Two months and counting
Aon South Africa, an insurance brokerage and risk advisory services provider, has released its Insurance & Data Privacy report, which highlights the impact that the Protection of Personal Information Act (POPIA) will have on organisations, and identifies how cyber insurance can assist.
POPIA came into effect on July 1, 2020. After a 12-month transition period, organisations must be compliant with POPIA by July 1 this year. The Act was adopted to protect the right to privacy of natural living persons, extended to include existing legal persons, by setting out minimum requirements for the processing of personal information. Its aims are to:
- Give effect to the constitutional right of privacy, in particular, the safeguarding of personal information;
- Regulate the processing of personal information in harmony with international privacy standards;
- Prescribe minimum requirements for the lawful processing of personal information;
- Provide rights and remedies to protect data subjects against unlawful and illegal uses of their personal information; and
- Establish an information regulator – to promote, enforce and fulfil the rights protected by POPIA.
As organisations seek to comply with the requirements set out in POPIA, it will become increasingly important for them to make operational changes to the way they process personal information.
“One of the requirements set out in the Act is for organisations to appoint an independent member of their organisation to perform the function of a data protection officer (referred to in POPIA as ‘information officer’), ensuring that the principles of POPIA are adhered to and form part of the overall organisational culture,” explains Zamani Ngidi, cyber solutions client manager at Aon South Africa.
“The function can be performed by an individual or a group of individuals who are familiar with the organisation’s operations and processes. This stipulation alone highlights the operational changes that need to be adopted in order to comply with the legislation.”
Cyber insurance and POPIA
The scope of POPIA is broader than most cyber insurance policies. These are often triggered by privacy or security incidents, whereas POPIA violations can also be triggered by non-compliance, distinct from a privacy or security incident.
“The current insurance market does allow for some expansion of cover to specifically address certain instances of non-compliance as it relates to POPIA, but the language of such an insurance policy must be carefully drafted and reviewed,” says Ngidi.
Typical cyber insurance policies only insure fines when insurable by applicable laws, and generally stipulate that the insurability of fines or penalties should be determined by the “laws of any applicable jurisdiction that most favours coverage for such monetary fines or penalties”.
“From a South African perspective, it is not possible to insure against criminal fines as a matter of law and public policy. Insuring administrative fines is not expressly prohibited, but these fines are likely to be found uninsurable as a matter of public policy. Organisations should also consider other costs and liabilities that could result from non-compliance with POPIA,” says Ngidi.
He adds: “POPIA fundamentally changes business requirements in processes such as incident response and business continuity, making it crucial for organisations to evaluate the value to be unlocked from the insurance market via forensic consultants with experience in handling claims and incidents that may be somewhat unfamiliar to the business. Consulting with a professional broker that specialises in cyber risk will be well worth the effort in achieving a better understanding of their exposures and in navigating the complex relationship that exists between POPIA and cyber risk.”
Download Aon’s Insurance & Data Privacy Report for an in-depth insight into the data-breach implications of POPIA.