POPIA Toolkit - Incident response plan
POPIA Toolkit - Incident response plan & control sheet
Sub Category
Document Type
Final Incident response plan ETDP SETA.docx
Publish Date
Johanette Rheeder
Document Format
1. Introduction: This policy describes the Personal Information Breach Incident Response Plan (‘IRP’) of ____(Pty) Ltd (‘Company’). This plan is derived from industry standards and the applicable provisions of the Protection of Personal Information Act, Act 4 of 2013 (‘POPIA’). Each step is described in detail below; however, these steps are not listed in chronological order, as the application of each step depends on the nature and circumstances of the incident. The steps described below are not a substitute for sound business practices and discretion.

2. Purpose: Having a clear, readily accessible IRP available to implement immediately upon becoming aware of any cyber-incident or data breach is vital. It is also important to implement periodic dry-runs, training, awareness and testing of this IRP to ensure that the IRP is effective. This will facilitate and enable the Company to comply with its obligations under POPIA, navigate the aftermath of cyber-incidents and data breaches, and mitigate any possible liabilities faced by it.

This IRP aims to limit the impact that a Personal Information (‘PI’) breach might have on the Company, its customers, employees, service providers, and third parties (‘Data Subjects’ / ‘DS’) whose PI the Company may hold at any point in time. Timeous action and a coordinated response are key requirements by the Company of the appointed Information Officer (‘IO’)/Deputy Information Officer(s) (‘DIO’), the employees, and the Management of the Company.