
Businesses’ pre-cyber breach response will come under scrutiny in POPI
South African businesses need to prepare adequately for a breach of information in advance by auditing and taking stock of the information technology and security systems they use. This needs to be done before the latest amendments to the Protection of Personal Information Act (POPIA) come into effect in June 2021. Nicole Gabryk, Director of Dispute Resolution at ENS Africa, tells the Business Hour that businesses will come under scrutiny from the Information Regulator for both their pre- and post-breach conduct.
According to Gabryk, a data breach is defined widely in section 22 of the POPI Act, as any unauthorised access to and/or acquisition of personal information. She says that once you suspect a breach has taken place, the responsible party needs to report the breach to the Information Regulator's office and to the affected data subjects. The responsible party here is the individual or organisation that controls, and is responsible for, the leaked data.
The Act makes provision for the Information Regulator's office to levy penalties in connection with data breaches, for example for not notifying the Information Regulator and the affected data subjects upon becoming aware of a breach, or for not complying with investigations.
Gabryk cautions that part and parcel of a pre-breach response is ensuring that your business develops an incident response plan and puts an incident response team in place. She encourages businesses to also hold dry runs in preparation for potential breaches.
With regard to post-breach response, Gabryk says businesses need to have a communication strategy in place to ensure that the reputation of the organisation remains protected. Furthermore, businesses should conduct forensic analysis to determine the extent of the breach and inform customers accordingly, so that they too can find ways to safeguard themselves.
She says in closing that, post-breach, businesses should seek legal counsel to chart a way forward.