https://www.polity.org.za
Data Breaches: What is Required?

29th August 2018

South Africa has experienced no fewer than four significant data breaches involving consumers’ personal information held by businesses in the preceding ten months alone. There is currently no legislation in effect in South Africa which compels a business to disclose data breaches to any authority or to the persons affected thereby, meaning there could well be other instances of data breaches that have simply not been brought to the public’s attention.

These leaks of personal information have highlighted the need for robust cyber security systems, particularly when sensitive personal information is held by a business. Unfortunately, even the most advanced of cyber security systems are susceptible to hacking, provided cybercriminals are given enough time and resources. It is therefore important to know what the law requires in the event of a security compromise.

The provisions of the Protection of Personal Information Act No. 4 of 2013 (POPI) dealing with security compromises have not yet come into effect but are expected to do so soon.

Once the relevant provisions of POPI come into effect, a person or business that is responsible for personal information (responsible party) will, in the event of a security compromise, have to notify the Information Regulator as well as any parties whose personal information has been accessed or acquired by an unauthorised party.

The notification must, at the very least, contain the following information:

  1. A description of the possible consequences of the security compromise;
  2. A description of the measures taken or proposed to be taken by the responsible party to remedy the security breach;
  3. A recommendation of the measures that any party whose personal information was leaked in the security compromise should take in order to mitigate the possible adverse effects of the security compromise;
  4. The identity of the unauthorised person, if known, who accessed or acquired the personal information.

The Information Regulator may also require the data breach to be publicised.

If the personal information of individuals in the European Union (EU) is affected by a data breach in South Africa, the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, requires the responsible party to notify the supervisory authority in the EU without undue delay, and at the latest within seventy-two hours after having become aware of the security breach.

The notification in this case must:

  1. Describe the nature of the breach;
  2. State the categories and number of persons affected by the breach;
  3. State the contact details of the data protection officer where further information can be obtained;
  4. Describe the likely consequences of the breach; and
  5. Describe the measures taken or proposed to be taken by the Company to remedy the breach, including measures to mitigate its possible adverse effects.

Having regard to the reputational and financial harm associated with a data breach, not to mention the disruption that it can cause to a business’s operations, responsible parties should ensure that they have adequate cybercrime insurance cover as well as a data breach response plan in place. The data breach response plan should form part of a business’s data privacy policy and should cover the aforementioned notification requirements.

It is the responsibility of all responsible parties to ensure that they are ready for the privacy laws which have become pervasive in recent times and therefore it is essential that these parties consult with an attorney who is proficient in data privacy law for assistance.

Written by Mercia Fynn, Director, KISCH IP
