Cyber security and data privacy in South Africa



Cyber security and data privacy will be under the spotlight when South Africa’s Protection of Personal Information Act comes into force.

The date of operation is still to be proclaimed by the president. Affected parties will then have a minimum of 12 months to comply with the Act.

The Act introduces strict security measures to safeguard the integrity and confidentiality of personal information. A responsible party, that is the person who processes, or at whose instance personal information is processed, must take appropriate, reasonable, technical and organisational measures to prevent loss of or damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.

That will involve taking reasonable measures to: identify all reasonably foreseeable internal and external risks to personal information in its possession or, under its control; to establish and maintain appropriate safeguards against the risks identified; to regularly verify that the safeguards are effectively implemented; and to ensure that the safeguards are continually updated in response to new risks or deficiencies previously implemented safeguards.

If the responsible party has a third party processing personal information, defined as an operator, then there must be a written contract between the responsible party and the operator to ensure that the operator establishes and maintains the security measures required by the Act.

The Act contains onerous provisions where there are security compromises.

Where there are reasonable grounds to believe that personal information of the data subject has been accessed or acquired by an unauthorised person then both the regulator and the data subject must be notified. Notification must be in writing and communicated to the data subject in at least one of the ways specified in the Act, for example, email or posting.

Most significantly, the notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. That includes notification of: a description of the possible consequences of a security compromise; a description of the measures that the responsible party intends to take or has taken to address the compromise; a recommendation in regard to measures to be taken by the data subject to mitigate the possible adverse effects of the compromise; and if known, the identity of the unauthorised person who may have accessed or acquired the information.

Personal information is broadly defined. The Act relates to the processing of personal information entered in a record by or for a responsible party (which would include an operator), where the responsible party is domiciled in South Africa or, if not domiciled in South Africa, makes use of automated or non-automated means in South Africa except if the means are used only to forward personal information through the South Africa.

A record is any recorded information regardless of form or medium, in the possession or under the control of a responsible party, whether or not the record was created by that party, and regardless of when it came into existence.

It does not really matter if the personal information is stored in a ‘cloud’ (wherever the cloud may be), as long as the responsible party is domiciled in South Africa or makes use of automated or non-automated means in South Africa for processing by entering into a record.

The provisions of the Act mean increased cyber and privacy liability for responsible parties. Cyber liability entails financial or reputational loss suffered by a third party arising from a hacking attack or virus, or inability to access a system or cloud as a result of the hacking or virus and loss or theft of a responsible party’s or a third party’s data. Privacy liability is the other side of the liability coin and arises from the failure to prevent unauthorised access to private and confidential information.

Exposure to these cases of liability may result in: breach, notification and remediation costs, that may include the provision of credit monitoring services to those persons affected, public relations issues and crisis management expenses, and other expenses related to protecting the responsible party’s brand reputation; system damage and business interruption which include costs of restoring or recreating data that is corrupted or destroyed, and business interruption following the system damage; cyber crime which includes direct financial loss due to fraudulent input of data into or through the system, and extortion relating to ransoming of hacked systems; and finally, multimedia and content liability which includes exposure to defamation, intellectual property rights infringement and other content liability arising from content created or disseminated by or on the responsible party’s behalf for which they are deemed responsible.

Those increased exposures and liabilities highlight the need for responsible parties and operators to obtain appropriate cyber liability insurance where the cyber risks are probably not covered by the general liability insurance held by those parties.


Donald Dinnie is head of Norton Rose Fulbright’s South Africa Disputes Practice. He can be contacted on +27 11 685 880 or by email:

© Financier Worldwide


Donald Dinnie

Norton Rose Fulbright

©2001-2019 Financier Worldwide Ltd. All rights reserved.