Organisations in Africa that are processing the personal information of data subjects from within the European Union (EU) should already have effective General Data Protection Regulation (GDPR) compliance procedures in place, including Data Breach Security Checklists, impact assessments and subject data requests procedures.
This due diligence is not only required by the GDPR regulation but can significantly reduce the risks associated with security breaches, raise awareness of the GDPR and ensure that companies have appropriate technical and organisational measures in place to comply with the legislation. These GDPR compliance procedures were recently discussed at event hosted by Baker McKenzie and Cognia Law in Johannesburg.
Darryl Bernstein, Head of the Technology, Media and Telecommunications Practice Group at Baker McKenzie in Johannesburg said that it was essential for organisations to have a General Data Protection Regulation (GDPR) Data Security Breach Checklist in place to assess the risks of a data security breach and to implement a plan to contain and manage any data breaches.
Bernstein noted that the first step on any organisation’s GDPR Data Security Breach Checklist should be to assess the risks associated with a data security breach. “It is essential to know whose data might have been disclosed, what type of data has been breached and if it contains sensitive information. Affected organisations should also asses the volume of data disclosed and if any of the data has been lost or damaged. The cause of the breach and where in the world the breach occurred must also be investigated,” he said.
Bernstein explained that step two on the Checklist should be to contain the breach and recover the data. “Organisations who have fallen victim to a data breach must establish who will investigate the breach, who will assist with the containment of the breach and/or the recovery of information and if action should also be taken to prevent the breach from recurring. This is also the time to inform the police, if appropriate to do so.”
During step three, organisations must notify all data subjects who have had their private information breached. “According to the GDPR, notification must take place without undue delay and no later than 72 hours after the breach has occurred. The nature and scope of the breach, as well as its consequences and the measures taken to rectify it, must also be disclosed to affected data subjects,” he said.
Bernstein explained that South African organisations will have to have a similar checklist in place in order to comply the soon to be implemented Protection of Personal Information Act (POPIA). POPIA stipulates that a data breach must be notified as soon as reasonably possible after the discovery of the compromise, considering the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
To assist organisations in the event of a data breach, Baker McKenzie recently launched a mobile application called "Data Breach 72" (also available for iPhone). This app, which is available in English and French, allows organisations to identify the existence of a data breach, within the scope of application of the GDPR; establish whether it is necessary to notify the competent supervisory body; and prepare an initial draft of this notification. The app forms part of Baker McKenzie's innovation programme, which aims to rethink the way in which lawyers deal with the challenges their clients are facing.
The final step in Checklist includes a thorough evaluation of the breach.“Once the first three steps are complete, organisations must investigate whether employees were responsible for the breach and if disciplinary action is required. If a third party was involved, the contract should be checked for damages provisions and an impact assessment undertaken. Lastly, organisations must review their procedures and ensure their data is secure going forward,” he said.
Janet MacKenzie, partner in Baker McKenzie’s Corporate/M&A practice and TMT specialist, noted, “The GDPR further requires organisations to complete a Data Protection Impact Assessment prior to the processing of private information, where the processing is likely to result in a high risk to the rights and freedoms of natural persons.
MacKenzie said it is essential to conduct an Impact Assessment of third parties that process high-risk company personal data, to determine their awareness of GDPR and to ensure that they have appropriate technical and organisational measures in place to comply with the legislation. For high-risk third parties, audit partners should be identified for the assessment of processes and to determine if on-site audits are required. It is worth noting that the requirements of the GDPR stipulate that data processing can only be outsourced to a third party if the processor guarantees conformity with the requirements of the GDPR.
Janet Taylor Hall, CEO of Cognia Law, explained further, “There were two operational areas where clients tend to underestimate the impact assessment efforts around GDPR - the first being adequately preparing to deal with a data breach when it happens and the second is subject data requests, which can in themselves lead to a breach if not handled appropriately.”
“Right of access is a core principle of the GDPR. Individuals have the right to access their personal data and supplementary information at any time. In responding to these data requests in time (30 days), it is also important that no data is shared that belongs to another individual or that contains intellectual property or trade secrets,” she said.
“Putting a robust subject data request capability in place is an important part of the on-going GDPR compliance support we offer our clients”, highlighted Justin Ridl, Global Head of Legal Services, Cognia Law.