What do you know...and what can you do with it? [Part 3]


An article series exploring data protection laws in South Africa and the EU.

This is the third in a three-part series of articles discussing GDPR, POPIA regulation and compliance as relevant to data privacy and protection, and the management of data breaches.

Notification of Data Breaches

Where a data breach has occurred, POPIA requires that, within a reasonable time after the breach occurred, the operator must notify the responsible party, and the responsible party must in turn notify the Information Regulator and the data subject whose personal information has been unlawfully accessed. POPIA does not prescribe a time period within which a responsible party must notify the Information Regulator. It simply states that the notification must be made as soon as reasonably possible after the discovery of the compromise. The only instance in which notification of the data subject may be delayed is where a public body responsible for the prevention, detection or investigation of offences, or the Regulator, determines that notification will impede a criminal investigation.

Section 22(4) states that the notification must be in writing and communicated to the data subject in one of various ways, or as directed by the Information Regulator. It is therefore recommended to include in the mandate a prescribed timeframe within which the responsible party must be notified of the breach, in order to mitigate the risk of further compromise of the data subject’s personal information.

Under the GDPR, the controller must notify the supervisory authority that has jurisdiction in the territory where the controller or processor concerned, or any data subjects affected, are located, within 72 hours of the data breach if there is a risk to a data subject’s rights and freedoms. POPIA, on the other hand, states that the Information Regulator must be notified of all data breaches regardless of whether or not there is a high risk to a data subject’s rights and freedoms, unless the data subject cannot be identified.

Appointment of Information Officer

As stated above, POPIA stipulates that each responsible party must appoint an information officer. Article 27 of the GDPR states that both the controller and the processor must appoint a representative within the territory of the EEA. Whilst POPIA does not state that an operator must appoint an information officer, it would be advisable to identify an information officer for each of the parties in the mandate.

Processors and Operators

Under both the GDPR and POPIA, controllers or responsible parties (as applicable) are obliged to ensure that the processors and operators whom they engage to process data or personal information undertake, as a term of the contracts between them, to maintain the integrity and confidentiality of the information that they process. In addition, processors and operators are required to ensure that the individual employees processing the data are subject to a duty of confidence.

The GDPR imposes further obligations on processors before engaging subcontractors, such as requiring the controller’s prior consent. This is not mandatory under POPIA. Both POPIA and GDPR prohibit the retention of information after the purpose for which it was initially collected or subsequently processed no longer exists.

In terms of section 21 of POPIA, there is an obligation on the responsible party to enter into a written contract with the operator, and the responsible party must ensure that the operator which processes personal information on its behalf establishes and maintains the security measures referred to in section 19. This entails securing the integrity and confidentiality of personal information in its possession. The operator must also take measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

Similarly, Article 28 of the GDPR states that processing by a processor must be governed by a contract or other legal act under Union or Member State law. The contract shall be binding and set out, among other things, the subject-matter and duration of the processing, the nature and purpose of the processing, and the type of personal data. Article 28(3)(a)-(e) goes on to stipulate that the contract must specifically include the following mandatory provisions:

  • personal data is processed only on documented instructions from the controller, including with regard to transfers of personal data to a third country or international organisations, unless the processor is required to do so by Union or Member State law to which it is subject; in such cases the processor is still obliged to inform the controller of that legal requirement before processing;

  • persons authorised to process personal data have provided a confidentiality undertaking or are subject to a statutory duty of confidentiality;

  • there is a duty on the operator/processor to implement reasonable technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing;

  • the processor respects the conditions imposed for engaging another processor; and

  • the processor assists the controller to comply with its obligations in respect of security of processing, notification of data breaches and assessments of the impact of measures taken to protect data security.

Recommended Practices

Anyone conducting, or responsible for, the processing of data falling within the scope of the GDPR should consider introducing a number of new measures to ensure that existing policies, processes and procedures are compliant with the legislation. The recommended measures include the following:

  • a system to enable the controller to carry out privacy impact assessments when undertaking new data processing tasks;

  • implementing mechanisms that allow data subjects to effectively exercise rights e.g. their right to object to processing for direct marketing purposes;

  • considering whether the controller (and processor where applicable) is under an obligation to appoint a data protection officer under the GDPR;

  • establishing and maintaining appropriate technical and organisational measures to implement data protection principles effectively;

  • where profiling is involved, ensuring that data subjects have access to meaningful information about the logic involved and the significance and envisaged consequences of such processing for data subjects;

  • implementing a framework that will allow the reporting of a data breach to the relevant authority within 72 hours of becoming aware of the data breach;

  • specifying notification requirements in the event of a data breach;

  • restricting the transfer and storage of personal information, and making provision for the deletion or return of personal data on termination of the contract; and

  • ensuring that the agreements between the controller and any processors it appoints comply with the requirements of Article 28.

Conclusion

Only a few sections of POPIA have come into effect as yet. These are of little relevance to the conduct of private individuals and entities, being the sections that create the office of the Information Regulator and the administrative infrastructure for the implementation and enforcement of POPIA. The sections that create compliance requirements for private individuals and entities are to commence on a future date, which has yet to be proclaimed.

Once the commencement date for these sections has been proclaimed, POPIA provides for a 12-month grace period for affected parties to gear themselves up for compliance. The Regulator is, however, encouraging persons and businesses that process personal information to prepare themselves in advance for the implementation of the substantive provisions of POPIA. It is therefore advisable that all business entities that collect and make use of the personal information of any persons, for any purpose, be aware of the requirements and put measures in place to comply with them.

You can also read the first and second parts of this article series on our Insights blog.