Data Privacy Newsletter 2023
BDO IT CONSULTING
IT GOVERNANCE & CONSULTING
Sylvie Greco
Partner
“Privacy is recognised as a fundamental human right and its protection has become essential
for organisations around the world. Since Mauritius enacted the Data Protection Act in
January 2018 to better protect the personal data of individuals and to align with
international regulations such as the European Union General Data Protection Regulation
(EU GDPR), BDO IT Consulting has worked on more than 80 data protection projects,
helping companies implement data protection frameworks, performing data privacy audits
and acting as outsourced DPO, among other services.
2022 was a great and enriching year for BDO IT Consulting. We have consolidated our
position in the local market as a leading firm by providing tailor-made solutions, advice
and assistance to influential corporations in data privacy matters. Our team of privacy
experts constantly develops and fine-tunes data protection policies and procedures, tools
and implementation methodologies, as well as training and awareness materials for
different audiences. We have also hosted important compliance events and entered
foreign markets in the Middle East and Africa. We look forward to the new challenges of 2023.
On the occasion of International Data Privacy Day, celebrated annually on 28 January,
we are happy to share this Newsletter with you to raise awareness about privacy and
the impact of the major data protection developments that took place last year in
Mauritius and worldwide.
I seize this opportunity to thank all our valued clients and team members who have
contributed to the preparation of this Newsletter, and to wish you a Happy Data Privacy
Day and pleasant reading.”
i. Status of a Controller
The judgment sheds light on the status of medical institutions with regard to their
processing operations. It states that “the respondent “processed” all such information
relating to the applicant since, at the very least, it collected, recorded, organised and
stored such personal data. The respondent therefore became the “controller”, as it was in
a position to determine its purposes and means of processing, and it has decision-making
powers with respect to the processing of the data, as is clearly established by the stand
it has adopted in the present case”. The judgment thus reinforces the definition of a data
controller under the DPA: whoever decides the purposes and means of processing is the
controller, whatever the entity calls itself.
3 Compliance Certification
Section 48 (Certification) of the Data Protection Act 2017 gives the Data Protection
Office the authority to certify an organisation as data protection compliant.
Certification is free and voluntary.
An organisation that wishes to be certified fills out the certification form and sends it
to the Data Protection Office. The Office first assesses the application and, if satisfied,
conducts a comprehensive compliance audit. A certificate of compliance is awarded only
to organisations that fully meet the provisions of the DPA. The certificate is valid for
3 years and can be revoked at any time by the Data Protection Office should the controller
or processor no longer comply with the Act. The Data Protection Office has indicated that
certification is a lengthy process.
Absa Bank is the first organisation, and the first bank, in Mauritius to receive the
Certificate of Compliance, which was awarded by the Data Protection Office on
30 September 2022.
Fines
1 TikTok
In September 2022, the UK Information Commissioner’s Office (ICO) issued TikTok a
notice of intent to fine the social media company £27 million for failing to protect
children’s privacy. The ICO’s provisional findings were that TikTok had processed the
data of children under the age of 13 without appropriate parental consent, had failed to
provide its users with proper information in a concise, transparent and easily
understandable way, and had processed special categories of data without a lawful basis
for doing so, thereby breaching the fundamental principles of the UK GDPR (the UK’s
retained version of the EU GDPR) mentioned above.
2 Meta
For Meta, 2022 was a very tough year marked by an accumulation of fines. The most recent
penalty, announced by the Irish Data Protection Commission (DPC) in January 2023, amounted
to €390 million. The DPC found that Meta Ireland had breached its transparency obligations
under the GDPR: the information provided about the legal basis on which Meta Ireland
relied was not clearly set out to users, leaving insufficient clarity as to what processing
operations were being carried out on their personal data, for what purpose(s), and under
which specific legal basis. This breached the core principles of the GDPR.
This was found to be an intentional breach of the GDPR, which explains the size of the fine
incurred by the company.
4 Oppo Kenya
The Kenya Data Protection Act, 2019 (KDPA) came into force in November 2019. In December
2022 the Office of the Data Protection Commissioner imposed a penalty of KES 5 million on
Oppo Kenya for infringing the privacy of the complainant by publishing his photograph on
its social media platform without his consent, contrary to the Act. This was the first
penalty imposed under the KDPA.
International Standards
The International Organization for Standardization (ISO) is a non-governmental international
organisation comprising 167 national standards bodies. It develops standards covering
almost all aspects of technology, management and manufacturing to ensure the quality,
safety and efficiency of products, services and systems. For instance, ISO/IEC 27701:2019
specifies requirements and provides guidance for establishing, implementing, maintaining
and continually improving a Privacy Information Management System (PIMS), in the form
of an extension to ISO/IEC 27001 and ISO/IEC 27002, for privacy management within
the context of the organisation. Organisations meeting the relevant standards can be
certified. Note that ISO itself does not certify organisations: certification is carried
out by independent, accredited certification bodies, and because ISO/IEC 27701 is an
extension of ISO/IEC 27001, it can only be certified together with an ISO/IEC 27001
information security management system, not on its own.
ISO 31700-1, scheduled for publication in February 2023, will embed Privacy by Design, the
principle that privacy must be built into the design and operation of information systems,
products and services rather than added afterwards, in an ISO standard for the first time.
This should help organisations adopt and integrate privacy throughout the lifecycle of
consumer products, which in turn reinforces consumer privacy rights.
Clients Testimonials
We are happy to share the views of our esteemed and valued clients on why
privacy matters to them and how BDO IT Consulting assisted them on the
road to compliance:
Kenya Airways
“Kenya Airways values data privacy and attaches significance to the protection of the privacy
rights of individuals, the safe conduct of transactions involving the use, exchange or transfer of
personal data, and the prevention of data breaches, including the unauthorised or criminal use
of personal data.
With a proper privacy framework and culture in place comes increased trust and credibility
from clients, employees, partners and other stakeholders, as well as enhanced reputational
and brand value. We also believe that embedding best privacy practices into our operations will
add value while maintaining the effectiveness and efficiency of our processes. Hence,
in an effort to develop and implement our privacy programme, we have embarked on numerous
activities, such as performing a data inventory exercise, developing data protection remediation
documents, conducting training and awareness sessions, and performing Data Protection Impact
Assessments for high-risk processing activities, besides registering with the Office of the Data
Protection Commissioner.
The assigned team proved to be knowledgeable and skilled in the subject matter and in the provision
of such a business solution. The team was dedicated and committed to the achievement of the set
objectives, in addition to being flexible and responsive to Kenya Airways’ needs at all times.”
Dorcas Muturi, Senior Manager Risk & Compliance
Joyce Nzau, Risk and Compliance Officer
Ecole du Centre
“In order to comply with the Data Protection Act at Ecole du Centre, a private school following
the French curriculum, we benefited from the support of BDO IT Consulting to implement a
complete data protection compliance framework.
The advice and experience of BDO IT Consulting Ltd that we benefited from enabled us to carry
out this project. BDO IT Consulting helped us put in place our data protection policies, train
our data processing managers and assist our data protection officer.”
Cédric Thonney
Data Protection Officer
Retrospective of 2022
The privacy team of BDO IT Consulting, together with BDO member firms in Seychelles and
East Africa, met with incredible audiences in 2022!
Our Team
Our team includes legal experts, cybersecurity specialists, risk professionals and project
management consultants. Our privacy experts hold the following certifications:
About BDO and why choose us?
BDO’s global organisation extends across 167 countries and territories, with 91,054 people
working out of 1,658 offices – and they’re all working towards one goal: to provide our clients
with exceptional service. Our firms across the organisation cooperate closely and comply with
consistent operating principles and quality standards. We are a global organisation built on local
relationships.
There are five key components that describe BDO and our consistently exceptional service delivery:
- CLIENT NEEDS: we anticipate our clients’ needs and are forthright in our views, in order to
ensure the best outcome for you
- COMMUNICATION: we are always clear, open & swift in our communication
- COMMITMENT: we agree to and meet our commitments, meaning that we deliver what we
promise, every day, for every client
- PEOPLE: at BDO we are proud to provide the right environment for our people to grow and
develop – but also the right people to deliver for our clients
- VALUE: our experts focus on creating value: we give our clients up-to-date ideas and valuable
insights and advice that they can trust
Contact Us
Sylvie Greco
Partner
T: +230 260 5889
M: +230 5497 9578
E: sylvie.greco@bdo.mu
Deepshi Hujoory
Manager
T: +230 260 5839
M: +230 5964 0469
E: deepshi.hujoory@bdo.mu
Thank You!
Essar Building, 10 Frère Felix
De Valois St, Port Louis
+230 260 78 00
bdo.it.consulting@bdo.mu
BDO IT Consulting