RATTLEHUB DIGITAL (PTY) LTD (“Rattlehub”) PROTECTION OF PERSONAL INFORMATION ACT POLICY
Summary
This guide answers frequently asked questions (FAQ) about the impact of the Protection of Personal Information Act (POPIA) on our business. At Rattlehub Digital we believe in the protection of the personal information of data citizens. Our business is built on trust and security; it is our licence to operate.
In the near future, everyone in South Africa will have to endeavour to protect the personal information they process. POPIA sets conditions that any person, or system, who processes personal information must comply with. POPIA aims to protect the personal information of people (like consumers and employees) so that they do not become victims of things like identity theft1, which can have very serious consequences. However, POPIA does not aim to stop the free flow of information. It recognises that there needs to be a balance.
By using our digital data exchange, Rattlehub Digital ensures that personal information is processed securely, lawfully and transparently.
Rattlehub Digital offers three main products, for:
Key points and possible actions
POPIA Myth Busters
A POPIA myth is a widely held but false belief or idea about the Protection of Personal Information Act (POPIA). Let’s set the record straight.
1 http://www.michalsons.co.za/identity-theft-victim/12347
2 https://www.rattlehub.com/for-the-individual
3 https://www.rattlehub.com/for-the-financial-advisor-business
4 https://www.rattlehub.com/for-the-deceased-estate-executor
What is POPIA?
It is the Protection of Personal Information Act, a law passed by the South African parliament, which sets the conditions that you must follow to lawfully process personal information about persons.
Why did POPIA come into existence?
POPIA protects people (like you and me) from harm (both physical harm and loss of money) by requiring those who process our personal information to protect it. For this reason alone, POPIA is important.
The protection of personal information is definitely needed now, more than ever. With the rise of computing power and devices like smart phones/watches and tablets, personal information is at greater risk than ever before. POPIA will enable personal information to be transferred to South Africa. This is because, under POPIA, South Africa will meet international data protection standards as set out by the European Union. Therefore, businesses will prefer to store data in South Africa which will bring economic benefits for the country and businesses operating in South Africa.
Key points and possible actions:
What about the protection of state information?
The Protection of State Information Bill (POSI) requires people to protect state information and is different to POPIA. You may process state information or decide how to process state information and therefore POSI may be applicable to your organisation. According to POSI state information is valuable and must be handled according to specified procedures. State information may also be categorised as ‘classified’ when it is justifiable in terms of national security. The people that are able to handle, process and view classified state information are extremely restricted. If you think that you might be handling or processing state information you need to identify if you are authorised to do so and what that authorisation permits you to do.
However, at this point, the President has not yet signed the latest version of the POSI Bill. This means it is a long way from being enacted. POSI will replace the Protection of Information Act 84 of 1982. Therefore, until that point the Protection of Information Act applies to state information. Once again, this Act places obligations on parties who handle and store state information. The Act covers people or entities that either know, or reasonably ought to know, that they are handling or storing state information. Violations of the provisions of the Act constitute an offence.
It is important to understand your position when it comes to state information under both the Act and the POSI Bill. These pieces of legislation might not permit you to store information with a third party such as Rattlehub Digital and it may be necessary to get a legal opinion for your business on this matter.
Does POPIA apply to everybody?
Yes, virtually everybody. POPIA applies to everybody who processes personal information. It applies to all public (like Home Affairs and SARS) and private bodies (like financial institutions and direct marketers). Process is defined extremely broadly. In terms of POPIA processing means any operation or activity (either automated or not) that involves the collection, receipt, recording, organisation, collation, storage, updating, retrieval, dissemination, distribution, merging and degradation or erasing of data.
Key points and possible actions:
Who is exempt from complying with POPIA?
Very few people, but some are. For example, SAPS, Cabinet and journalists who process personal data for journalism.6 Some processing of personal information is exempt. For example, if you process personal information in the course of a purely personal or household activity.7
Do you have to comply with POPIA?
Yes, you must comply with POPIA (and the consequences for non-compliance are quite severe), but you also want to do it efficiently and get business value out of those efforts.
You must comply with the conditions of POPIA and protect the personal information that you process. If you are suspected of not complying with POPIA, the Information Regulator will notify you.
Key points and possible actions:
What could happen if you do not comply?
In terms of section 91(2) of POPIA ‘the Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so.’ This could lead to significant reputational damage. Your records management practices may be aired in public.
On the evidentiary front, the non-retention of records that had to be retained by law may lead to negative inferences being drawn by the courts in subsequent litigation should those records not be available as evidence.
There are significant consequences for non-compliance, including:
The reputational damage is probably the biggest risk. There are not many offences in POPIA (for example it is not an offence if you fail to comply with the conditions) and generally speaking you will know when you commit one. It is quite hard to commit an offence, but if you do, the Information Regulator can fine you if it merely alleges you have committed an offence.
6 POPIA, sections 6 and 7
7 POPIA, section 6(1)(a)
8 POPIA, section 99
9 POPIA, section 109
What will happen to you, if you recklessly disclose a bank account number?
You could be fined R10 million or jailed for up to 10 years, if you:
Key points and possible actions:
How can we help you?
Who is the responsible party?
Whoever decides to process personal information in a certain way is the responsible party. It is the person that, alone or in conjunction with others, determines the purpose of (why) and means for (how) processing personal information.13 If you are processing personal information for somebody else, you are their operator and they are the responsible party.
Key points and possible actions:
Who is the operator?
If you are processing personal information for somebody else, you are their operator. If you do not determine the purpose and the means for processing the personal information you are the operator. An operator processes personal information for a responsible party under a contract. Operators are required to process information only under authorisation from the responsible party concerned.
Operators must also treat all information in their knowledge as confidential unless disclosure is required by law.
All Rattlehub partners are expected to provide the same stringent POPIA-related controls within their environment and systems.
10 POPIA, section 105(1)
11 POPIA, section 106(1)
12 POPIA, section 106(3) and (4)
13 POPIA, definition of responsible party
Key points and possible actions:
Does POPIA only relate to consumer data?
No, it relates to all personal information. Almost all consumer data is personal information, but personal information is much broader than just consumer data. For example, personal information includes the personal information of employees.
Does POPIA apply outside of South Africa?
Yes, POPIA does apply outside of South Africa. A responsible party does not need to be domiciled in South Africa for POPIA to apply. If the responsible party uses equipment in the country to process information, then POPIA applies to that information.
What is personal information?
It includes information like race, gender or age, or information relating to the education of a person. It includes the medical, financial, criminal or employment history of a person, and contact details like an email address, telephone number or location information.
It is any information that relates to an identifiable, living, natural person. In other words, it is information that identifies a human being. But in some circumstances it can also be information that identifies an existing juristic person like a company, close corporation or trust.
POPIA also applies to public (not just private) personal information and the conditions for lawful processing apply.
Key points and possible actions:
Whose information must you protect?
It is any information that relates to an identifiable, living, natural person. In other words, it is information that identifies a human being. However, in some circumstances it can also be information that identifies an existing juristic person like a company, close corporation or trust.
Key points and possible actions:
What must be done to protect personal information?
There are different ways to protect personal information. How you protect personal information will depend on what form the information is in and how the personal information is processed.
By protecting personal information, you stop third parties from obtaining the information and harming the person (the data citizen) to whom it relates.
Key points and possible actions:
How can we help you?
When will POPIA come into force? When must you comply by?
The President signed POPIA into law in 2013, so it is here to stay. The regulations will not be significant, so we know that the material we have available is what we need to comply with. The Office of the Information Regulator has been created and consists of Adv Pansy Tlakula as the chair, Adv Cordelia Stroom (PAIA) and Mr Johannes Weapond (POPIA) as full-time members, and Prof Tana Pistorius and Mr Sizwe Snail as part-time members. The Regulator has drafted the first draft of the POPIA Regulations and will announce a commencement date for POPIA.14 The Regulator published the draft Regulations for POPIA in September 2017.15 You will have a one-year grace period after POPIA commences. The best course of action is for responsible parties and operators to take action steps now.
14 https://www.michalsons.com/blog/popi-commencement-date-popi-effective-date/13109
15 https://www.michalsons.com/blog/popi-regulations-popia-regulations/12417
Key points and possible actions:
How can we help you?
When am I processing personal information?
You process information when you do anything with personal information. This includes processing using automatic means. For example, you are processing personal information:
Does POPIA apply to paper-based forms or paper documents?
Yes. POPIA applies to all personal information, including information found in paper documents. Personal information in electronic form is also covered by POPIA.
Does POPIA require me to have accurate data?
Yes, the responsible party must take steps that are reasonably practicable to ensure that the information is accurate and complete.
Does POPIA require me to make disclosures?
Yes, you must be open about how you process personal information.16 You must be able to provide people with a description of the subjects on which you hold records and the categories of records you hold on each subject.17 You also need to notify the data subject of a number of things when you collect their personal information, including the nature or category of the information you collect from them.18
What is de-identified personal information?
Personal information is de-identified when you delete information about the specific data subject and you are then unable to link the information to the data subject. In other words, you cannot identify a specific person from the information you have. POPIA does not apply to de-identified information.19
16 POPIA, condition 6
17 POPIA, section 17 and PAIA, sections 14 and 51
18 POPIA, section 18(1)(h)
19 POPIA, definition of “de-identify”
When can I use records for historical, statistical or research purposes?
When the personal information is de-identified and meets the purpose the information was collected for or the law requires you to retain the record.
When is personal information no longer personal information?
De-identified personal information is not personal information.
Personal information of a deceased person is not personal information, as it does not relate to a living natural person.
Does the law now require information security?
Yes, it does. You have been securing the information that you hold for a long time already because it made business sense to do so. POPIA now also places a legal obligation on you to secure the information you process. You must secure both the integrity and confidentiality of the personal information you hold by taking appropriate, reasonable technical (like using encryption) and organisational (like policies) measures to prevent loss and unlawful access (a hack).20
20 POPIA, section 19
What is appropriate and reasonable information security?
It depends. The question is what was appropriate and reasonable for you to do considering the type of personal information that needs to be protected. What is appropriate and reasonable for some may not be appropriate and reasonable for others. But there are certain things that will be considered appropriate and reasonable measures for most people to take. One of those is to use encryption and policies to secure personal information on mobile devices. Mobile devices contain lots of personal information, which is at higher risk considering that mobile devices by their nature move around a lot. You need to secure that information.
Key points and possible actions
How can we help you?
Does cost play a role in determining what is reasonable?
Yes, it does. To consider whether an organisation took reasonable measures the Information Regulator (or a court) would have to take into account how much money the organisation had available to it to protect its information.
Key points and possible actions
Must you encrypt your personal information?
Yes, because it is a key technical measure for securing data. Encryption is the first line of defence. Encryption is very important and is a key aspect of complying with POPIA.
As the data custodian for Permyssion, Rattlehub Digital has embedded a conscious design principle that encrypts POPIA-related data within the platform, with the aim that “the data cannot be linked to any specific individual”.
Can the cloud help me to comply with POPIA?
Yes, it can. If many copies of personal information exist in many different places, it is exposed to a greater number of risks. If you can consolidate personal information into one central location in the cloud and then control the security of, and access to, that personal information, you will be protecting personal information.
Key points and possible actions
How can we help you?
What about cybersecurity?
The Cybercrimes and Cybersecurity Bill21 was first published on 28 August 2015 and was updated in January 2017. The Cyber Bill was introduced into Parliament on 22 February 2017. Cybercrime is increasing all the time and the Cyber Bill aims to keep the people of South Africa safe from criminals, terrorists and other states. It also consolidates South Africa’s cybercrime laws into one place. Essentially, it aims to stop cybercrime and improve the security of South Africa.
The Cyber Bill could also impact on the storage of electronic documents with third parties. The Cyber Bill imposes severe penalties, including prison sentences, for the disclosure and possession of classified state documents in various circumstances. This legislation is still in Bill format and therefore it is not yet applicable. However, you should familiarise yourself with its provisions relating to classified state documents.
Who regulates POPIA? Will it have teeth?
The Information Regulator regulates POPIA (http://www.justice.gov.za/inforeg/). Parliament has gone to great lengths to give this regulator teeth. The Information Regulator can ask an organisation to produce a record to enable the Information Regulator to investigate a complaint (section 81 of POPIA). You need to be able to comply with such a request.
21 https://www.michalsons.com/focus-areas/internet-law-internet-regulation/cybercrime-law
Key points and possible actions
What laws are linked to POPIA?
There are various other laws that also protect personal information. The key ones are:
1. Consumer Protection Act (CPA): Regulates the relationship between suppliers of goods and their customers in many areas.
2. National Credit Act (NCA): Relevant to the receipt, compilation, retention or reporting of confidential information pertaining to a consumer and the protection of the confidentiality of that information. Section 68 of the Act prescribes what must be done in order to protect such confidentiality.
3. Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA): Regulates the monitoring and interception of communications, including electronic communications, in South Africa.
4. Promotion of Access to Information Act (PAIA): Promotes the constitutional right of access to personal information by permitting individuals access to both manual and computer records containing information pertaining to them. It makes it an offence to destroy, damage, alter, conceal or falsify a record. It imposes duties on information officers to publish a manual (the PAIA Manual) on the procedure for accessing records.
5. General Data Protection Regulation (GDPR): Legislation that is aimed at safeguarding a person’s personal information when it is processed by public and private bodies. This regulation applies to all European Union member states. It will be fully enacted in two years’ time.
6. The Data Protection Act (United Kingdom): The equivalent of POPIA in the United Kingdom, which prescribes how personal information must be processed by public and private bodies.
7. The Protection of Information Act (PI Act): The Protection of Information Act is in the process of being amended. It regulates the protection of certain types of information in the interests of national security. It will be repealed by the Protection of State Information Act, once enacted.
8. Protection of State Information (POSI): This bill aims to regulate the classification, protection and dissemination of certain types of information in the interests of national security. It attempts to weigh up state interests against transparency and freedom of expression. It will repeal the Protection of Information Act (PI Act) 84 of 1982. The National Assembly passed the Protection of State Information Bill and it was sent to the President to be signed. The President has now referred it back to Parliament for certain sections to be redrafted. The new version is currently sitting on the President’s desk waiting to be signed.
If there is a conflict between POPIA and another law, POPIA prevails. But if another law gives greater protection to personal information, the other law will prevail. For example, if POPIA says you do not need to get consent to market to someone and another law (like the NCA) says you do, the NCA will apply and you will have to get the person’s consent.
There are various other laws, rules, codes or standards that relate to IT.22
22 http://www.michalsons.co.za/it-laws-ict-laws-rules-codes-and-standards-list/3219
Key points and possible actions
When do you need opt in consent?
When you want to direct market by electronic means (like email and SMS) to prospects. You don’t need opt-in consent to market to your customers.
Opt-in for all
It is international best practice to obtain opt-in consent from everyone. It is a higher standard than what the Consumer Protection Act (CPA) currently states and what POPIA states. This option is bad for marketing purposes as customers and prospective customers need to actively choose to opt-in, which they are unlikely to do. Your existing databases will shrink dramatically.
Opt-out for customers and opt-in for prospects
You do not need to obtain opt-in consent for your existing database of customers, but you will need to obtain opt-in consent from prospective customers for direct marketing by electronic means. While this is not the current legal position, it will be the position soon.
Opt-out for all
You do not need to obtain consent for your existing database. If you belong to any association you must check their codes and standards as they may impose stricter conditions even before POPIA comes into force. Once POPIA is in force you should not be choosing this option.
Key points and possible actions
How must you get consent?
Key points and possible actions
How can we help you?
How long can I retain personal information?
You must not retain personal information for any longer than you need it to achieve the purpose (the reason why you collected it).24 In the case of a data storage service, your purpose will be related to retaining the information for lengthy periods of time. As long as this purpose is clear to the customer then you should be able to retain information for the required time period.
Once the purpose is complete, you must delete the personal information, unless you can find a justification for retaining it.25
23 http://www.michalsons.co.za/consent-POPIA-and-other-legal-requirements/12623
24 POPIA, section 14(1)
25 POPIA, section 14(1)(a)-(d)
Key points and possible actions
How can we help you?
What happens if another law requires me to retain a record that includes personal information?
If another law requires you to retain the information for a longer period than POPIA prescribes, that law will prevail.
What about the rest of the world?
There have been data protection laws in the EU and UK for many years. South Africa is rightly following in the footsteps of the rest of the world – it is not trying to lead the way or be different. POPIA brings South Africa in line with the rest of the world.
The leader in data protection law is Europe. In April 2016, the European Union Parliament adopted the General Data Protection Regulation (GDPR) which prescribes a two-year transition period by which time member states must comply with the regulation which replaces the 1995 Directive. The GDPR applies to any data processing activities that are done by a controller in the EU. It also applies to all processing of the data of data subjects residing in the EU even if the entity processing the data is not in the EU. The GDPR will have far reaching consequences for all businesses. We will discuss the GDPR and how it applies to our business in more detail further in this document.
Prior to the Brexit decision the GDPR would also have applied to the United Kingdom. The UK Data Protection Act is in the process of being replaced. The UK government published the Data Protection Draft Bill 2017 on 14 September 2017.26 This Bill prescribes a similar set of data protection principles to POPIA and the GDPR. Like the GDPR, this Bill also refers to data controllers and data processors. The Bill requires that if you are processing data this must be done lawfully, fairly, for a limited stated purpose, and that the data must not be transferred outside of the EU without adequate protection. The data must be used in a way that is adequate, relevant and not excessive, and kept securely for no longer than is absolutely necessary. The Bill will be similar to the GDPR, but some exceptions are being negotiated.
The United States has limited data protection. They are in the process of legislating for data protection with The Consumer Privacy Bill of Rights Act (CPBORA).
Currently, the EU-US Privacy Shield provides data protection mechanisms for transfer of data between the EU and the US.27 The Privacy Shield replaces the Safe Harbour Agreement that was in operation between the US and Europe. The idea behind the EU-US Privacy Shield is that it will create a blanket permission that allows for the flow of data between the US and EU (like the Safe Harbour Agreement) but this time round the EU has demanded American intelligence agencies are limited in their collection of data on Europeans. The specific details are still being negotiated by the parties but it does look like they will reach a conclusion soon.
Key points and possible actions
26 https://www.gov.uk/government/collections/data-protection-bill-2017
27 https://www.michalsons.com/blog/new-privacy-shield-principles/22170
28 https://www.michalsons.com/blog/what-is-the-impact-of-the-executive-order-on-the-privacy-shield/24576
How can we help you?
Can data be transferred across borders?
You as a responsible party must protect the personal information of your data subjects when the data is transferred to a third party in another country. The other country may not have the same level of data protection as your country.
POPIA says that personal information may not cross borders unless there are measures in place, like:29
29 POPIA, section 72
Key points and possible actions
How can we help you?
Must you still notify regulators in the event of a lost or stolen encrypted device?
No, you do not have to notify the information regulator or the data subjects, because an unauthorised person is unlikely to have accessed the personal information.
Encryption is a way of using keys to lock access to electronic data. Security policies can be set so that if the device does not check in with the server after a period of time, or a user enters an incorrect password too many times, the device is locked. These policies execute even when the device is not connected to the Internet, and you are able to set custom rules. Rattlehub Digital takes protective actions even when the device is not connected to the Internet.
What is the GDPR?
The General Data Protection Regulation or GDPR is a new data protection law Europe has enacted that will apply to the whole of the European Union (EU) as well as many organisations in other parts of the world. The GDPR sets out a number of requirements for anyone who controls personal data (aka the data controller) to lawfully process personal data. If you do business in Europe or target EU citizens, you will have to comply with these requirements.
Many European member states will now amend their data protection laws to be in line with the GDPR if their data protection laws provide less protection than the GDPR.30
30 Germany has already passed its new Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG), which takes the GDPR into account.
Key points and possible actions
How can we help you?
What are the differences between POPIA and the GDPR?
The GDPR uses slightly different terms:
A data subject is a natural person; the GDPR does not provide protection for juristic persons. A data subject may be a citizen of any EU country or of another country.
A data controller is a natural or legal person. The controller determines the purposes and conditions for the processing of personal data. Examples are profit companies, non-profit companies, governments, state agencies and people.
A data processor is a natural or legal person who processes personal data on behalf of the controller. An example is an IT vendor.
The GDPR does not create such serious penalties for failing to protect an account number. It deals with the right to be forgotten and data portability. The GDPR includes a definition of genetic data and requires data controllers to do data protection impact assessments. The fines under the GDPR are much bigger, as they are denominated in euros.
Genetic data as a form of personal information is one of the new aspects of data protection brought about by the GDPR. Genetic data includes certain information about a particular data subject, gathered from blood or tissue samples, for example. It is protected as a special category of personal data under the regulation.
When will the GDPR come into force?
When must you comply by?
The GDPR came into force on 24 May 2016 and the two-year grace period will end on 25 May 2018.
Why is the GDPR relevant to me in South Africa?
The General Data Protection Regulation applies to any data processing activities that are done by a controller in the EU. It also applies to all processing of the data of data subjects residing in the EU even if the entity processing the data is not in the EU. So, if any entity is offering goods and services to EU citizens or monitoring their behaviour they will be required to comply with the GDPR.
What steps must I take to comply with the GDPR?
Data processing under the GDPR must be lawful, transparent and for a specific purpose.
Controllers will have to designate a data protection officer (some small and medium-sized enterprises (SMEs) are exempt). They will also have to keep documentation about their processing activities. Some controllers outside the EU will have to appoint a representative in the EU.
Controllers will have to implement data security requirements and build data protection safeguards into their products and services from an early stage of development (commonly known as privacy by design).
Controllers must perform a data protection impact assessment (some SMEs are exempt) for their high-risk processing activities and, in some instances, this may involve consultation with a supervisory authority before proceeding. Some controllers will have to obtain prior authorisation from a supervisory authority.
Controllers must explain to the data subject that they have the right to transparent and accessible policies that explain how their data will be processed. A data subject must be able to interact with the processing procedure (for example a mechanism for a data subject to request rectification or erasure). Controllers must identify themselves (or their representative) and their data protection officer.
The controller must tell the data subject in a clear and understandable way:
If there is a data breach, controllers must notify the supervisory authority and the data subjects involved. Incident response, and the need for a breach coach, is going to become more important.
When am I processing personal data under the GDPR?
Processing is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.31
Personal data is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
Key points and possible actions
What is data portability?
It is about moving or copying personal data from one place to another, whether from one data controller to another or from one IT system to another. Article 20 sets out the data subject’s right to data portability. This means that the information the data subject has provided to the data controller must be able to be moved in a structured and commonly used format.33
Key points and possible actions
Can data be transferred across borders?
Personal data can be transferred to a third country if the Commission has decided that the third country, territory or international organisation provides an adequate level of protection. The Commission will take the following elements into account when assessing whether there is an adequate level of protection:
Key points and possible actions
How long can I retain personal information?
The data subject has the right to request that the data controller erase their personal data, and the data controller is obliged to do so without undue delay.34
What is the right to be forgotten?
In the GDPR a data subject has the right to have their personal data erased and no longer processed if the personal data is no longer necessary for the original purpose for which it was collected, or if the data subject has withdrawn their consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.35
33 Article 20.1 – 20.3
34 Article 4
35 Article 17
How can we help you?
Permyssion allows data citizens to:
Rattlehub Digital:
Does the GDPR require information security?
Yes, it does. The data controller as well as the data processor are responsible for ensuring that appropriate technical and organisational measures are in place (appropriate to the risk involved). This includes:
In assessing an appropriate level of protection regard must be given to the risks presented by processing, in particular from destruction (whether accidental or unlawful), loss, alteration or unauthorised disclosure of personal data. Any person working for the controller and processor must only process on their respective instructions.
Who regulates the GDPR?
Each member state will create or provide one or more public bodies to be responsible for monitoring the application of the GDPR. These will be known as the ‘supervisory authority’.
Must I notify someone of a data breach?
Yes. The controller must, without undue delay and, if possible, within 72 hours of becoming aware of the breach, notify the supervisory authority of the breach. The notification must include:
The supervisory authorities will act with complete independence and remain free from external influence and not take instructions from anybody.41
You must also notify the data subject of the breach if the breach is likely to result in a high risk to the rights of the person. This notification must also be made without undue delay. The notification to the data subject must be in plain language and contain the same points mentioned above.
36 Article 32
37 Article 43.1
38 Article 32.2- 32.4
39 Article 51
40 Article 51
41 Article 52
42 Article 34
What are useful links for more information?
https://www.rattlehub.com/
http://www.michalsons.com/
http://justice.gov.za/inforeg/
https://www.gov.uk
https://gdpr-info.eu/
https://azure.microsoft.com/en-us/