Africa is in the midst of a rapid digital transformation, and that brings with it the possibility for some businesses to be cyber hacked. It is critical that organisations ensure compliance with the relevant data privacy legislation across the jurisdictions in which they operate, to safeguard both sensitive client information and the business’s reputation.
Zaakir Mohamed, Head of Corporate Investigations & Forensics and specialist in Corporate Governance & Compliance and Data Protection & Privacy at South Africa-based law firm CMS, says the failure to comply with such legislation can expose an organisation to significant regulatory risk. This may include administrative or other sanctions that may be issued by a regulatory body, as well as significant reputational risk for the organisation.
Mohamed says organisations need to understand what the legislation requires of them. They need to consider the nature of their respective operations in order to best decide how to implement appropriate data, privacy and cybersecurity measures that will ultimately strike the right balance between ensuring regulatory compliance, as well as having the right cybersecurity measures and tools to meaningfully protect themselves from cybersecurity and data privacy risks.
He lists three stumbling blocks to organisations trying to mitigate the risk of cyberattacks, the first relating to employee behaviour because they are the first line of defence when it comes to cybercrime.
Mohamed says a company may have the best cybersecurity tools possible, but if employees lack an understanding of what cybersecurity risk is, and what behaviour is expected of them in order to mitigate these risks, it could create significant vulnerabilities.
He shares his insights on South Africa’s Minimum Information Security Standards (MISS) and whether it is enough to keep up with the speed of ever-changing technology. He says whilst these standards are of critical national importance, they cannot be looked at in isolation.
“We can have world class pieces of legislation and standards, but if they’re not used effectively, they’re absolutely meaningless.”
Mohamed points out that while regulatory notification obligations when reporting a breach may differ according to jurisdictions, the commonality in most of them is to report to the data privacy regulator as soon as possible.
“But then you've got some legislation that attaches a specific time period to that which could be within 72 hours,” he said, explaining that having an incident response team is important.
The enlightening discussion wraps up with Mohamed talking about why data privacy is not just about regulatory compliance.
To join Africa Legal's mailing list please click here