POPI and your data security
15 May 2018
“I have an advisory business serving private and corporate clients. Our client information is stored on a central server in our offices. I have been advised to review our data security due to the growing risk of being hacked and the requirements of POPI to protect the personal information of my clients. What does POPI require of me in this regard?”
The Protection of Personal Information Act 4 of 2013 (“POPI”) aligns South Africa with the international position in respect of information and data protection. Although POPI has not yet fully come into operation, it is only a matter of time before it does.
An important aim of POPI is to protect persons from suffering damage and harm by requiring entities and persons who receive our personal information to protect such information. POPI therefore places an important responsibility on parties who collect, store, use and destroy personal information (“responsible parties”) and provides rights and remedies to persons whose rights have been infringed (“data subjects”).
POPI obliges responsible parties to ensure the integrity and confidentiality of personal information in their possession. Data security is promoted by appropriate and reasonable technical (electronic) and organisational (physical) measures to prevent the loss of, damage to, unauthorised destruction of, unlawful access to and/or the unlawful processing of personal information. It is important to understand that data security is not restricted to personal information that is processed electronically (technical). Even physical records containing personal information of data subjects (organisational) may need to be secured.
Information security breaches in the modern business environment may occur through various means, including theft, deliberate attacks on electronic systems, unauthorised use of personal information of data subjects by an employee, accidental loss or even equipment failure. Although POPI does not specify the technical requirements that must be met, it will be the responsibility of each responsible party to ensure that they have the necessary and appropriate technical and organisational measures in place to protect data.
In the event that a responsible party’s data security safeguards are compromised and unauthorised access to personal information ensues, responsible parties will be required to notify the Information Regulator as well as the affected data subjects as soon as is reasonably possible after the discovery of the compromise. The notice will also have to contain sufficient information for data subjects to adequately protect themselves against any potential consequences of the compromise in data security.
A responsible party will also have to contain the breach, aim to recover any compromised data (if possible), assess the risks associated with the breach, including the potential harm for data subjects, and conduct an investigation into the cause of the breach and the effectiveness of the response thereto.
Responsible parties will therefore carry an extensive burden in terms of POPI in respect of their network and data security. It would be advisable to enlist the help of a technical expert or POPI specialist to review your current data security systems and develop the necessary security plans and procedures for your business.
© 2013, Phatshoane Henney inc., All Rights Reserved