Maintaining P.I with Caroline Mouton

Executive Summary

This webinar covers key considerations for managing personal information compliance, with a focus on the roles of the Responsible Party and Operator. Caroline Mouton emphasises the “Account Number Red Flag” as a critical risk indicator and presents three pillars for safeguarding personal data: 1) Purposeful documentation through Records of Processing Activities (RoPA) and Configuration Management Databases (CMDBs); 2) Ensuring data quality to mitigate risks; and 3) Encouraging active participation from data subjects for transparency. A compliance checklist is also provided to help organisations evaluate their adherence to these principles.

Webinar Details

Title: Maintaining P.I with Caroline Mouton
Date: 2023-06-14
Presenter: Caroline Mouton
Meetup Group: Data Protection for Data Management Professionals
Write-up Author: Howard Diesel

Introduction

In the latest instalment of the “Life of Pi” webinar series, Caroline Mouton of Clearwood Consulting, under the guidance of Howard Diesel from DAMA Southern Africa, delves into the crucial “Maintain” phase of the data lifecycle. This session uniquely employs the metaphor of personal information as a tiger, akin to Richard Parker from the novel ‘Life of Pi,’ emphasising that personal data is not only vital for business operations but also demands constant attention and care due to its inherent risks.

Focusing specifically on the maintenance of personal data under the POPIA regulations in South Africa and the GDPR in Europe, Caroline aims to provide valuable insights into lawful data management practices. Unlike earlier sessions that dealt with data disposal and storage, this webinar will shed light on how organisations can effectively uphold the integrity of personal information throughout its lifecycle. The tiger metaphor serves as a powerful reminder that while personal data is essential, mishandling it poses serious legal and reputational threats, underscoring the importance of diligent data management.

Figure 1 The Life of P.I.

Figure 2 About me

Figure 3 Collaboration efforts

Figure 4 A Lifecycle Approach to Data Protection

Figure 5 Data Lifecycle

Figure 6 The Life of P.I. Webinar Series

Understanding Roles: Responsible Party vs. Operator

A crucial aspect of privacy law is the distinction between Responsible Parties and Operators, which fundamentally shapes an organisation’s legal obligations and liability. Under the Protection of Personal Information Act (POPIA), the Responsible Party is the entity that decides why and how personal data is processed and is primarily liable for compliance and decision-making regarding data usage.

In contrast, Operators, such as third-party vendors or cloud service providers, process data on behalf of the Responsible Party. This differentiation is significant, as the legal responsibilities associated with each role vary considerably.

To avoid compliance pitfalls and potential liability, organisations must clearly understand their role in relation to specific datasets. Caroline emphasises the necessity for legal departments to establish clarity in this matter, as any confusion can lead to missed compliance requirements and greater exposure to legal risks.

Recognising whether an organisation is controlling data or merely processing it for another party is essential for shaping an effective compliance strategy. Clear identification of roles not only safeguards against liabilities but also ensures adherence to legal obligations.

Figure 7 Quick Reminder

Figure 8 POPIA Role Players

The Account Number Red Flag: Managing Critical Risk

Privacy laws necessitate expanding traditional risk registers to include the concept of “Risk to the Data Subject,” particularly under POPIA. Under this legislation, account numbers—considered financial identifiers—fall into the highest-risk category, as their mismanagement can trigger severe penalties.

Unlike the General Data Protection Regulation (GDPR), which imposes substantial administrative fines, POPIA emphasises civil remedies, allowing data subjects to sue organisations directly for damages. This legal framework creates a distinct risk profile, where reputational damage from a breach of account numbers can far exceed any direct financial penalties, especially since a single breach may lead to multiple individual lawsuits seeking restitution.

To mitigate these risks, organisations must prioritise the security and proper handling of financial identifiers over other data types. This involves implementing advanced controls, encryption, access restrictions, and continuous monitoring specifically for account numbers.

As emphasised by experts in the field, while all forms of personal information are important, account numbers stand out as the “nuclear option” in POPIA’s enforcement framework. Therefore, investing in robust security measures for financial identifiers should be a top priority for organisations to protect themselves from potential legal and reputational repercussions.

Figure 9 Privacy Laws Extend Your Risk Register

Figure 10 Riskiest Risk Approach

The Three Pillars of Maintaining Personal Information

Effective management of personal data hinges on three interconnected pillars: Purpose, Quality, and Participation. First, organisations must clearly define the specific, documented purpose for each piece of data they collect, as vague justifications fail to meet legal requirements.

Second, maintaining data quality is crucial; the information must be accurate and current to mitigate potential harm to individuals and reduce liability risks. This necessitates a commitment to robust data stewardship practices.

In addition to Purpose and Quality, Participation is vital for empowering data subjects. Organisations must provide individuals with meaningful access to their information, allowing them to view, correct, and, when appropriate, delete their data.

By transforming privacy into a customer service function, organisations establish a foundation of trust with stakeholders. Together, these three pillars not only ensure compliance with legal guidelines but also promote ethical data practices in today’s digital landscape.

Figure 11 Maintaining Data Quality through Participation

Figure 12 Be purposeful, Quality is Key, and Enable Participation

Figure 13 Controller / Responsible Party

Deep Dive: Obligations and Controls

Controllers and Operators have distinct roles that necessitate different compliance frameworks. For Controllers, essential obligations include maintaining a Record of Processing Activities (RoPA), implementing robust data quality checks, and establishing transparent participation procedures for data subjects.

The RoPA is foundational, as it details the data held, the rationale for its collection, its storage location, access permissions, and retention timelines. This inventory is crucial for compliance, while data quality controls ensure the accuracy of the information processed. Moreover, clear participation procedures empower data subjects by providing them with avenues to exercise their rights effectively.

Conversely, Operators focus primarily on security and adherence to the Controller’s instructions. They are restricted from using data for purposes beyond what is stipulated in their contracts, and that same contractual boundary is what protects them: as long as they process only as instructed, liability for the lawfulness of the processing rests with the Controller.

Caroline highlights the importance of these contracts, noting that they act as an Operator’s “get out of jail free card.” By demonstrating compliance with documented Controller instructions when issues arise, Operators can significantly mitigate their liability exposure. This distinction underscores the importance of both roles in maintaining data integrity and compliance within the broader data protection framework.

Figure 14 Operator / Processor

Figure 15 Controller / Responsible Party

Pillar 1: Being Purposeful with RoPA and CMDBs

Effective management of the RoPA is essential for demonstrating compliance with data processing regulations. Every data processing activity requires a lawful basis, and the RoPA serves as the primary tool for documenting each legal justification, creating an auditable trail for organisations. However, relying solely on spreadsheets for this management can lead to complications as organisations expand, especially in capturing the intricate relationships among data, systems, and processes.

To enhance RoPA management, it is advisable to utilise IT Service Management tools, particularly Configuration Management Databases (CMDBs). CMDBs excel in tracking assets and their interconnections, making them invaluable for documenting data flows, system dependencies, and processing activities.

Utilising graph databases further enhances this process by visualising data movement within the organisation. By integrating privacy records into existing IT infrastructure, organisations can achieve improved visibility, easier auditing, and reduced maintenance burden, transforming RoPA from a static compliance document into a dynamic, practical management tool.

Figure 16 “Be Purposeful”

Figure 17 8 Conditions of Lawful Processing

Figure 18 Your #1 Risk Under POPIA – Account Numbers

Figure 19 RoPA: Reasonable Steps to Comply with Conditions of Lawful Processing

The Direct Marketing Challenge

Further processing of data—where organisations use collected information for purposes beyond its initial intent—poses significant compliance challenges, particularly in marketing. When data is collected for a specific purpose, such as processing a sale, using that same data later for marketing efforts necessitates obtaining explicit consent from the individuals involved. As highlighted during a recent Q&A, the use of cookies for targeted advertising undoubtedly falls under the realm of direct marketing, which is governed by privacy laws that mandate transparency and consent.

Cookie notices must effectively clarify the tracking practices employed and the rationale behind them, adhering to the “purpose specification” principle. If users did not reasonably anticipate being tracked for advertising when providing their information, repurposing that data could constitute unlawful further processing.

This challenge is further exacerbated when companies aim to market to “customers’ customers,” utilising data acquired through one relationship to target individuals who have never interacted directly with the organisation. Such practices necessitate thorough legal scrutiny and robust consent mechanisms to ensure compliance with privacy regulations.

Figure 20 Using Employee Information for Promotional Marketing

Pillar 2: Data Quality and Stewardship

Howard Diesel emphasises the importance of determining data ownership by applying a CRUD matrix, which stands for Create, Read, Update, and Delete. By analysing who performs each operation on specific data elements, organisations can clearly delineate responsibilities associated with data management. Typically, the individual or department that creates the data should be designated as its Data Owner or Steward, as they are best positioned to ensure the data’s quality and accuracy.

Howard also highlights the complexities of managing unstructured data, such as file shares, personal drives, and Excel spreadsheets, which he describes as “diabolically difficult.” Unlike structured databases, which offer clear access controls and audit trails, unstructured data often lacks governance, leading to permission sprawl and conflicting versions.

To address these challenges, organisations must prioritise migrating critical personal information from unstructured storage to governed systems. If immediate migration is not possible, it is crucial to implement stringent access controls, conduct regular audits, and establish clear retention policies to maintain high data quality standards.
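The CRUD-matrix approach above, worked through as an added example (not code from the webinar): the role that creates a data element becomes its steward, elements with no creating role or with several creators are raised for a manual decision, and elements held on unstructured stores are listed for migration. Roles, elements and store names are constructed.

```python
"""Constructed CRUD matrix: derive stewards and flag unstructured P.I."""

# (data element, role) -> operations that role performs on it
CRUD = {
    ("customer_address", "sales"):    {"C", "U"},
    ("customer_address", "support"):  {"R", "U"},
    ("account_number",   "finance"):  {"C", "R", "U", "D"},
    ("account_number",   "marketing"): {"R"},
    ("marketing_score",  "marketing"): {"R", "U"},   # nobody creates it here
    ("payslip",          "hr"):       {"C", "R"},
    ("payslip",          "finance"):  {"C", "R"},    # two creating roles
}
# Where each element currently lives (constructed).
STORE = {
    "customer_address": "crm",
    "account_number": "erp",
    "marketing_score": "excel_share",
    "payslip": "hr_file_share",
}
UNSTRUCTURED_STORES = {"excel_share", "hr_file_share"}


def assign_stewards(crud: dict) -> tuple[dict, list]:
    """Steward = the single role that creates the element; otherwise an issue."""
    creators: dict[str, set[str]] = {}
    for (element, role), ops in crud.items():
        creators.setdefault(element, set())
        if "C" in ops:
            creators[element].add(role)
    stewards, issues = {}, []
    for element, roles in creators.items():
        if len(roles) == 1:
            stewards[element] = next(iter(roles))
        elif not roles:
            issues.append((element, "no creating role; assign a steward manually"))
        else:
            issues.append((element, "multiple creators: " + ", ".join(sorted(roles))))
    return stewards, issues


def unstructured_pi(store: dict, unstructured: set) -> list[str]:
    """Elements held on ungoverned stores, i.e. migration candidates."""
    return sorted(e for e, s in store.items() if s in unstructured)


if __name__ == "__main__":
    print(assign_stewards(CRUD))
    print(unstructured_pi(STORE, UNSTRUCTURED_STORES))
```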

Figure 21 Your #2 Risk – Is the Purpose Direct Marketing?

Figure 22 Data Quality is Key

Figure 23 8 Conditions of Lawful Processing

Figure 24 Data Stewardship: Who Owns that P.I.?

Figure 25 Data Stewardship: Who Owns that P.I.? pt.2

Figure 26 Master Data & Data Stewardship

Figure 27 Data Movement & Ownership (Create, Update, and Delete)

Figure 28 Threats to Data Quality – Unauthorised Access

The Human Hack: Using Group Polarisation

Changing organisational culture around privacy requires more than just technological solutions; it demands a psychological approach that fosters collaboration across departments. Traditional fear-based compliance messaging often leads to short-term behavioural changes, which are insufficient for lasting impact.

By introducing Group Polarisation, organisations can leverage diverse perspectives from departments such as Marketing, IT, HR, and Legal to facilitate meaningful discussions about privacy. This mixing of perspectives allows teams to better understand each other’s concerns—IT’s security issues, HR’s liabilities, and Marketing’s business pressures—creating a shared commitment to a stronger privacy culture.

Structured dialogue is essential in this process, as it encourages genuine listening rather than merely presenting positions. When departments engage in honest conversations about their challenges and constraints, privacy transitions from being viewed as a compliance burden enforced by Legal into a collective organisational value embraced by everyone. Ultimately, fostering these cross-functional discussions not only strengthens privacy stances but also aligns the entire organisation around the importance of protecting sensitive information.

Figure 29 Talking to Employees about Data Quality – Persuasive Comms 101

Pillar 3: Enabling Data Subject Participation

Organisations must view data subject participation rights as an essential aspect of customer service, rather than a burdensome legal requirement. By making it easy for individuals to query, access, correct, and delete their personal information, companies not only comply with privacy laws but also enhance their relationships with customers. Clear communication about contact details and straightforward processes for submitting requests help individuals feel valued and respected, while also ensuring that organisations maintain high data quality.

To effectively implement these participation rights, businesses should establish clear procedures and train staff to understand privacy rights comprehensively. Ensuring reasonable response timeframes, typically within 30 days, along with secure identity verification to prevent unauthorised access, is crucial. Regular testing of participation processes from the data subject’s perspective will help organisations identify areas for improvement, further fostering customer trust and satisfaction while fulfilling their legal obligations.

Figure 30 Enable Participation

Figure 31 The Rights of Data Subjects under POPIA

Figure 32 Data Subject Participation

Figure 33 Monitoring Data Subject Participation

Figure 34 How to Process P.I. Lawfully

Final Compliance Checklist

Maintaining effective data management practices is crucial for organisations to uphold compliance and safeguard sensitive information. A practical checklist should include tracking the purpose of every processing activity through a RoPA to ensure a clear justification for data retention.

Additionally, enabling meaningful participation from data subjects requires establishing clear channels for them to exercise their rights. Organisations should also prioritise data quality by assigning stewardship, conducting regular accuracy reviews, and implementing prompt correction processes. Security measures must be tailored to the sensitivity of the data, providing enhanced protection for high-risk items such as account numbers.

Furthermore, proactive planning for potential data breaches is essential, as incidents can occur despite preventive measures. Developing a comprehensive incident response plan, establishing defined notification procedures, and creating breach documentation processes are not signs of pessimism but rather prudent strategies for operational readiness.

Viewing privacy compliance as an ongoing requirement rather than a one-time project is vital for organisational resilience. Regularly reviewing the maintenance checklist serves as an effective audit tool, helping organisations stay compliant as their data practices evolve and enabling them to identify potential gaps before they lead to violations. Ultimately, the commitment to maintaining these standards can mean the difference between successfully managing data risks and facing severe repercussions.

Figure 35 Is Our Processing Lawful?

If you would like to join the discussion, please visit our community platform, the Data Professional Expedition.

Additionally, if you would like to watch the edited video on our YouTube channel, please click here.

If you would like to be a guest speaker on a future webinar, kindly contact Debbie (social@modelwaresystems.com)

Don’t forget to join our exciting LinkedIn and Meetup data communities so that you don’t miss out!
