  3. Know how to deal with specific circumstances (like confirmations, recruitment) by getting an Employment Practices Code from Michalsons.
  • Achieve cross-border data transfers from one country to another in compliance with the law by asking for our assistance.
  • Lawfully transfer personal information from South Africa to other countries by getting our assistance.
  • Comply with the laws relating to using the cloud by asking Michalsons to help you with cloud compliance.

Clearly articulate how you respect people’s privacy by asking Michalsons to draft a Privacy Policy for you or reviewing your existing Privacy Policy.

  • Manage your records lawfully by getting our advice.
  • If you already have a PAIA manual, make sure it is up-to-date by asking Michalsons to review it to check that it complies with the latest law.
  • Update your PAIA Manual to comply with POPIA by asking us to make the necessary changes.
  • Comply with your legal obligation to have a PAIA Manual by asking Michalsons to draft a PAIA Manual for you.

Get the right insurance by asking us to help you compare the options and apply with insurance companies.

Enable people to access information in accordance with your legal obligations by asking Michalsons to draft or review your Access to Information Manual (or PAIA Manual).

  • Educate your customers about data protection and how it impacts your offerings by drafting a branded guide.
  • Help victims of identity theft by referring them to ways to rehabilitate their identity and protect themselves.
  • Review all your customer-facing documents (like application forms, agreements, and disclosures) for compliance. Doing this early makes sense because you want to build trust with your customers and be seen to comply.
  • Clearly articulate how you respect people’s privacy by asking Michalsons to draft a Privacy Policy for you or reviewing your existing Privacy Policy.
  • Deal with enquiries and complaints effectively by asking Michalsons to draft (or review) standard responses to customers and prospects that comply with the law.
  • Notify your data subjects about your processing by asking Michalsons to draft a data protection or privacy notice to notify data subjects of the processing of their personal information.
  • Develop a strategy around building trust with customers, including the use of privacy seals and certification.
  • Prepare appropriate contract clauses and templates – the law requires that certain terms be included in certain agreements.

Ensure that the consents you obtain are lawful by getting Michalsons to draft or review them for you, or by getting a guide.

Deal with requests from data subjects to access or verify their information effectively by asking Michalsons to draft a data subject request process document to help you.

Shape your industry by asking Michalsons to make representations to your industry body or draft or comment on a Code of Conduct.

Assess the impact of your activities on the privacy of data subjects by asking Michalsons to conduct an in-depth Privacy Impact Assessment (PIA), Data Protection Impact Assessment (DPIA) or Personal Information Impact Assessment (PIIA).

Comply with laws related to email marketing by getting an email marketing checklist.

Have good data protection policies and procedures in place (and get them right) by asking Michalsons to review or draft them for you.

Step Four: Sustain

Sustain your compliance status by checking that the relevant resource has correctly implemented the actions.

  • Check actions have been done correctly by asking Michalsons to review (or audit) that the relevant resource has correctly implemented the implementation actions that you identified in the plan step.
  1. Ensure you don’t infringe someone’s privacy whilst you monitor their communications, location or movements by asking Michalsons to formulate, draft or revise your Monitoring Policy.
  2. Set up structures and processes to ensure ongoing sustainable compliance.

Other

Other outcomes we can help you achieve.

Ensure you lawfully process personal information when merging or acquiring another entity by getting Michalsons’ assistance on obtaining permissions, combining different privacy practices and privacy cultures, transferring customer files, or the transfer of employee records.

Why we will deliver

  • We have a team of practical privacy and data protection lawyers. Many of our attorneys are IAPP certified. They also have access to and use our data protection programme.
  • We are members of the Lexing Network – a global network of IT and data protection lawyers.
  • We are members of the Legal Practice Council, which regulates and ensures that we provide quality legal services. It takes about seven years and significant qualifications to be admitted as a legal practitioner. The Legal Practice Council has lots of rules and codes that we follow.
  • We have deep knowledge and expertise in helping organisations comply with data protection laws. We are independent professional legal advisors with expertise on how to implement the changes required to comply with data protection laws. Our advice is privileged and the regulator cannot seize it.
  • We have worked through our process with many clients by increasing their awareness of data protection laws across the organisation from the executives to the data capturers, planning their projects, and implementing their plans towards compliance.
  • We are currently working with many organisations, from dual-listed multinationals to start-ups in various industries, including financial services, marketing, FMCG, oil, healthcare, retail, and mining.
  • We have successfully done many large projects on data protection, governance, risk and compliance (GRC), information security, and records management. We have also done many IT Legal Compliance Audits on many organisations.
  • We wrote a chapter for a Global Privacy and Security Book.
  • We have participated in many legislative processes to enact information laws.

Our experience with data protection compliance

  • We are currently helping many organisations with data protection compliance by following our four-step process.
  • We have advised a large variety of businesses, both domestic and international.
  • We have presented to thousands of people on hundreds of different occasions on the topic.