With the high prevalence of cyber incidents and data breaches in today’s data-intensive and technology-enabled business environment, organisations need to be vigilant about the handling of sensitive and confidential data, and, in particular, in the processing of personal information.

By Daniel Pretorius, partner, and John Paul Onges and Songezo Ralarala, senior associates, Bowmans South Africa

As the Information Regulator continues to apply and enforce the Protection of Personal Information Act 2013 (POPIA) across multiple sectors and industries, organisations must be prepared for potential data breaches.

If a breach occurs, having a well-resourced data breach response team (DBRT) and clear reporting protocols is necessary to mitigate exposure to liability, limit reputational damage, and ensure compliance with applicable law.

DBRTs should ideally comprise:

  • Legal and compliance experts to ensure compliance with POPIA and other applicable laws;
  • Information technology and cybersecurity experts to identify, investigate and address the cause(s) of the data breach;
  • Communications, public relations and corporate affairs professionals to manage stakeholder relations and to assist in crafting the required communications and notifications; and
  • Senior management to provide strategic direction, guidance and make decisions.

DBRTs prove highly effective both in coordinating activities within the organisation and in serving as a central point of contact for internal and external stakeholders.

To be effective, a DBRT must have a clearly articulated, easily accessible and well-communicated data incident response plan (DIRP), which should outline:

  • The DBRT’s composition and contact details;
  • Breach detection and reporting procedures;
  • Incident classification and escalation procedures;
  • Containment and eradication strategies;
  • Notification procedures for internal stakeholders;
  • Notification procedures for affected parties and regulatory authorities;
  • Post-incident review and continuous improvement mechanisms; and
  • Regular compulsory training for all staff.

Forming a robust DBRT and developing a tailored DIRP can ensure that organisations are adequately equipped to coordinate responses to cyber incidents and data breaches and to competently address these incidents in compliance with POPIA and applicable law.

Businesses would be well advised not to wait until it is too late, but rather to build their teams and plans without delay. Members of our Data Protection Practice are available to assist in providing POPIA-related advice and with all stages of interactions with the Information Regulator.