Nathalie Burrows, Editor EBnet
One of the highlights for me when attending this week’s PLA conference was the opportunity to hear feedback straight from the Information Regulator’s office. To be able to hear directly from this relatively new Regulator on trends in security compromises, how the protection of personal information is unfolding and what the IR is focusing on was immensely valuable.
Adv. Collen Weapond shared some of their experiences since the legislation became effective. I think it’s fair to say that, in the retirement funds context, two and a half years is not yet a very long track record, but there are definitely meaningful trends emerging.
The first is the increases in security compromises being reported:
- 1 July 2021 to 31 March 2022: 202
- 1 April 2022 to 31 March 2023: 509
- 1 April 2023 to 31 March 2024: 1 727
The increase may be attributed to all of us becoming more familiar with the processes of reporting, or having clarity on what constitutes a security compromise (did you just remember you left your file at the airport?) … or maybe we’re just in line with the global increase in security compromises.
While the increase in the number of incidents reported is interesting, more noteworthy is that the response time to these data breaches has not decreased.
Adv. Weapond stressed how important it is for responsible parties like retirement funds to have robust risk mitigation measures and systems in place, which should be regularly tested and updated. I’m not sure that the initial flurry of activity immediately prior to 1 July 2021 has been followed up with any more busy-ness around POPIA in retirement funds.
Lastly, Adv. Weapond discussed the teeth that the IR has bared through the issuing of:
- Enforcement notices,
- Fines, and
- Codes of conduct.
The bottom line for retirement funds: report breaches timeously (even if you only suspect them), review your systems and processes regularly (particularly those around data security), ensure that you have all the necessary agreements in place and, where you do have a breach, respond to data subjects quickly and effectively.