MTN MoMo Launches Additional Services To Help SA During Challenging Times

MTN’s Mobile Money solution, MoMo, has launched some new functionalities aimed at assisting South Africans during challenging economic times. These include the new food...

Latest Posts

SA’s Digital Heritage: Keeping Us Globally Relevant

South Africa’s heritage is not just physical. It is intimately part of the digital world. Digital connectively can enhance the value of that heritage,...

How is Huawei Powering Digital Inclusion with Technology in Africa?

Huawei believes that no one should be left behind in the digital world, so the Chinese telecoms giant developed TECH4ALL. TECH4ALL is a long-term, digital...

Uber Eats Releases South Africa’s Most Loved Traditional Orders

The term local is lekker always rings true in a country as diverse as South Africa, where one is always guaranteed a taste extravaganza....

2021 BMW M3 Competition Sedan and M4 Competition Coupe Revealed

BMW has finally revealed its new M3 and M4 Coupe models that are likely to launch locally towards the middle of 2021. South Africans are...

The Notification of Data Breaches in SA Will Soon be Required by Law 

By Darryl Bernstein, partner in Baker McKenzie’s Disputes and ITC Practice Groups in Johannesburg

According to the Gemalto Breach Level Index, released in March 2017, South Africa experienced nine reported security breaches in 2016. Across Africa, 45.2 million records were stolen in 2016, compared with 38.5 million in 2015. Africa had 17 data breaches in total, compared with six in 2015.

It was not the rise in security breaches that caused the most alarm, however. Gemalto noted in the survey that the delay in disclosing or identifying security breaches was the most concerning factor. In March 2017 Ster-Kinekor in South Africa announced that its website had been hacked a year prior, in 2016 exposing personal information in over 6-million accounts.

Legislation around data protection and privacy in South Africa is currently awaiting implementation. The Protection of Personal Information Act, 2013 (POPIA) was enacted in 2013. Once implemented, it is expected to change the way businesses approach the protection of customer and employee data and how they will have to report on data security breaches.

POPIA seeks to bring South Africa in line with international data protection laws by regulating the processing of the information of natural and juristic persons and placing more onerous obligations on “responsible parties” that process such information. However, only certain sections of the Act have commenced. These sections relate specifically to the establishment of the Information Regulator, who was appointed in December 2016.

The enactment of the Act itself, largely based on similar EU data protection legislation, is the most significant development in the South African privacy landscape. The timeline for the commencement of the entire Act is, however, still unclear. Given the limited transitional period of one year provided for compliance, coupled with potentially severe penalties, businesses in South Africa have already commenced implementing initiatives to comply with the prescriptive principles under the Act.

The notification of security compromises is governed by POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party will have to notify the Information Regulator, as well as the data subject, unless that person’s identify cannot be established.

The notification will have to be made as soon as reasonably possible after the discovery of the compromise, considering the needs of law enforcement or any measures necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines it will impede a criminal investigation.

The notification must be in writing and must be communicated either via email or posted to the data subject’s last known address. The notification could also be placed in a prominent position on the website of the responsible party, published in the media; or as directed by the Information Regulator.

The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. This includes providing a description of the possible consequences of the data breach and how they will affect the data subject.

It should also include a description of the measures taken by the responsible party intends to address the security breach, as well as a recommendation on what measures the data subject should take to mitigate the possible adverse effects of the breach. If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject.

In addition, the Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the she has reasonable grounds to believe that such publicity would protect a data subject affected by the compromise.

An organisation that is involved in a data breach situation may also be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions.

In addition, the revised Cybercrimes and Cybersecurity Bill, which was tabled in the South African National Assembly in February 2017 notes the further obligations of electronic communications service providers and financial institutions when they become aware that their computer systems have involved in a cyber security breach as defined by the Bill. They must, according to the Bill, report such offences to the South African Police Service and preserve any information which may be of assistance in the investigation. Non-compliance with the clause is a criminal offence.

Whether or not compulsory reporting of this nature is a good thing is certainly up for debate. One thing is certain however, in a world where security breaches are a matter of when, not if, the treatment and security of personal information ought to be a matter of top priority for all institutions.

Bernstein and his team recently contributed the South African chapter of the Baker McKenzie Global Privacy Handbook 2017 which outlines privacy and information protection legislation in 58 jurisdictions around the world. More information on the protection of personal information and the processes involved can be found in this guide.

Latest Posts

SA’s Digital Heritage: Keeping Us Globally Relevant

South Africa’s heritage is not just physical. It is intimately part of the digital world. Digital connectively can enhance the value of that heritage,...

How is Huawei Powering Digital Inclusion with Technology in Africa?

Huawei believes that no one should be left behind in the digital world, so the Chinese telecoms giant developed TECH4ALL. TECH4ALL is a long-term, digital...

Uber Eats Releases South Africa’s Most Loved Traditional Orders

The term local is lekker always rings true in a country as diverse as South Africa, where one is always guaranteed a taste extravaganza....

2021 BMW M3 Competition Sedan and M4 Competition Coupe Revealed

BMW has finally revealed its new M3 and M4 Coupe models that are likely to launch locally towards the middle of 2021. South Africans are...

Don't Miss

Avon Disrupts the Norms to Create Addictive, Rebellious & Fierce “Far Away Rebel & Diva”

Avon breaks all the rules with Far Away Rebel & Diva. The new launch is the next step in the glamorous bold journey of...

Investec Says Union Must Seek Answers For Phantom Shares from Cell C

Investec has told the Information Communication Technology Union (ICTU) to direct its questions about the Believe Phantom Option Share Scheme for Cell C workers to the...

Union Asks If Blue Label Telecoms Is Using Cell C as a ‘Piggy Bank’

The Information Communication Technology Union (ICTU) wants Blue Label Telecoms to explain how the JSE-listed company can zero rate its stake in Cell C...

Workers at Cell C Want Investec to Explain ‘Sudden Devaluing’ of their Share Scheme

The Information Communication Technology Union (ICTU) has asked Investec to explain the ‘devaluing’ of the "Believe Phantom Option Shares Scheme (Believe Share Scheme)" awarded to Cell...

Spotify’s Discover Weekly Playlists Now Sponsored by Telkom South Africa

Global streaming service Spotify is announcing Telkom South Africa as the first local sponsor of the Discover Weekly playlists for South African users. These sponsorship...

Stay in touch

To be updated with all the latest news, offers and special announcements.