Do I need to report a data breach?
According to the POPI Act, an organisation that gathers personal information about others is required to report any data leak or breach in security in a timely manner.
In other words, once you are aware of the data breach, you should waste no time in informing the Information Regulator and providing as much information as you can so that the organisation has a clear picture of:
- exactly what kind of data was leaked
- when it happened
- who was affected
When do I need to report a data breach?
The number of data breaches affecting South African companies almost doubled over the past year, making it more likely than ever that your business may be affected by one.
For company owners and managers, dealing with the damaging effects of compromised data or a ransomware attack can be extremely stressful – and there’s also a further requirement that any compromised personal information needs to be reported to the authorities.
The POPI (Protection of Personal Information) Act places a strong duty on organisations that collect customers’ personal data to report data leaks in a timely manner. To help our customers comply with the regulations, let’s take a look at the POPI regulations and the responsibility of data-collecting entities in more detail.
Reporting data leaks is your legal obligation
As a business operating in South Africa, you are obliged to abide by the terms of the POPI Act. One of the regulations that companies need to follow is reporting data leaks to the Information Regulator of South Africa, a body which monitors and enforces POPI compliance.
Here’s what the law has to say about companies’ obligations to report compromised personal information:
- In terms of section 22 of the POPI Act, if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party (your business) must notify the Information Regulator and the data subject (the victim of a data leak) and provide a comprehensive notification of the type of breach.
In other words, if you think a data leak or breach has occurred, you need to let the Information Regulator of South Africa know about the incident in detail – without delay.
Covering yourself: the benefits of complying with the POPI Act
Reporting incidents when the personal information of your client base has been compromised in a data leak is a legal obligation that will help keep your business on the right side of the law.
It’s also an action that could help you legally if one of the people whose information was leaked decides to take action against you in a civil case.
While the information in this article is a general overview of the law, we are not in the business of dispensing legal advice. When a data leak occurs, it’s essential to consult a lawyer who specialises in cybersecurity cases so that you follow a strategy that’s legally sound.
Protect your business and customer data with secure cloud storage
There’s no doubt that complying with the POPI Act is a legal requirement, but it can also be a very stressful and time-consuming process. To reduce the risk of a cyberattack and the need to report compromised personal data, it’s essential to secure your company’s information using encrypted, cloud-based storage. To discover a package that’s right for your business, browse our service offerings today.