The evolving data privacy regulatory landscape is transforming the way organisations and individuals think about the use and protection of personal information. The need to manage personal information in a secure and compliant way is greater than ever since the Protection of Personal Information Act (“POPIA”) became effective on 1  July 2020. This is in addition to the already difficult business environment of protecting client data and the continued increase in the sophistication of cyber-crime

The introduction of data protection laws, the increasing level of regulatory action, and the changing cyber threat landscape, all drive an organisation’s privacy compliance requirements. On top of these risk and regulatory drivers, there are other factors that are forcing organisation’s to adapt and enhance their privacy practices - these include new technology, a greater focus on digital transformation, and the changing public perception regarding the collection and use of personal information.

Considerations for business:

To minimise risks, and the amount of time it will take to meet new data privacy requirements, organisations first need to adopt a fresh mindset on navigating the risk landscape. To accomplish this the following should be considered:

1. Do we understand the organisation’s privacy obligations, risks, and if our compliance strategy is fit for purpose? In other words, have we conducted a privacy gap assessment and a privacy risk assessment?

2. Are we making sound decisions and plans with regard to technology and business transformation initiatives involving personal information (i.e. any transformation projects which touch on the personal information of customers,  employees, and/or the supply chain)

3. Do we have a clear view of what personal information is being processed whereby who and for what purpose? In other words, have we performed a data mapping exercise to identify personal information flows?

4. Am we confident of the organisation’s ability to detect and manage a data breach effectively and timeously? (including reporting requirements to data subjects and regulators)

5. Do we have confidence that our products, new ventures, or acquisitions are privacy complaint?

6. Have we considered and are we managing the risk to personal information posed by third parties?

7. How will existing and emerging data privacy laws impact our enterprise operations and risk appetite?

For more information on KPMG's Privacy services, please contact our team at: