What is reasonable when it comes to PoPIA?

Another post following #ITWebGDPR2018 earlier this month.

In his talk on the cost and compliance obligations of the GDPR, governance specialist Peter Hill made the point that risk, as it is referred to in the regulation, refers to risk from the perspective of the data subject.

In other words, companies implementing GDPR, and PoPIA, must do so by considering the risk of the data subject, not the risk to themselves.

This is unusual, as most regulation focuses on mitigating one’s own risk.

PoPIA mitigates the data subject’s risk

Why is this important?

While the GDPR and PoPIA are similar in many ways, a key difference is in the level of detail defined in each regulation, with the South African regulation being more loosely defined.

For example, in the event of a breach, GDPR Article 33 sets a deadline of 72 hours by which time the breach must be communicated to the supervisory authority.

By contrast, PoPIA section 22(2) requires a notification to be made “as soon as reasonably possible after the discovery of the compromise”.

The definition of “reasonable” is one that lawyers will no doubt spend much time debating in court, at great expense to all involved.

If we accept that the goal of the legislation is to protect the data subject from risk, then the definition of reasonable will have to be interpreted from the perspective of the person whose data has been compromised, rather than from the perspective of the company that has been hacked.

How long would you be prepared to wait if, for example, your credit card details had been stolen? One hour, one day, one week?

How long will it take your company to determine what has been compromised, and who this affects, in the event of a breach? An hour, a day, a week?

What is reasonable?

Does it not make sense for South African companies to use the GDPR yardstick of 72 hours as the baseline?

2 thoughts on “What is reasonable when it comes to PoPIA?”

  1. I completely agree with you, Gary. It is quite concerning just how little guidance has been given to the various provisions around notification in POPI in comparison to the GDPR. I would certainly apply the GDPR measures as a benchmark (i.e. the 72-hour rule). Interestingly, POPI is also silent on any risk-based approach in notifying breaches to data subjects and the information regulator. A strict and plain (and arguably unreasonable) reading suggests that even a low-risk breach (i.e. lost cellphone) is notifiable.

    1. I believe that a lot of businesses have a “bury our head in the sand” approach to PoPIA that is going to come back to haunt them. The practical implications are simply not being planned for.
