The official implementation of the Protection of Personal Information Act (POPIA) is set to cause a massive shake-up in the relationship between companies and their customers, as South African businesses will soon be legally obligated to give notice of a data breach.
This is according to Darryl Bernstein, a partner at Baker McKenzie, and follows the release of the Gemalto Breach Level Index in March 2017 which found that South Africa experienced nine major reported security breaches in 2016.
The report also found that 45.2 million records were stolen in 2016 across Africa, compared with 38.5 million in 2015 and that the continent had 17 data breaches in total over the past year – compared to just six in 2015.
However, it was not the rise in security breaches that caused the most alarm, said Bernstein.
“Gemalto noted in the survey that the delay in disclosing or identifying security breaches was the most concerning factor.”
He highlighted how slow Ster-Kinekor had been in announcing that its website had been hacked, after it made a public apology in March 2017 – a year after exposing personal information in over six million accounts.
“The enactment of the Act itself, largely based on similar EU data protection legislation, is the most significant development in the South African privacy landscape,” said Bernstein.
“The notification of security compromises is governed by POPIA; where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party will have to notify the Information Regulator, as well as the data subject, unless that person’s identity cannot be established.”
How will they notify?
According to Bernstein the notification will have to be made as soon as reasonably possible after the discovery of the compromise. It will also have to consider the needs of law enforcement or any measures necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
“The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines it will impede a criminal investigation,” said Bernstein.
- The notification itself must be in writing and must be communicated either via email or posted to the data subject’s last known address.
- Alternatively, the notification could also be placed in a prominent position on the website of the responsible party, published in the media; or as directed by the Information Regulator.
- The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise.
- It should also include a description of the measures the responsible party has taken or intends to take to address the security breach, as well as a recommendation on what measures the data subject should take to mitigate the possible adverse effects of the breach.
- If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject.
“An organisation that is involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions,” said Bernstein.
“Whether or not compulsory reporting of this nature is a good thing is certainly up for debate. One thing is certain however, in a world where security breaches are a matter of when, not if, the treatment and security of personal information ought to be a matter of top priority for all institutions.”