Although data breaches are nothing new, the topic has received more attention recently as data protection laws and regulations have become stricter. It is more important than ever that organisations prepare for such an event and have formal procedures and protocols in place to deal with the fallout. Here are some pointers and reminders of aspects to think about.
What is a data breach or security compromise?
The Protection of Personal Information Act (POPIA) does not define the term. The new Cyber Crimes Bill describes types of conduct that would constitute criminal offences. For the purposes of being prepared, however, it should be taken to cover any type of data breach or security compromise, digital or physical, that would expose the organisation to risk.
Apart from the obvious cyber security threats such as hacking, malware and ransomware attacks, we also need to consider other vulnerabilities in the protection of the (personal)...
Many organisations use agencies, consultants and service providers for a range of activities, which in all likelihood include the processing of personal information and/or special personal information. Think of recruitment agencies, IT service providers, security providers, payroll management, marketing agencies and external auditors, to name just a few. For the purposes of POPIA these are third-party operators, and YOU have to ensure that they comply with the Act when they process personal information on your behalf.
The Responsible Party under POPIA is a public or private body or any other person who, alone or in conjunction with others, determines the purpose of and means for the processing of personal information in their possession.
An Operator is the person (or entity) who does the actual processing of personal information on behalf of a responsible party, under a contract or mandate, without being under the direct authority of that party.
The responsibilities, rights and obligations of operators are not the same as those of responsible parties. However, the distinction...
POPIA compliance is complicated. It is not something that can be tackled and completed within a week, or even a few weeks, before the compliance deadline of 1 July 2021. A 'POPI file' filled with templates and completed checklists, sitting on a shelf or in a folder ready for a random inspection, will not cut it. Neither will a generic 'POPI Manual' or policy bought from a service provider. Achieving actual compliance that will withstand court challenges, prosecutions, complaints and regulatory investigations requires a great deal more.
While we are all too aware that POPIA may be the last thing on people's minds when they are struggling for sheer survival in the Covid-19 environment, we do believe there is room for awareness and education on the topic, and for a gradual 'easing in' that lets organisations and individuals become familiar with a POPIA-compliant landscape.
Most of the remaining provisions of the Protection of Personal Information Act came into operation on 1 July 2020.
That means the anticipated 12-month transition period started on 1 July 2020, and the effective date for enforcement (the date by which organisations must be compliant) will be 30 June 2021. Although there will be no sanctions for non-compliance until then, organisations must work towards compliance as soon as possible, and there is a lot to do.
Further communications are expected on practical implications such as the registration of Information Officers.
POPIA applies to all local and foreign organisations processing personal information in South Africa. The Act will affect technology, policies, procedures and compliance frameworks across the business, including ICT, HR and marketing.
What is POPIA?
POPIA is the South African version of the European...