You have a data breach…now what?

Data breaches are almost inevitable. So, in addition to working towards preventing data breaches, you should be asking yourself whether your business is ready to respond quickly and effectively when the pawpaw (or POPIA) strikes the fan.

Look at data breaches around the world and you will see that businesses often get into hot water for not being prepared to deal with them. Your response must be swift, must give the affected people the tools to protect themselves and must not open you up to liability (the legal stuff like fines and civil actions). You must also manage the PR fallout. The harm to your reputation is the biggest risk when a breach happens.

So what do you need to do?
#1 Do you have a breach response policy and procedure?
Regulators will often ask for this policy and procedure in order to measure whether you took reasonable steps to prepare for breaches. It is important to have a crystal clear procedure which is documented. It has to set out everything from where and how to report the breach, who should be notified, steps taken to address the fallout and who gets to liaise with the regulator and draft the incident report.
#2 Do your staff know what the breach procedure is?
Training is essential. Too often, businesses have a breach response procedure, but no-one knows what it is. In a crisis situation you want your staff to know what to do without having to think about it. There are many ways to achieve this. Take a look at Compliance Online’s Dawn Raid training. You will be prepared for any regulator who wants to spoil your day.
#3 Use technology!
Our friends at Compliance Online have developed an app which automates your crisis management (whether that crisis is a breach or a visit from a regulator). With the press of a button, the app makes sure that notifications are sent to the right people in your organisation so they can respond quickly and effectively. Contact us for more info.
#4 Use PR people
In-house lawyers are not trained in how to communicate with customers in a crisis. Your communication strategy must be spot on, or you risk throwing oil on the fire. Get experts to help you – it will be money well spent.
We wrote this blog with POPI in mind (we have been dealing with a breach this morning), but obviously this applies to almost any crisis, from floods, to Regulators or even a zombie apocalypse. Be prepared!

About the Author:

Elizabeth de Stadler
Elizabeth is the quirky one in the company. She specialises in all things Consumer Law, plain language drafting and designing and delivering training. She prides herself on being slightly out there and bringing a fresh perspective to compliance issues. She has a Masters (cum laude – the nerd) in Consumer Law. Elizabeth met Paul in 2011 and joined Esselaar Attorneys (she is still a senior associate at the firm). In 2013 they founded Novation Consulting together. Elizabeth is a bit of a nerd. She is the editor of the Consumer Law Review (you can get it here for free!) and wrote A Guide to the Protection of Personal Information Act with Paul. She is also the author of Consumer Law Unlocked, a co-author of the hefty Commentary to the Consumer Protection Act and wrote chapters on the Consumer Protection Act in The Law of Contract in South Africa and The Law of Commerce in South Africa. She is currently working with Liezl van Zyl from the Stellenbosch University Language Centre on Plain language legal drafting, which will be published in 2017. Elizabeth loves Lego, sneakers, zombies and white wine. She hates comic sans font, sweet potato and most other attorneys. She is allergic to suits and ‘office shoes’ because of the years she worked at Webber Wentzel. She is very scared of moths. It is a thing – read about it. Want to find out more about Elizabeth? Check her out on LinkedIn. Better yet, contact her on or (021) 481 8004.