POPIA Update: South African Information Regulator muscles up with Enforcement Committee
In a welcome development on Friday, 12 August 2022, the Information Regulator published a notification template and guidance to facilitate the reporting of security compromises in terms of section 22 of the Protection of Personal Information Act (POPIA).
The new reporting form is effective immediately. In this article, we discuss what a section 22 notification entails, and how this new guidance affects reporting in compliance with POPIA.
Responsible parties are required to notify both data subjects and the Information Regulator as soon as there are reasonable grounds to believe that an unauthorised party has unlawfully accessed or acquired personal information. This is referred to as a ‘data breach’ or a ‘security compromise’, which the Information Regulator is empowered to investigate.
The Information Regulator has published two documents aimed at streamlining the process of notification:
Previously, there was no official guidance on the reporting of security compromises to the Information Regulator. This meant there was little uniformity in approach when responsible parties and their representatives notified the Regulator of a security compromise.
The SCN1 template is a fillable online form which requires specific information to be reported, including:
Responsible parties and their information officers must sign and declare that the notification is true, accurate and correct.
The accompanying Guidelines are helpful in explaining the forms and how organisations should go about completing them.
The process to be followed when reporting a security compromise is as follows:
Clyde & Co’s Cyber team specialises in all aspects of cyber risk, data protection, insurance and claims. Our end-to-end One cyber solution is designed to boost cyber resilience and is built around pre-incident planning, effective incident response and post-incident recovery.
Our Corporate and Regulatory team has extensive experience advising responsible parties and operators on suitable terms for inclusion in agreements, and in advising more broadly on compliance with South Africa’s data privacy legislation.
Please reach out to our team should you require advice on how and when to undertake reporting of a security compromise in compliance with POPIA.