Confidentiality and information security
Misuse or loss of confidential client information or personal data may compromise our clients, expose the firm to legal proceedings, and adversely impact our reputation.
The firm’s Information Protection Leader is a member of the Africa Risk Council and is supported by the PwC Network Information Security Organisation which, together with the Information Protection Committee, provides oversight, policy and strategic direction on information risk and cybersecurity matters.
Membership of the Committee comprises representatives from Risk and Quality, the Office of General Counsel, Network Information Security, Information Technology and the lines of service. The committee’s objectives are to:
PwC regularly reviews its data protection practices to comply with applicable laws, industry standards and best practices. To meet the requirements of the European Union’s General Data Protection Regulation (GDPR), and as a result of other territorial regulations impacting privacy, a comprehensive global programme -- the Network Data Protection Programme or NDPP -- has been established to provide a basis for, and a consistent approach to, data protection compliance across the PwC network and within each member firm.
PwC South Africa operates an information security management system, which is certified as compliant with the requirements of ISO/IEC 27001:2013 for all client data that comes under its control or ownership by virtue of a contract for services between PwC South Africa and a client.
The firm’s policies and standards are supported by ongoing compliance monitoring. Monitoring is carried out by PwC Africa’s Internal Audit and Compliance teams and is supplemented by checks by the PwC Network Information Security Organisation. Our ISO/IEC 27001:2013 certification is subject to annual external independent assessment. The firm’s incident reporting and response procedures seek to minimise the impact of any data loss that may arise. These procedures include notifying clients when it is known that their data is at risk and, where appropriate and feasible, taking corrective action.