Data Breaches are no longer something seen only on TV or in movies but something that has become an unavoidable occurrence. It’s not about if you’ll be hacked, but rather when. The Protection of Personal Information Act 3 of 2013 (“POPI”) regulates all aspects surrounding personal data and the processing thereof in South Africa and is therefore the go to piece of law when discussing data breaches.
But what do most of us understand about data breaches and what the law requires responsible parties (the term used under POPI for those responsible for the processing of personal data) to do in these circumstances?
In this blog we hope to briefly unpack data breaches or security compromises as they are known under POPI, and what responsible parties are required to do in the instance where they find themselves hacked.
Responsibility to Secure Data
Under section 19 of POPI, responsible parties are required to secure the integrity and confidentiality of all personal information in their possession by taking “appropriate, reasonable technical and organisational measures” to prevent the loss or damage to personal information and any unlawful access to or processing of personal information.
Under section 19, responsible parties are required to:
- identity all foreseeable internal and external risks to the personal information they possess;
- establish and maintain safeguards against the risk which they identify;
- regularly verify that their safeguards are being implemented effectively; and
- continuously update the safeguards in response to new risks or deficiencies identified.
What To Do Once There Has Been a Security Compromise?
The first step is to try not to panic. Second step is to understand whether the security compromise is one which triggers POPI.
Under POPI, only where there is reasonable ground to believe that the personal information of a data subject (that’s us!) has been accessed or acquired by any unauthorised person, is there is a duty on the responsible party to notify the Information Regulator and the affected data subjects.
The definition under POPI of security compromise is quite broad and means that whether 1 data subject’s information was comprised or 50 000 data subjects, both instances require the Information Regulator to be notified.
A responsible party must notify the information regulator as well as affected data subjects, as soon as reasonably possible after they discover a security compromise. But how soon is reasonably possible? When we consider other legislation with similar reporting requirements it appears that a reasonable period is around 72 hours after the compromise.
Section 22 of POPI requires that the notification to data subjects to must provide “sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise”, which includes:
- a description of the possible consequences of the security compromise;
- a description of the measures that the responsible party intends to take or has taken to address the security compromise;
- a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
Depending on the nature and severity of a data breach, the Information Regular may require that a responsible party publish the notice of the data breach where the Information Regulator feels that this would protect a data subject who has been affected.
What Happens If a Responsible Party Does Not Comply?
A responsible party who fails to comply with the requirements under section 22 of POPI may trigger an investigation by the Information Regulator into the responsible party’s conduct. The investigation by the Information Regulator may result in an enforcement notice. Once an enforcement notice has been received, it must be complied with, or it may be appealed. Non-compliance with an enforcement notice is an offence under POPI subject to a fine or criminal investigation.
Responsible parties should ensure they have put in place data breach processes and procedures to keep them well prepared and ready for when a data breach comes barging in.
Although data breaches are no one’s fault, it is a responsible party’s duty to put the best measures it can in place to ward off any unauthorised access. You’ll never know when a data breach is about to strike so being overly prepared is never a bad thing. Responsible parties should also keep on top of their breach procedures to ensure they understand what is required of them under POPI in the event of a breach and the appropriate processes are followed without any undue delay.
– Lauren van der Byl
Have any questions? Drop us a message below and we’ll be in touch!