Legal advisory services for smart business

Incident Response Plans
The Protection of Personal Information Act (the POPI Act) sets out notification obligations in section 22: where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and, unless their identity cannot be established, the affected data subjects, as soon as reasonably possible after discovering the compromise. What the POPI Act does not stipulate is what should be done in the first hours following the discovery of the incident.


My suggestion is to establish an incident response plan in advance, with its rules written into the service contracts with third party service providers (the operators, in POPI Act terms) and into corporate information security policies. The plan should be triggered immediately on discovery of the breach, not once the notification deadline is already in sight.


The responsible party and the service provider must notify each other first and then set up the incident response team. Its purpose is to co-ordinate three streams of activity: the investigation into the cause of the incident, the remediation, and the responses to those affected. These efforts also shape the content of the communication intended for the affected data subjects, for the entire customer base or for the public at large. Once the incident is contained and the notifications made, the incident response team should be dissolved.


An incident response team would consist of decision makers: the Information Officer, the IT, operations, PR, legal and HR executives, and the relevant third party providers. Meetings must be scheduled and minuted. Investigators should be appointed and should provide regular reports. Selected staff should handle all engagement with the Information Regulator and with the media. Communication with the authorities, department heads and stakeholders (such as head office or the parent company) should be co-ordinated through the team rather than conducted ad hoc.


This is one way to manage the practicalities of a data breach while also preserving relationships and reputations.