
Another post following #ITWebGDPR2018 earlier this month.
In his talk on the cost and compliance obligations of the GDPR, governance specialist Peter Hill made the point that risk, as it is referred to in the regulation, refers to risk from the perspective of the data subject.
In other words, companies implementing GDPR and PoPIA must do so by considering the risk to the data subject, not the risk to themselves.
This is unusual as most regulation focuses on mitigating one’s own risk.
PoPIA mitigates the data subject’s risk
Why is this important?
While the GDPR and PoPIA are similar in many ways, a key difference is in the level of detail defined in each regulation, with the South African regulation being more loosely defined.
For example, in the event of a breach, GDPR article 33 sets a deadline of 72 hours by which time the breach must be communicated to the supervisory authority.
By contrast, PoPIA section 22(2) requires a notification to be made “as soon as reasonably possible after the discovery of the compromise”.
The definition of “reasonable” is one that lawyers will no doubt spend much time debating in court, at great expense to all involved.
If we accept that the goal of the legislation is to mitigate risk to the data subject, then the definition of reasonable will have to be interpreted from the perspective of the person whose data has been compromised, rather than from the perspective of the company that has been hacked.
How long would you be prepared to wait if, for example, your credit card details had been stolen? One hour, one day, one week?
How long will it take your company to determine what has been compromised, and who this affects, in the event of a breach? An hour, a day, a week?
What is reasonable?
Does it not make sense for South African companies to use the GDPR yardstick of 72 hours as the baseline?