Data Breach Incident Response Plan and Notification

A ‘data breach’ is not per se defined in the Protection of Personal Information Act 4 of 2013 (POPIA), but generally refers to the access or acquisition of personal information by an unauthorised person.

The financial impact of a data breach is unquestionably one of the most immediate consequences, but one should not disregard the reputational damage caused by such an occurrence. Being prepared to respond and notify appropriately not only meets the regulatory requirement but also has the potential to limit consequential damage, both reputational and financial.

What is the purpose of a data breach incident response plan?

A comprehensive incident response plan not only aids in minimising the damage caused by a data breach but also guides the organisation to recover in the shortest possible time. There is no legal requirement to have such a document on hand, but it is invaluable in times of crisis as it ensures that nothing is overlooked.

A data breach incident response plan typically includes some or all of the following, depending on various organisational/industry factors:

  • Possible risks/scenarios related to data breaches;
  • Categories of importance attached to each possible risk/scenario;
  • Activities in response to a compromise;
  • List of people throughout the organisation who should be involved in the event of a breach, and their respective tasks;
  • Schedules for backups and archiving;
  • Third parties to assist in managing an incident, such as your legal team or insurance; and
  • Notification procedures.

Data breach notification

POPIA places an obligation on a responsible party (a person who determines the purpose and means of processing personal information – typically, but not always, the collector of the information) to notify the Information Regulator and the data subject (the person to whom the personal information relates) of a security compromise where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, unless the identity of such data subject cannot be established.

What is the process to notify the Information Regulator and data subjects of a data breach as per section 22 of POPIA?

Step 1: Provide sufficient information in the notification that allows the data subject to take protective measures against the potential consequences of the data breach.

The notification must, at the very least, contain the following information:

  • A description of the possible consequences of the security compromise;
  • A description of the measures taken or proposed to be taken by the responsible party to remedy the security breach;
  • A recommendation of the measures that any party whose personal information was leaked should take in order to mitigate the possible adverse effects of the security compromise;
  • The identity of the unauthorised person who accessed or acquired the personal information, if known.

Step 2: Decide on the method by which to convey the written notification.

The following methods are permitted by section 22:

  • Postal delivery to the data subject’s last known physical or postal address;
  • Sent by e-mail to the data subject’s last known e-mail address;
  • Posted in a prominent place on the website of the responsible party;
  • Published in the news media; or
  • As may be directed by the Regulator.

The Information Regulator may be contacted at:

In conclusion

Other than the legal requirement to notify the Information Regulator and data subjects of such an incident, there may also be contractual obligations with various third parties to meet. The incident response plan integrates all the legal, contractual and organisational obligations and procedures to ensure an efficient recovery.

Although we are approaching the POPIA compliance deadline (1 July 2021), the threat of damages or even the possibility of a fine should not be the driving force for compliance but rather the end goal of having a country which enforces and empowers each person’s right to privacy.

Whilst the main focus of POPI is on compliance, our approach at SERR Synergy is to implement information compliance in such a way that it provides business value to our clients and allows for improvement in efficiencies and effectiveness by meeting the compliance requirements.

About the Author: Monique van der Merwe completed her B.Consumer Science degree at the University of Pretoria. She joined our team in July 2018 and currently holds the title of “Information Compliance Advisor”. She specialises in compliance with the Consumer Protection Act (CPA) as well as POPI and PAIA. This includes compiling legal compliance reports and developing policies along with the other assessment aspects relating to consumer protection legislation. She drafts and submits PAIA manuals to the Human Rights Commission and also compiles and implements Data and Information Protection Reports to identify risks associated with information security in each department of an organisation.
