The Experian Data Breach, POPI Act and Privacy Management

The recent Experian data breach meant that personal information belonging to around 24 million South African citizens and almost 800,000 businesses fell into the hands of fraudsters. It has also emerged that it took almost three months for the breach to be fully known and reported.

There is still a lot of media speculation and different opinions as to the severity of the breach and the nature of the personal information that fell into the hands of fraudsters. But what is clear is that a breach did occur, and that a lot of personal information has been leaked.

The reality is that the breach in South Africa is the latest in a long series of examples around the world in which companies and government organisations are feeling the pain from data breaches, and the fines and reputational damage associated with violating data privacy regulations.

The breach and the POPI Act

One of the fundamental principles of the POPI Act is that organisations have to be accountable for ensuring that data is only shared with authorised parties at the owner’s consent.

While Experian is not liable for fines or penalties under the act as it only comes into full force on 1 July 2021, this breach certainly represents a warning to other organisations as the Act’s deadline draws closer.

Post-July next year, the POPI Act will make it possible for organisations that fail to adequately protect personal data to face fines of up to R10 million, and for jail sentences of up to 10 years for senior executives depending on the severity of a breach.

How can Enterprise Architecture help with Privacy Management?

Enterprise Architecture can be successfully implemented in organisations in order to satisfy regulations, produce the requisite regulatory documents, and break silos across people, process, and technology to prevent violations. It facilitates a rapid understanding of compliance levels, and accelerate the implementation of remediation plans. This is achieved in the following ways.

Quickly understand compliance levels

With HOPEX Privacy Management, identified stakeholders across the organisation can quickly view compliance levels, and whether each regulation is effectively satisfied. For example, DPO’s and cross-functional stakeholders can assess and understand if and how your organisation complies with privacy regulations by using the collaborative workspace.

Analyse risks and implement remediation plans

Carry out Data Protection Impact Assessments (DPIA) in order to prioritise remediation activities. The results and findings can again be shared across stakeholders for efficient internal visibility and inputs.

Automatically generate reports to demonstrate compliance

Document and demonstrate compliance with a full range of reports designed for the supervisory authority. This step will be increasingly important to demonstrate the right steps have been taken in accordance with the POPI Act.

Privacy Management capabilities

HOPEX Privacy Management helps you to map data, conduct assessments, and comply with industry, national and international regulations. It does so in three main ways:

Map data

Identify processes or applications handling sensitive data categories:

  • Specify categories of involved data subjects and legal basis for processing
  • Assign DPOs and Data Controllers processing activities to coordinate compliance efforts
  • Build the inventory of your processing activities

Conduct assessments

Understand the sources of risk and measure your compliance level:

  • Conduct Data Privacy Impact Assessments (DPIA)
  • Prioritize processing activities by risk scale and compliance level
  • Document and assess risks affecting the rights and freedoms of data subjects
  • Document data breach incidents and manage Data Subject requests

Comply with regulations

Prepare and produce in one click reports to analyse compliance level and demonstrate that regulatory requirements are met:

  • Record of processing activities
  • Data Protection Impact Assessment (DPIA)
  • Data transfer maps
  • Subject rights report
  • Risk and compliance indicators

Find out more

Call Mbulase’s expert team today to discuss your Privacy Management requirements.

Read more about our partner MEGA International’s Privacy Management solutions at: