Data breaches in terms of POPIA, what you need to know

POPIA

The Protection of Personal Information Act 4 of 2013 (“POPIA”) requires all businesses to secure the integrity and confidentiality of personal information in their possession. It is important to remember that POPIA is in effect from 1 July 2020, with the exception of certain provisions coming into force on 30 June 2021, and that businesses have until 1 July 2021 to become POPIA compliant.

POPIA focusses on the processing of personal information, and sets new rules for regulating this. Since POPIA requires businesses to secure the integrity and confidentiality of personal information in their possession, a data breach does fall within the ambit of the legal framework established by POPIA and businesses have certain obligations in this regard.

POPIA does not define data breaches, but it is clear that a data breach has occurred when there are reasonable grounds to believe that any unauthorised person has accessed or acquired personal information under the control of a business, or if data has been intentionally or accidentally lost, shared or destroyed. Data breaches may occur in different ways, including but not limited to hacking, theft, accidental loss and unauthorised use of personal information. Remember that a data breach can take place through either physical or electronic means. This means that the theft of a laptop that potentially contains personal information of your clients will constitute a data breach in terms of POPIA.

In the event that a data breach occurs, POPIA requires that businesses inform the Information Regulator, as well as the person or persons whose data has been compromised. Businesses must also conduct their own investigations in order to determine the nature and scope of the breach and the potential impact thereof, as well as take steps to mitigate any adverse consequences.

This notification must be confirmed in writing and should contain sufficient information to allow data subjects to take protective measures against the potential adverse consequences flowing from the data breach. Such notification must include the possible consequences of the data breach, a description of the measures which the business (as the responsible party) has taken or intends to take to address the data breach, recommendations for the measures which the data subject can take to mitigate possible effects of the data breach, and the identity of the person who gained unauthorised access (if known). The notice must be communicated to the data subject concerned. In your situation, therefore, your business is required to consider its options to limit the potential adverse consequences of the breach. Should you be able to remotely wipe the laptop, track it or enable encryption, such options should be considered.

You will also be required to inform all the data subjects whose data has been compromised, as well as the Information Regulator, as soon as reasonably possible after you become aware of the data breach. If your business does not yet have a policy in place that deals with data breaches, it may be advisable to enlist the help of a POPIA or data security specialist to help you put in place the correct processes and procedures to both protect against and deal with any potential future data breaches.