The recent pandemic has seen a dramatic move towards the use of technology in the business world. While the use of technology has in some instances increased productivity and eased the way of doing business, cybercrime has become a global phenomenon with company data being hacked on an all to regular basis. The big question is who is responsible for the safety of data and privacy of information. South Africa has world class legislation which at times does not deter cyber criminals due to the lack of enforcement by authorities. Legislation clearly puts the onus on directors of a company to take all reasonable steps to protect sensitive data.
Directors duties under POPIA, PAIA, the Companies ACT and King IV
- Section 76(3(c) of the Companies ACT codifies the duty of care of a director by stating that he has a duty to perform his duties in good faith, in the best interests of the company and with due care, skill and diligence that would reasonably be expected of a person carrying out the same functions in relation to the company as those carried out by that director, and having the general knowledge skill and experience of that director.
- In terms of the business judgement rule, directors are required to take reasonably diligent steps to become informed about POPIA.
- As the Responsible Party (who processes personal information), a company, or its board of directors, is required to appoint and register an Information Officer with the Information Regulator.
- Usually the role of the Information Officer is, by default, assigned to the Chief Executive Officer, Managing Director or an equivalent officer of a company.
- Notwithstanding the delegation of authority to the Information Officer or IT Manager (in regard to the protection of cyber security), the board retains overall responsibility over POPIA compliance of the Responsible Party.
- The board is required to implement a ‘POPI’ programme to ensure the protection of personal information for their ‘Data Subjects’ (employees, clients, customers, suppliers etc).
- The POPI programme should aim, inter alia, to identify risk areas, develop strategies and policies for POPIA, and ensure the implementation thereof within
- Cyber security and data protection policies are required to be developed and implemented, not only in compliance with POPIA, but in line with Principle 12 of King IV™.
- Section 22 of POPIA imposes a mandatory reporting obligation on the Responsible Party – to report a data breach, in writing, to the Information Regulator, where one has occurred.
As can be seen the onus falls largely on directors to protect “Data Subjects” information. If you would like to have a review of your responsibility as a director as regards cybercrime, please do not hesitate to contact us for professional advice in this regard.