Data security a vital consideration

2019-03-20 06:00


I am the owner of a small advisory firm.

One of my employees left his laptop in the car and it was stolen out of his car. I hear that the IT guys forgot to have encryption activated on his laptop. With client information on the laptop I am worried about whether I could be in breach of POPIA. Am I?


With a constantly increasing amount of personal and sensitive client data being captured and maintained by businesses, it has become an imperative for all businesses to have the necessary data security frameworks in place.

To help regulate such frameworks, the Protection of Personal Information Act 4 of 2013 (“POPIA”) has been promulgated. Although not fully in operation yet, it already plays a vital guiding role for businesses.

POPIA also provides for the rights and remedies of persons whose rights have been infringed in terms of POPIA and therefore obliges parties dealing with personal information to take care in handling such information and protect the public against the incorrect and unauthorised access and use of their personal information.

The obligation on businesses to ensure the security and integrity of personal information is one of the most important principles for the lawful processing of data in terms of POPIA, since security failures and breaches have the potential for data subjects to suffer significant harm.

POPIA requires that for data security businesses must implement appropriate and reasonable technical and organisational measures to prevent the loss of, damage to, unauthorised destruction of, unlawful access to or the unlawful processing of personal information.

This is quite a mouthful.

What it boils down to is, a business must take into account generally accepted data security practices and procedures that can be put in place including such practices as may be required by or be standard for the industry in which it operates.

This means that there is not a standard set of data security rules that can be selected, but rather that the appropriate data security measures will have to be designed and implemented in accordance with the nature and practices of each business, the type of personal information they process and the potential harm that may emanate from a potential security breach.

Any specific industry practices or standards relevant to the business should also be taken into account in establishing an appropriate data security framework.

The reality is that despite all measures that can be employed by a business a breach of data security can still occur. It is important that a business must have a data security policy which includes an incident response plan detailing how the business and employees should deal with a potential data security breach.

This is vital to address the breach and ensure that the impact is mitigated and managed and potentially affected parties informed timeously of the breach.

To answer your question, once POPIA comes into effect the theft of the laptop with personal information thereon could amount to a breach of POPIA given that your business would have to have the necessary data security procedures and practices in place.

In addition, POPIA would require you to disclose the potential breach to the Information Regulator as well as to all potentially affected data subjects. Additionally, the breach should have been dealt with in accordance with the incident response plan of the business to help mitigate the risks of a data security breach.

– Juanita van Zyl, senior associate, Phatshoane Henney Attorneys


Join the conversation! encourages commentary submitted via MyNews24. Contributions of 200 words or more will be considered for publication.

We reserve editorial discretion to decide what will be published.
Read our comments policy for guidelines on contributions.

Inside News24

Traffic Alerts
There are new stories on the homepage. Click here to see them.


Create Profile

Creating your profile will enable you to submit photos and stories to get published on News24.

Please provide a username for your profile page:

This username must be unique, cannot be edited and will be used in the URL to your profile page across the entire network.


Location Settings

News24 allows you to edit the display of certain components based on a location. If you wish to personalise the page based on your preferences, please select a location for each component and click "Submit" in order for the changes to take affect.

Facebook Sign-In

Hi News addict,

Join the News24 Community to be involved in breaking the news.

Log in with Facebook to comment and personalise news, weather and listings.