POPIA compliance

The importance of breach protocols and procedures

By Anola Naidoo (Associate at KISCH IP - commercial department)

Cyber-attacks, ransomware and data breaches are becoming increasingly frequent and a threat to the day-to-day operations of a business. The recent data leak by Experian has highlighted the need for robust cyber security systems, particularly when sensitive personal information such as banking information is held by a business.

The breach has emphasised the need for the Protection of Personal Information Act No. 4 of 2013 (POPIA) to foster an atmosphere of compliance when dealing with consumer information, especially where businesses are processing Big Data unbeknownst to the consumer.

The Experian data breach has further highlighted how consumers should know who is in possession of their personal information. When news first broke about the breach, many consumers were unaware of the consequences, until their respective financial institutions started releasing SMSs and statements, assuring consumers that they were taking every precaution necessary to secure their personal information. It was at this point that consumers began to realise that their trusted financial institution had provided a third party with their personal information. While many security measures are undertaken by financial institutions, the security of the third party, if not monitored, could lead to back-door access to the financial institutions’ information.

Condition 7 of POPIA, which businesses must comply with by the 1st of July 2021, deals with security compromises. It states that a person or business that is responsible for personal information (responsible party) will, in the event of a security compromise, have to notify the Information Regulator as well as any parties whose personal information has been accessed or acquired by an unauthorised party.

The notification must, at the very least, contain the following information:

  1. A description of the possible consequences of the security compromise;
  2. A description of the measures taken or proposed by the responsible party to remedy the security breach;
  3. A recommendation of the measures that any party whose personal information was leaked in the security compromise should take in order to mitigate the possible adverse effects of the security compromise;
  4. The identity of the unauthorised person, if known, who accessed or acquired the personal information.

The Information Regulator may also require the data breach to be publicised. Having regard to the reputational and financial harm associated with a data breach, not to mention the disruption that it can cause to a business’s operations, responsible parties should ensure that they have adequate cybercrime insurance cover as well as a data breach response plan in place.

The data breach response plan should be clear and readily available for implementation immediately on becoming aware of a potential incident and form part of a business’s data privacy policy, covering the aforementioned notification requirements, periodic risk assessment protocols and mitigation strategies.

In line with data subject participation, it is imperative that data subjects are aware of their right to question the responsible party as to what personal information is being processed and the identities of the third parties to whom it is being disclosed. You have the right to object to this disclosure and can place an obligation on the responsible party to update any of your personal information or to destroy your personal information if you are no longer using their services.

It is the responsibility of all responsible parties to ensure that they are ready for the privacy laws which have become pervasive in recent times, and it is therefore essential that such parties consult with an attorney who is proficient in data privacy law for assistance in this regard.

Should you require any further information or assistance in preparing your POPIA incident protocols and policies or have any further questions, then please do not hesitate to contact our data protection department at merciaf@kisch-ip.com or anolan@kisch-ip.com.