Data Privacy Newsletter 2023


PRIVACY DAY 2023

BDO IT CONSULTING
IT GOVERNANCE & CONSULTING

#Technology. Value Driven.


Sylvie Greco
Partner

Privacy is recognised as a fundamental human right and its protection has become essential
for organisations around the world. Since Mauritius enacted the Data Protection Act in
January 2018 to better protect the personal data of individuals and to align with
international regulations such as the European Union General Data Protection Regulation
(EU GDPR), BDO IT Consulting has worked on more than 80 Data Protection Projects,
helping companies implement Data Protection Frameworks, performing Data Privacy Audits
and acting as outsourced DPO, among other services.
2022 has been a great and enriching year for BDO IT Consulting. We have consolidated our
position in the local market as a leading firm by providing tailor-made solutions, advice
and assistance to influential corporations on data privacy matters. Our team of privacy
experts constantly develops and fine-tunes data protection policies and procedures, tools,
implementation methodologies, and training and awareness materials for different levels
of audience. We have also hosted important compliance events and entered foreign markets
in the Middle East and Africa. We look forward to the new challenges of 2023.
On the occasion of international Data Privacy Day, celebrated annually on the 28th of
January, we are happy to share this Newsletter with you to raise awareness about privacy
and the impact of the major data protection updates that took place last year in Mauritius
and worldwide.
I seize this opportunity to thank all our valued clients and team members who have
contributed to the preparation of this Newsletter, and to wish you a Happy Data Privacy
Day and pleasant reading.


Data Protection In Mauritius – Updates


In 2018, the Data Protection Act (DPA) came into force. The DPA is largely inspired by the
EU GDPR and integrates the latter’s main principles into our legislative system; it plays a
fundamental role in elevating data privacy, securing data subjects’ rights and fostering a
privacy culture across organisations.
In 2022, we witnessed several major developments in our system, outlined below:

1 The Supreme Court of Mauritius upheld the Right of Access


In August 2022, the Supreme Court of Mauritius delivered a judgment on the right of access
under section 37 of the Data Protection Act 2017. In this case, the Plaintiff requested that
a private medical institution (the Respondent) provide her with her complete medical file and
all of her medical reports. The Respondent refused on the grounds that the documents requested
did not constitute her personal data and that the private medical institution was not the
“controller” but the “processor”.
The judgment clarified two important components of data protection as follows:

i. Status of a Controller
The judgment shed light on the status of medical institutions with regard to their
processing operations, stating that “the respondent “processed” all such information
relating to the applicant since, at the very least, it collected, recorded, organised and
stored such personal data. The respondent therefore became the “controller”, as it was in
a position to determine its purposes and means of processing, and it has decision-making
powers with respect to the processing of the data, as is clearly established by the stand
it has adopted in the present case”. This judgment reinforced the definition of a Data
Controller under the DPA.

ii. Right of Access


The judgment ordered the Respondent to provide the Plaintiff with a copy of her complete
medical file and records, as these include her personal data as defined in the DPA, and
thus upheld section 37 of the DPA with regard to a data subject’s right of access.

2 Data Protection E-Services


In late 2022, the Data Protection Office (“DPO”) implemented the Data Protection E-Services
platform, through which all registration applications, complaints and other procedures are
to be carried out online. E-forms are also available to Data Controllers and Data Processors
for transfers of personal data outside Mauritius, notification of personal data breaches,
compliance audits, data protection impact assessments and certification. This significant
step makes all processes more accessible to organisations as well as individuals. The new
platform is scheduled to be launched on January 30, 2023.


3 Compliance Certification
Section 48 (Certification) of the Data Protection Act 2017 gives the Data Protection
Office (DPO) the authority to certify an organisation as being data protection compliant.
Certification is free and voluntary.

Organisations that wish to be certified need to fill out the certification form and submit
it to the DPO, which will assess the application and, if satisfied, conduct a comprehensive
compliance audit. A certificate of compliance is then awarded only to those organisations
that fully meet the provisions laid down in the DPA. The certificate is valid for 3 years
and can be revoked at any time by the DPO should the controller or processor no longer
comply with the Act. According to the DPO, certification is a lengthy process.
ABSA Bank is the first organisation, and the first bank, in Mauritius to receive the
Certificate of Compliance, which was awarded by the DPO on 30 September 2022.

Data Privacy News Around The World

Fines

1 TikTok
In September 2022, the UK Information Commissioner’s Office (ICO) issued TikTok with a
notice of intent (a provisional finding that precedes a final penalty) to fine the social
media company £27 million for failing to protect children’s privacy. TikTok was found to
have processed the data of children under the age of 13 without appropriate parental
consent, failed to provide proper information to its users in a concise, transparent and
easily understandable way, and processed special categories of data without a legal basis
for doing so, thereby breaching fundamental principles of the UK GDPR.

In December 2022, the Commission Nationale de l’Informatique et des Libertés (CNIL)
additionally fined TikTok €5 million for a lack of transparency in its cookie management.
It was found that users could not easily reject cookies and that the purposes of the
different cookies were not adequately described.

2 Meta
For Meta, 2022 was a very tough year with an accumulation of fines. The latest fine the
company received was from the Irish Data Protection Commission (DPC), which fined Meta
Ireland €390 million after finding that it had breached its transparency obligations under
the GDPR. On this point, the DPC noted that the information provided about the legal basis
on which Meta Ireland relied was not clearly set out to users, resulting in insufficient
clarity as to what processing operations were being carried out on the personal data, for
what purpose(s), and on which specific legal basis, thus breaching the core principles of
the GDPR.


3 Berlin E-Commerce Group


A subsidiary of a Berlin-based e-commerce retail group was fined €525,000 for non-compliance
with Article 38(6) of the GDPR due to a conflict of interest involving its DPO, who was
simultaneously the managing director of the company concerned. Tasks or duties assigned to
a DPO must not result in a conflict of interest, and a DPO must act independently. It was
therefore stressed that such an arrangement defeats the purpose of having a DPO: the role
of the managing director is to take managerial decisions, while the DPO has to ensure that
those decisions comply with data protection law and to take the necessary remediation
actions if they do not.

The breach was found to be intentional, which explains the level of the fine incurred by
the company.

4 Oppo Kenya
The Kenya Data Protection Act (KDPA) came into force in 2021. The Office of the Data
Protection Commissioner imposed a fine of KES 5 million on Oppo Kenya for infringing the
privacy of the complainant by publishing his photo on its social media platform without
his consent, contrary to the Act. This is the first fine imposed under the KDPA.

International Standards
The International Organization for Standardization (ISO) is a non-governmental international
organisation comprising 167 national standards bodies. It develops standards covering
almost all aspects of technology, management and manufacturing to ensure the quality,
safety and efficiency of products, services and systems. For instance, ISO/IEC 27701:2019
specifies requirements and provides guidance for establishing, implementing, maintaining
and continually improving a Privacy Information Management System (PIMS), in the form
of an extension to ISO/IEC 27001 and ISO/IEC 27002, for privacy management within
the context of the organisation. Certifications are granted to organisations meeting the
relevant standards.

As of February 2023, Privacy by Design, a concept that calls for privacy to be built into
the design and operation of information systems, products and services, is incorporated in
the ISO standard ISO 31700-1. This should help organisations adopt and integrate privacy
throughout the lifecycle of consumer products, which will in turn reinforce consumer
privacy rights.


Clients Testimonials
We are happy to share the views of our esteemed and valued clients on why
privacy matters to them and how BDO IT Consulting assisted them down the
road to compliance:

Mauritius Network Services

“MNS is a trusted technology partner to Government agencies in Mauritius, ensuring seamless
transmission of data between businesses and citizens and eGovernment systems. MNS handles
highly sensitive data for trading and port activities, tax filings and business registration.
Therefore, data protection and information security are given the highest priority at MNS,
and having access to top-level expertise in the field of data protection is extremely
important for MNS.
It is in this context that MNS contracted out the role of Data Protection Officer to BDO in January
2022. This has allowed MNS to have access to the expertise of BDO to put in place all the policies
and procedures to be fully in line with the provisions of the Mauritius Data Protection Act as well
as the EU GDPR. We have also been able to train our staff and make them fully aware of their
duties and responsibilities with regard to data protection.
In their advisory role with regards to Data Protection, BDO also helped MNS to put in place
processes to minimize the risks of data breaches across the various functions of MNS.”
Mahen Govinda
Chief Executive Officer

Kenya Airways
“Kenya Airways values data privacy and attaches to its significance the protection of privacy
rights of individuals, the safe conduct of transactions involving the use, exchange or transfer of
personal data, and the prevention of data breaches including the unauthorized or criminal use
of personal data.
With a proper privacy framework and culture in place come an increased trust and credibility
from clients, employees, partners and other stakeholders, as well as an enhanced reputational
and brand value. We also believe that embedding best privacy practices into our operations will
be of added value while maintaining the effectiveness and efficiency of our processes. Hence,
in an effort to develop and implement our privacy program, we have embarked on numerous
activities, such as, performing a data inventory exercise, developing data protection remediation
documents, conducting training and awareness sessions, performing Data Protection Impact
Assessment for high risk processing activities besides registering with the Office of the Data
Protection Commissioner.
The assigned team proved to be knowledgeable and skilled in the subject matter and the provision
of such a business solution. The team was dedicated and committed to the achievement of set
objectives in addition to being flexible and responsive to Kenya Airways’ needs at all times.”
Dorcas Muturi
Senior Manager Risk & Compliance
Joyce Nzau
Risk and Compliance Officer

BDO Dutch Caribbean

“With the assistance of BDO IT Consulting Ltd (BDO ITC), our firm successfully developed the Global
Data Protection Regulation Framework in an efficient and effective manner. We appreciated the
knowledge sharing platform offered by BDO ITC as well as the great project management shown
throughout the assignment! I would definitely recommend their services!”
Paul Lungu
Partner

Juhudi Kilimo Company Limited

“Juhudi Kilimo (JKL) is an institution which offers its customers a broad range of financial
services with a mission to improve the livelihood of rural smallholder farmers and micro-
entrepreneurs. For JKL, Data Protection is not just a key competitive advantage, but also a
precondition for existing in the business market. Being an organisation that processes a large
amount of personal and financial data of customers, staff, service providers and other partners,
JKL has understood how crucial it is to ensure the protection of those data. With the Kenya
Data Protection Act 2019 (DPA) coming into force and imposing some major obligations on all
organisations processing personal and financial data, JKL has deemed it important to go down
the compliance route to ensure that its staff are upholding all data protection principles and
thus complying with the law. Some of the key steps undertaken by JKL were: the successful
registration as Data Controller with the Data Protection Commissioner Office, the delivery of
data protection training to all its staff, aligning the IT systems to include privacy principles,
amendments and implementation of various data protection policies, contracts and standard
operating procedures. JKL understands that data protection is not a one-off activity and, to
ensure ongoing compliance, JKL has assigned a team the oversight of Data Protection in the
organisation and compliance requirements of the elements of the DPA.”
Job Kirui
Chief Technology Officer

Ecole du Centre
“In order to comply with the Data Protection Act at Ecole du Centre, a private school following
the French curriculum, we benefited from the support of BDO IT Consulting to implement a
complete data protection compliance framework.
The advice and experience of BDO IT Consulting Ltd enabled us to carry out this project. BDO IT
Consulting helped us put in place our data protection policies, train those responsible for
data processing and support our data protection officer.”
Cédric Thonney
Data Protection Officer


Retrospective of 2022
The privacy team of BDO IT Consulting, together with BDO member firms in Seychelles and
East Africa, met with incredible audiences in 2022!


BDO IT Consulting - Data Protection Services

Our data protection solutions remain wide-ranging but tailored to our client’s needs.
We offer:
- Privacy and Security Gap Assessments
- Implementation of a Data Privacy Framework
- Data Protection Compliance Audit
- Outsourced DPO and/or Support to the DPO
- Privacy by Design advisory services for new information systems
- Implementation of ISO 27701
- Assistance in the registration process with relevant data protection authorities
- Assistance in the Compliance Certification under the DPA
- Trainings and workshops

Our Team
Our team includes legal experts, cybersecurity specialists, risk professionals and project
management consultants. Our privacy experts hold the following certifications:

- Fellow of Information Privacy (FIP)
- Certified Information Privacy Professional Europe (CIPP/E)
- Certified Information Privacy Manager (CIPM)
- Certified Information Privacy Technologist (CIPT)
- Certified Information Systems Auditor (CISA)
- EXIN Privacy and Data Protection Foundation (PDPF)
- OneTrust Certified Professional - Privacy Management (OTCP)
- OneTrust Certified Fellow of Privacy Technology
- PECB Certified ISO 27701 Lead Implementer

About BDO and why choose us?
BDO’s global organisation extends across 167 countries and territories, with 91,054 people
working out of 1,658 offices – and they’re all working towards one goal: to provide our clients
with exceptional service. Our firms across the organisation cooperate closely and comply with
consistent operating principles and quality standards. We are a global organisation built on local
relationships.
There are five key components that describe BDO and our consistently exceptional service delivery:

- CLIENT NEEDS: we anticipate our clients’ needs and are forthright in our views, in order to
ensure the best outcome for you
- COMMUNICATION: we are always clear, open & swift in our communication
- COMMITMENT: we agree to and meet our commitments, meaning that we deliver what we
promise, every day, for every client
- PEOPLE: at BDO we are proud to provide the right environment for our people to grow and
develop – but also the right people to deliver for our clients
- VALUE: Our experts focus on creating value: we give our clients up to date ideas and valuable
insights and advice that they can trust

Contact Us
Sylvie Greco
Partner
T: +230 260 5889
M: +230 5497 9578
E: sylvie.greco@bdo.mu
Deepshi Hujoory
Manager
T: +230 260 5839
M: +230 5964 0469
E: deepshi.hujoory@bdo.mu

Thank You!
Essar Building, 10 Frère Felix
De Valois St, Port Louis
+230 260 78 00
bdo.it.consulting@bdo.mu

BDO IT Consulting
