South Africa Chapter – July 2021


Chapter Overview

Date: Wednesday, 28th of July 2021

Time: 11.30 am – 1.00 pm (SAST)

Platform: Digital Alliances

Location: Digital Alliances – Microsoft Teams Link – Invite Only

Overall Theme: Panel: What I wish I had in place the 90 days before GDPR went live?

The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law that empowers citizens with enforceable rights over their personal information, requires websites, companies and organizations to live up to minimum conditions for lawful processing, and establishes the Information Regulator to supervise and enforce compliance with POPIA.

  • 1115

    Welcome Remarks & Joining Time

  • 1130


    Session Leader: Leigh Thomas – Director – DPO Alliances & CISO Alliances

    Session Title: Digital Alliances

  • 1140

    Panel Perspective


    Helen Rabe, Global CISO

    Robin Smith, Head of Cyber and Information Security

    Owen John, Senior Enterprise Cybersecurity Architect

    Session Title: What I wish I had in place the 90 days before GDPR went live?

    Individual Synopses

    Helen Rabe:

    With data privacy and security being so closely aligned these days, many companies assumed it was an easy fit for security to own the preparation as well as post-implementation requirements for GDPR. This was especially pertinent in smaller companies with low risk maturity and historically low regulatory overheads. Recognising that data privacy comes with its own unique set of challenges and practices that lean strongly towards legal recourse is why a combined effort between data privacy experts and security teams was always going to be a more successful approach. Understanding that compliance is not a one-time ready project is key to ensuring your focus is on the delivery priorities as well as the longer-term plan. Achieving compliance is not a prescriptive exercise; you need to be clear on how you demonstrate that you value the privacy of the data in scope. These initial steps help you structure your approach to what can be a very vague set of legal statements.

    Robin Smith:


    Owen John:

    When GDPR came along, there was no consensus whether it was an IT issue or a legal one. There was therefore little ownership at the start. When considering any data protection regulation in a global environment, there is a good argument to consider adopting the most strict regulations across the entire enterprise to simplify the privacy processes globally. It's important to take a risk-based decision on data localisation and to understand the geopolitical issues in any geography you operate in to assess your risk against punitive action for political or financial gain by an authority.

  • 1215

    Debate & Questions

  • 1255

    Action Areas and Next Steps