When you look at data breaches around the world, and now in our own back yard, businesses often find themselves in hot water for not being prepared to deal with the breach. Your response to a breach:
- must be swift,
- must give the affected people the tools to protect themselves, and
- must not open you up to liability (the legal stuff like fines and civil actions).
You must manage the PR fallout. The harm to your reputation is the biggest risk when a breach happens.
POPIA says that the responsible party must notify the Information Regulator and the affected data subjects (those whose personal information (PI) was accessed) as soon as reasonably possible if there are reasonable grounds to believe that there has been unauthorised access to PI.
This is what should be in the notice:
- a description of the possible consequences of the breach
- a description of the measures that you have taken or intend to take to address the breach
- a recommendation relating to the steps that data subjects should take to protect themselves
- the identity of the unauthorised party who may have accessed the PI