Data Breach policy

Effective Date

8/10/2023

Version

V1

  1. OBJECTIVE OF THE POLICY
    1. The purpose of this policy is to protect the information held and processed by Botle Buhle Brands (Pty) Ltd, to contain any data breach that does occur, and to minimise the risks associated with such a breach.
    2. This policy outlines the actions to be taken in the event of a breach and the steps to be taken to prevent further breaches.
    3. The policy is intended to ensure that every care is taken to protect personal data from incidents (accidental or deliberate) and to avoid a security breach that could compromise such data.
    4. Section 22 of the Protection of Personal Information Act (POPIA) requires a responsible party to notify the Information Regulator, as well as any data subject whose personal information has been accessed or acquired by an unauthorised person, of a security compromise. The notification to the data subject must include:
      1. A description of the possible consequences of the security compromise;
      2. A description of the measures that the responsible party has taken or intends to take to address the security compromise;
      3. A recommendation of the measures that the data subject should take to mitigate the possible adverse effects of the security compromise; and
      4. The identity of the unauthorised person who may have accessed or acquired the personal information, if known.
  2. DEFINITIONS
    1. Data: Information in digital form that can be transmitted or processed.
    2. Data subject: The person to whom personal information relates. Under POPIA this includes a juristic person, such as a company.
    3. Personal Data: Information relating to an individual by which the individual can be identified (directly or indirectly), either from that data alone or in combination with other identifiers.
    4. Data Breach: An incident, event or action, whether accidental or deliberate, that has the potential to compromise the confidentiality, integrity or availability of data, and/or the company's data systems.
    5. Information Regulator: The South African independent body established in terms of section 39 of the Protection of Personal Information Act 4 of 2013, which is empowered to monitor and enforce compliance with POPIA and PAIA.
    6. Information Officer: The CEO (or equivalent) of Botle Buhle Brands, as registered with the Information Regulator.
    7. Responsible party: A public or private body, or any other person, which alone or in conjunction with others determines the purpose of and means for processing personal data.
  3. LEGAL PRINCIPLES
    The following legislation is applicable to this policy:
    1. The Protection of Personal Information (POPI) Act, 4 of 2013
    2. Promotion of Access to Information Act (PAIA) (2000)
    3. Consumer Protection Act (2008)
    4. Electronic Communications and Transactions Act, 2002 (ECTA)

  4. POLICY
    1. This data breach policy applies to everyone at Botle Buhle Brands (Pty) Ltd, including employees, temporary or casual staff, consultants, suppliers, contractors, freelance workers and any other data processors who store or process data on behalf of Botle Buhle Brands (Pty) Ltd.
    2. For the purposes of this data breach policy, an incident may include (but is not limited to) any of the following:
      1. Unauthorised use or accessing/modification of data;
      2. Loss or theft of personal or sensitive data;
      3. Loss or theft of equipment on which data has been stored;
      4. Human error;
      5. Attempts by external parties to gain access to our data or our company IT systems (whether successful or not);
      6. Defacement of Botle Buhle Brands (Pty) Ltd web property;
      7. Physical incidents, like a fire, which could compromise IT systems.
    3. All employees who access, manage, or use data in any way are responsible for reporting a data breach or any other type of security incident.
    4. POPIA provides an exception to notifying the data subject where the identity of the data subject cannot be established. Notification to the Information Regulator is still required in that case.
    5. In terms of Section 22 of POPIA, which deals with notification of security compromises, Botle Buhle Brands (Pty) Ltd must notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering that personal data has been accessed or acquired by an unauthorised person.
    6. Any person who provides false information to the Information Regulator, or who hinders, obstructs or unlawfully influences the Information Regulator on any matter, commits an offence under POPIA and may be liable to a fine or imprisonment.
    7. Should Botle Buhle Brands (Pty) Ltd detect a security breach on any of its systems that contain personal data, Botle Buhle Brands (Pty) Ltd shall take the required steps to assess the nature and extent of the breach in order to ascertain if any information has been compromised.
    8. Botle Buhle Brands (Pty) Ltd shall notify the affected parties where it has reason to believe that their information has been compromised. Direct notification can only be made where Botle Buhle Brands (Pty) Ltd is able to identify the data subject to whom the information relates; where this is not possible, publication on the company website and any other method the Information Regulator prescribes must be considered.
    9. Notification will be provided in writing by means of either:
      1. email;
      2. registered mail;
      3. publication on the Botle Buhle Brands (Pty) Ltd website.
    10. The notification shall provide the following information where possible:
      1. description of possible consequences of the breach;
      2. measures taken to address the breach;
      3. recommendations to be taken by the data subject to mitigate adverse effects;
      4. the identity of the unauthorised person who accessed or acquired the personal information, if known.
    11. In addition to the above, Botle Buhle Brands (Pty) Ltd shall notify the Regulator of any breach and/or compromise to personal data in its possession and work closely with and comply with any recommendations issued by the Regulator.
  5. PROCEDURE
    On discovery of a data breach the following actions should be taken:
    1. Containment and recovery
      1. In the event of a data breach steps to ensure containment should immediately be actioned by limiting further access to the affected personal information, or the possible compromise of other information.
      2. The individual who caused the breach, or who identifies a possible breach, must immediately inform their manager.
      3. In order to determine the appropriate response, the following questions should be considered:
        1. How did the data breach occur?
        2. Is the personal information still being shared, disclosed, or lost without authorisation?
        3. Who has access to the personal information?
        4. What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?
    2. Assessing the risk
      1. An assessment of the data breach will help Botle Buhle Brands (Pty) Ltd to understand the risks posed by the breach and how those risks can be addressed. The assessment should be carried out as soon as practically possible.
      2. The assessment is used to establish the severity of the incident. The initial assessment should also include analysing whether there is any way to recover the lost data, and mitigate further risks associated with the incident.
      3. The Information Officer or a nominated person will investigate the breach and prepare a Breach Report within 72 hours.
      4. The assessment of the data breach will guide the decision on whether to notify affected individuals. In the assessment of a data breach, it is important to consider:
        1. the type or types of personal information involved in the data breach;
        2. the circumstances of the data breach, including its cause and extent;
        3. the nature of the harm to affected individuals, and if this harm can be removed through remedial action.
    3. Notification of breach to the Information Regulator
      1. Where the Information Officer concludes that there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the Information Regulator and the affected data subjects must be notified. Notification to a data subject is not required where the identity of that data subject cannot be established; the Information Regulator must still be notified.
      2. Notification to the data subject must be:
        1. made as soon as reasonably possible after the discovery of the breach;
        2. sufficiently detailed; and
        3. in writing, using one of the methods set out below.
      3. The notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:
        1. Mailed to the data subject’s last known physical or postal address;
        2. sent by e-mail to the data subject’s last known e-mail address;
        3. placed in a prominent position on the website of the responsible party;
        4. published in the news media; or as may be directed by the Regulator.
      4. The notification should provide the data subject with sufficient detail in order to allow the data subject to take the appropriate protective measures.
      5. A responsible party may be directed by the Information Regulator to publicise the breach where the Information Regulator has reasonable grounds to believe that such publicity would protect the data subject.
    4. Evaluation and response
      1. Once the breach has been dealt with, the cause of the breach must be considered. There may be a need to update policies and procedures, or to conduct additional training.
      2. It is also important to conduct a thorough review covering:
        1. the cause of the breach;
        2. the effectiveness of the response; and
        3. whether any changes to existing IT systems, company procedures or policies must be implemented.
To download a copy of the signed policy, please click below:
Download Data Breach Policy
To download the Data Breach Notification Form, please click below:
Download Data Breach Notification Form
