https://www.engineeringnews.co.za

Appropriate data protection fundamental in South African cybersecurity laws

20th November 2019

By: Schalk Burger

Creamer Media Senior Deputy Editor

     


Reasonable and appropriate technical and organisational measures to protect personal information are fundamental to complying with South African information privacy laws, notwithstanding the impossibility of completely preventing cybersecurity breaches, law firm Herbert Smith Freehills cybersecurity and privacy consultant Rohan Isaacs said on Wednesday.

The Protection of Personal Information (PoPI) Act stipulates that organisations that process and/or store customers’ personal information must take appropriate steps to protect that information.

Whether these measures were in place in the event of data loss or a leak would be central to the liability of the organisation, including fines.

However, organisations must also consider the sensitivity of the information in question because PoPI does distinguish between personal information and special personal information, which includes health, social, religious, sexual and political information, to which more restrictive obligations apply.

While there are no separate penalties stipulated for the loss of special personal information, PoPI does limit the grounds on which this information must be captured, processed, stored and shared as compared with ordinary personal information.

South Africa was lagging behind developed countries and developing peers and had to implement PoPI to keep up, he added.

The rapid pace of development and adoption of connected technologies is dramatically increasing the complexity of the environment.

This means that breaches cannot be completely prevented, but companies must take steps to protect data. Organisational measures to facilitate protection of personal information, such as cybersecurity training and awareness drives among staff, are part of the appropriate measures organisations should take to protect personal information.

New threats are continuously developed and new attack vectors used, making it impossible for any company, and any cybersecurity service providers, to guarantee that no breach or leak will occur, explained Isaacs.

There is also increasing demand for cybersecurity insurance. In most cases, the insurance covers losses suffered as a result of data breaches and provides first-response assistance in the event of a data breach. This includes forensic information technology services, preliminary legal advice and public relations advice.

“When a cybersecurity breach and data loss occurs, the manner in which organisations communicate details of a breach or data loss with affected parties becomes very important,” he said.

Companies that are transparent with clients and business partners about the incident and their efforts to contain and mitigate the impacts tend to limit the reputational impacts most effectively, he illustrated.

Further, information and its appropriate protection vary by industry and company, which must be considered when determining whether reasonable and appropriate measures are in place to protect data.

Meanwhile, policing cybercrime is difficult and the nature of cybercrimes – anonymous and borderless – necessitates a collaborative and international approach.

There is some capacity in South Africa, such as under the cybercrime unit of the Directorate of Priority Crime Investigation, as well as in private sector organisations and industry bodies, to detect and investigate cybercrimes.

The latest version of the Cybercrimes Bill, which was adopted in November 2018 but has not yet been passed by the National Council of Provinces, includes clauses for requesting and/or sharing information with foreign States in compliance with the International Cooperation in Criminal Matters Act, as well as clauses that allow for South African courts to have limited extraterritorial jurisdiction where offences are committed outside of South Africa.

The Cybercrimes Bill also states that information and communications service providers and financial institutions that become aware that one of their computer systems was involved in a cybercrime must report the offence to the police within 72 hours and preserve any evidence related to the offence.

Edited by Chanel de Bruyn
Creamer Media Senior Deputy Editor Online
