You can outsource some actions to us so that we comply for you. We have various data protection solutions (which we tailor for your specific requirements) to help you comply with global data protection laws, especially the GDPR and the POPI Act. Below are the actions we can take for you to help you protect personal information and therefore protect people from harm. If you are interested, please enquire and we can either quote you:
- a fixed price for one or more of them,
- work on a time and materials basis, or
- agree a retainer.
External service providers simply can’t make you compliant. You cannot outsource many of the actions. I know you’re busy and that you’re stretched but external service providers simply can’t do it all for you. We can’t implement all the necessary actions for you to comply – in fact, we only perform about 35% of them. You have to do many yourself and many are provided by other external service providers. Remember that the responsibility to comply with the law remains with you. This is why we often say that data protection is like personal fitness. We simply perform some of the actions to help you achieve compliance. It is important to work out who is going to do the actual work.
- Analyse the degree to which your organisation complies with the data protection laws (or a particular one) that apply to it and identify the gaps by asking Michalsons to conduct a gap analysis.
- Assess the impact of data protection laws on your organisation by asking Michalsons to conduct an in-depth Privacy Impact Assessment (PIA), Data Protection Impact Assessment (DPIA) or Personal Information Impact Assessment (PIIA).
- Delve into particular issues relevant to your particular organisation to extract the areas you need to pay attention to by getting Michalsons to facilitate a private workshop at your offices.
- Save time by asking Michalsons to run a practical and effective data protection compliance project for you.
Governance and Responsibility
- Ensure your board is aware of its responsibilities and get executive buy-in (and budget approval) by asking Michalsons to give a board presentation or executive briefing.
- Ensure good governance of data protection by asking Michalsons to create the right governance model.
- Record your privacy compliance strategy by workshopping it with Michalsons and recording it in a Data Protection Policy.
- Appoint your Data Protection Officer (or Information Officer) properly by getting a job specification or letter of appointment from Michalsons.
- Know what laws apply to you by getting a list of data protection laws from Michalsons.
- Be able to apply data protection law to your organisation by getting the Michalsons Privacy Legal Framework, which is all the aspects of our IT Legal Framework that are relevant to privacy and the protection of personal information.
- Know what you need to comply with by asking Michalsons to determine the overlap between data protection and other laws that apply to your organisation and the overlap between different data protection laws. This will help you to find the overlap between your various compliance projects (like GDPR, POPI, TCF or PCI) and work out if you can kill many birds with one stone.
- Limit the use and disclosure of your confidential information by getting Non-Disclosure Agreement (NDA) or Confidentiality Agreement templates from Michalsons.
Incident Response (Data Breaches)
- Respond to data breaches lawfully and effectively by getting advice from Michalsons, or by asking Michalsons to be your breach coach or to formulate, draft or revise your Incident Response Policy and procedures.
Codes of Conduct
- Shape your industry by asking Michalsons to make representations to your industry body or draft or comment on a Code of Conduct.
Map Activities and Identify Action Items
- Map the processing of personal information in your activities by asking Michalsons to do it for you.
- Know who is responsible in law by asking Michalsons to do a responsible party assessment for any activity where it is unclear whether you are the responsible party or the operator.
- Identify actions and assign responsibility by getting a tailored list of actions from Michalsons.
- Check whether your sharing of personal information with others (excluding operators) is lawful to find the gaps where you are not processing lawfully and identify implementation action items.
Opinions or Interpretations
- Reach clarity on an issue or interpretation of the law by getting Michalsons’ expert practical legal advice or opinion on various issues, especially around cross-border data flow issues, cloud computing, legitimate interests, and the application of laws.
- Govern your risk by asking Michalsons to do a data protection legal risk assessment on your organisation or a particular activity or offering.
- Get the right insurance by comparing the options.
- Identify your regulatory hot buttons and where to focus by asking Michalsons to analyse the various decisions of courts and information commissioners across the world, focusing on where companies have been penalised, with a view to identifying risk trends that indicate where companies should be focusing their efforts.
Data Subject participation (servicing)
- Deal with requests from data subjects to access or verify their information effectively by asking Michalsons to draft a data subject request process document to help you.
Access to Information and Disclosures
- Enable people to access information in accordance with your legal obligations by asking Michalsons to draft or review your Access to Information Manual (or PAIA Manual).
HR and Employees
- Train the people who process personal information (on what privacy is, how to implement it, how to react to certain events, etc.) by doing in-person or online awareness training (for example, POPIA awareness training).
- Know how to deal with specific circumstances (like confirmations, recruitment) by getting an Employment Practices Code from Michalsons.
- Educate your customers about data protection and how it impacts your offerings by drafting a branded guide.
- Help victims of identity theft by referring them to ways to rehabilitate their identity and protect themselves.
- Review all your customer-facing documents (like application forms, agreements, and disclosures) for compliance. Doing this early makes sense because you want to build trust with your customers and be seen to comply.
- Deal with enquiries and complaints effectively by asking Michalsons to draft (or review) standard responses to customers and prospects that comply with the law.
- Notify your data subjects about your processing by asking Michalsons to draft a data protection or privacy notice to notify data subjects of the processing of their personal information.
- Develop a strategy around building trust with customers, including the use of privacy seals and certification.
- Prepare appropriate contract clauses and templates – the law requires that certain terms be included in certain agreements.
- Put controls in place by asking Michalsons to draft or review your Information Security policies.
- Formulate, draft or revise your protection of personal information policies, procedures, and practices (the policy provides high-level statements of your positions on particular issues, whereas procedures bring those positions down to earth by laying out specific actions and responsibilities).
Processors or operators (third party processing)
- Manage your relationships with the people for whom you process personal information (otherwise known as controllers or responsible parties) and the people who process your personal information (otherwise known as processors or operators).
- Prepare appropriate contract clauses – certain terms must be included in certain agreements.
Collection of personal information
- Ensure that the consents you obtain are lawful by getting Michalsons to draft them for you or review them or getting a guide.
Records Management, including record retention
- Manage your records lawfully by getting our advice.
Marketing (including direct marketing and electronic communications)
- Comply with laws related to email marketing by getting an email marketing checklist.
- Ensure you don’t infringe someone’s privacy whilst you monitor their communications, location or movements by asking Michalsons to formulate, draft or revise your Monitoring Policy.
Cross-border transfers and Cloud Computing
- Lawfully transfer personal information across borders – for example from the EU to other countries or from one country to another – by getting our advice or opinion.
- Comply with the law whilst using cloud computing by getting advice from Michalsons.
Product Development and Applications
- Determine whether your customer (or user) is lawfully processing personal information when they use your product by asking Michalsons to assess your product.
- Build privacy by design into your applications, products or services by getting input from Michalsons whilst you are preparing application specifications (i.e. from day one of the development of a new application, to ensure that privacy needs are addressed properly).
- Ensure your application complies with the law by getting Michalsons to audit it.
Mergers & Acquisitions
- Ensure you lawfully process personal information when merging with or acquiring another entity by getting Michalsons’ assistance on obtaining permissions, combining different privacy practices and privacy cultures, transferring customer files, or the transfer of employee records.