Giscard Kotelo

• Supporting CVC's DPCO in promoting and ensuring compliance with international privacy laws, regulations and policy requirements.
• Leading in the performance of Data Protection Impact Assessments ('DPIA'), Data Transfer Impact Assessments, Legitimate Interest Assessments, and the ongoing performance and maintenance of Records of Processing Activities ('ROPA') in accordance with GDPR requirements and applicable regulatory requirements.
• Leading CVC's GDPR data retention and deletion project in collaboration with Risk, Legal and IT functions as well as external legal counsel.
• Providing support to the DPCO in reporting data privacy matters to CVC's Data Compliance Committee.
• Providing support to CVC's vendor and third-party onboarding processes including working with CVC Legal to review contracts and data processing agreements in relation to data processing, transfer, retention and deletion.
• Contributing to supporting privacy due diligence and manage third-party risk assessments of material third-parties and thereafter on a periodic risk-based frequency.
• Maintaining knowledge of applicable privacy laws, regulations and best practices, and monitoring changing global privacy laws, regulations and best practices.
• Participating in the development and facilitation of privacy training and awareness programs across the group to improve employee awareness and promoting compliance to policies.
• Maintaining and updating internal and external data privacy policies and notices for the Group.
• Helping manage and report data privacy breaches in conjunction with the information security team, complaint handling, regulatory notifications and responding to individual rights requests.
• Spearheaded and unified the integration of third-party risk management ('TPRM') processes across all entities, collaborating with stakeholders from Legal, Compliance, Finance, IT and AI to streamline vendor onboarding, enhance operational efficiency, resolve issues and create a cohesive onboarding framework.
• Lead cross-functional collaboration with Legal, Compliance, Finance, IT and AI departments to overhaul and unify TPRM processes, leveraging OneTrust to drive efficiency and compliance.
• Streamlined workflows and assessments on OneTrust, collaborating closely with stakeholders across Legal, Compliance, Finance, IT and AI.
• Led integration meetings and stand-ups with senior leadership, fostering collaboration and driving alignment on OneTrust implementation and TPRM strategies.
• Trained and onboarded three additional team members, expanding vendor onboarding capacity and ensuring they effectively manage responsibilities under my guidance.
• Collaborated closely with the AI Governance Lead to ensure compliance with emerging regulations, including the EU AI Act.
• As an AI Champion within the firm, I have participated and contributed to initiatives focused on integrating AI Governance into vendor onboarding processes and privacy operations.
• Participated in additional AI training to empower colleagues, fostering a deep understanding of responsible AI practices.
• Developed and authored an internal mailbox access guidance note, which detailed privacy risks and provided clear procedures for accessing employee mailboxes under various circumstances.
• Conducted comprehensive research and presented to senior leadership, who commended its clarity and effectiveness.
• Conceptualized and led the development of a comprehensive Privacy Champions Program, conducting in-depth research and authoring a whitepaper with a strategic framework and actionable rollout plan.
• Successfully presented this initiative to senior leadership, leading to its adoption across 32 global locations.
• Provided training and knowledge resources to the Privacy Champions, collaborating with them to foster a culture of data protection ownership.
• Leading the Data Retention and Destruction Program, I am spearheading efforts to implement and maintain data retention and deletion standards in alignment with legal and regulatory requirements.
• Pioneered the establishment of our company's Pride Network in the new Cape Town office, orchestrating a successful launch that included senior members from our European offices.

• Providing clients with practical and meaningful advice on matters related to the protection of personal information, privacy and the legal aspects of information security.
• Conducting and preparing POPIA and GDPR Gap Assessments; Data Protection Impact Assessments; GDPR Audit (using a Risk Control Matrix); Privacy Compliance Risk Management Plan (CRMP); Development of Data Leakage Strategies; Retention and Destruction of Data programmes; POPIA compliance reports to the Information Regulator.
• Reviewing of local and regional privacy-related policies, procedures and controls.
• Helping clients identify privacy-related, legal or business risks and assist them in the implementation of the appropriate organisational and technical counter measures.
• Planning and executing pragmatic and integrated privacy and legal approaches to make privacy work within clients' business operations.
• Advising on both legal and technical aspects of privacy or other IT legal issues and looking for compliant but workable solutions.
• Assisting in drafting legal updates or courses for firm's or other initiatives.
• Conducting privacy-related training to clients.
• Conducting a privacy-related internal audit into a mining company.
• A POPIA-compliance assessment report conducted for a leading telecommunications company on request by the Information Regulator.
• Bidding for assisting a large multinational company in the fertilizer industry with the rolling out of its privacy program on a group-basis.
• Bidding for conducting a privacy gap assessment in respect of POPIA and GDPR for a leading IT company.
• Conducting an entity-level POPIA compliance assessment for a leading South African mining company.
• Performing a due diligence into all security and data privacy rules applicable in respect of an acquisition transaction by the largest retail pharmacy chain in South Africa.
• Assisting a large multinational financial institution ('bank') with improving and maturing its records retention and destruction capability.

• First rotation: Litigation/Dispute Resolution
• Second rotation: Labour, Financial Services and Pensions
• Third Rotation Corporate and Commercial

Data Privacy legal matters:

• Providing legal advice on various privacy laws including GDPR, PIPEDA, CCPA, POPIA, and HIPPA.
• Advising a global financial institution ('bank') on the legality of requiring diversity, equity and inclusion data from South African data subjects in the bank's recruitment processes.
• Advising a global, high-tech engineering group ("group") on their data breach reporting obligations in five African countries after the group's central vendor suffered a data, affecting the group's global subsidiaries.
• Advising a financial institution (insurer) on their data breach reporting obligations under POPIA.
• Advising a global telecommunications company on their alignment with various data privacy laws in their Group Inter-data Transfer Agreement.
• Advising a professional body on the publication of exam results and exam candidates' personal information on their website.
• Advising a global financial institution (bank) on data privacy concerns in respect of its current and updated employee monitoring policies and procedures.
• Advising a local medium-sized company on its POPIA compliance obligations (pro bono).
• Drafting and reviewing data privacy and data protection wordings in various types of documents.
• Assisting with data privacy and data protection wordings in various types of documents including insolvency-related requisition forms, insurance-industry related documents, third-party operator agreements, non-disclosure agreements, and more.