Page 29 - Q&A 2019/2020

measures will have to be designed and implemented in accordance with the
            nature and practices of each business, the type of personal information they
            process and the potential harm that may emanate from a potential security
            breach. Additionally, any specific industry practices or standards relevant to the
            business should also be taken into account in establishing an appropriate data
            security framework.

            A few examples of physical and technical data security measures that can
            be employed include CCTV cameras, security systems, safes, anti-virus software,
            access control, file and server encryption, firewall software, password policies,
            secure file destruction protocols etc. Here the advice of technical specialists
            will be important to help guide you in the necessary security measures to be
            employed by your business.
            The reality, though, is that despite all measures that can be employed by a
            business, a breach of data security can still occur. It is therefore important that a
            business must have a data security policy which includes an incident response
            plan detailing how the business and employees should deal with a potential
            data security breach. This is vital to address the breach and ensure that the
            impact is mitigated and managed and potentially affected parties informed
            timeously of the breach.
            POPIA also requires that a business, in the event that its data security is
            compromised and unauthorised access to personal information ensues, notify
            the Information Regulator of the breach as soon as reasonably possible
            after discovery of the breach. POPIA also requires that the affected data subject
            (unless their identity cannot be established) must be notified of such data
            security breach where there is reason to believe that the personal information
            of the data subject has been accessed or acquired by any unauthorised
            person. This notice must contain sufficient information for the data subject to
            adequately protect themselves against any potential consequences of the
            compromise in data security.
            To answer your question, once POPIA comes into effect the theft of the laptop
            with personal information thereon could amount to a breach of POPIA given that
            your business would have to have the necessary data security procedures and
            practices in place. In addition, POPIA would require you to disclose the potential
            breach to the Information Regulator as well as to all potentially affected data
            subjects. Additionally, the breach should have been dealt with in accordance
            with the incident response plan of the business to help mitigate the risks of a
            data security breach.
            As should be clear from the above, data security should not be taken lightly
            and a business, small or large, should ensure that it has the necessary
            framework in place and that employees are aware and trained in the data
            security requirements of the business. Given that this is a specialised field, it
            may be advisable to consult with data security specialists to help guide you in
            establishing the correct framework and policies and ensure that your business
            is fully compliant with POPIA.


