Data breaches: prevention is better than cure

South Africa

Responding to a data breach is a complex and burdensome task. Even if an organisation is well-prepared and responds effectively, the fallout may still result in severe financial, operational and reputational damage. When it comes to data breaches, therefore, an ounce of prevention is worth a pound of cure. Further, under the Protection of Personal Information Act, 2013 (“POPIA”), organisations are legally required to secure the personal information with which they are entrusted.

There are a number of ways in which an organisation can prepare itself in the face of the worrying rise of cyber-attacks in South Africa. Implementing preventative measures may feel like an overwhelming task, but compliance with section 19 of POPIA is a good place to start. Section 19 of POPIA states that a responsible party must take appropriate, reasonable technical and organisational measures to prevent loss of, damage to, unauthorised destruction, unlawful access to or unlawful processing of personal information. POPIA further states that a responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations. This is a helpful framework to use when constructing defences against data breaches.

Risk assessment

Under POPIA, a responsible party must take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control. To comply with this requirement, an organisation may take steps such as conducting a risk assessment and/or audit of its information security practices, the types of personal information it processes and the purposes for which it processes them. This exercise can be a springboard from which to compile both external-facing and internal-facing privacy policies which detail how personal information is, and should be, processed within that organisation. These policies will be helpful reference guides when implementing data protection measures and assessing their effectiveness.

Appropriate Safeguards - Technical Measures

POPIA requires a responsible party to establish and maintain appropriate safeguards against the risks identified. This may include implementing IT security measures such as establishing strong password requirements, setting up a firewall, implementing anti-virus and anti-malware protection, and securing every laptop and mobile device. These safeguards must be appropriate, and it is therefore important for an organisation to assess the extent to which it processes personal information, as discussed above. For example, the safeguards that are appropriate for a small restaurant will not be appropriate for a large hospital, which processes personal information and special personal information on a far larger scale. In addition, from a risk perspective, it is important to put in place measures such as cyber insurance, which may mitigate the financial impact of a data breach on an organisation. Note, however, that insurance transfers financial risk rather than preventing a breach; it complements, but does not replace, the safeguards section 19 requires.

Appropriate Safeguards - Organisational Measures

In addition to technical measures, responsible parties must also take organisational measures to ensure data security and must regularly verify that safeguards are effectively implemented. Because most personal information is processed at an operational level by employees, it is imperative to ensure that employees are well-trained and tested in data security practices on an ongoing basis. Employees can be an organisation’s greatest data protection asset, or its greatest weakness. If you would like to know more about the importance of employee compliance with data protection measures, please read our article.

Ongoing Compliance

Responsible parties must ensure that the safeguards discussed above are continually updated in response to new risks or to deficiencies identified in previously implemented safeguards. For example, security measures put in place before COVID-19 and the introduction of remote and hybrid working may no longer be sufficient to protect the personal information processed by an organisation. Ensuring that data protection measures are both effective and POPIA-compliant is therefore not a once-off obligation but an ongoing one.

Security Measures of Operators

Even where an organisation (the responsible party) employs third parties (“operators”, under POPIA) to process personal information on its behalf (for example, a business using an external payroll provider), the security of that personal information remains the ultimate responsibility of the responsible party. Section 21 of POPIA stipulates that a responsible party must, in terms of a written contract with the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures required in terms of section 19 of POPIA. Section 21 also requires the operator to notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. It is, therefore, important for a responsible party to put in place data protection agreements with any third party which processes personal information on its behalf, covering both the required security measures and breach notification, to ensure compliance with POPIA.

With a number of high-profile data breaches making headlines in South Africa, it is clear that data breaches are a real threat and organisations cannot afford to rest on their laurels. It is far preferable for an organisation to prevent, rather than respond to, a data breach. Addressing data security in an organisation can feel overwhelming, but ensuring compliance with section 19 of POPIA is a good place to start.

Should you, however, require more information on what may be required when faced with a data breach, read our article or feel free to contact us directly.

Takeaways:

  • It is better to prevent, than respond to, a data breach.

  • Compliance with section 19 of POPIA is a good place to start when implementing data security measures.

  • Organisations must conduct risk assessments to identify all reasonably foreseeable internal and external risks to personal information in their possession, and to gauge what appropriate, reasonable technical and organisational measures they should implement.

  • Technical and organisational measures must be reviewed and updated on an ongoing basis.

  • Even where third parties process personal information for an organisation, the security of that personal information remains the ultimate responsibility of that organisation.

  • Contact us if you require advice on your organisation’s compliance with section 19 of POPIA.