Good evening. My name is Mrs Non-profit. I’m writing this email to you at a bad time. I need your advice about a data breach we have suffered. I’ve heard that you may be able to help. You apparently do a lot of work for non-profits, especially in the data protection space. Please tell me how to go about dealing with this scenario. Who do I need to tell? I’ve heard that I might need to communicate with the people who are affected. Who else do I need to tell?
The details of the data breach
This saga scares me as much as it breaks my heart that it happened. I didn’t mean for it to happen. I’m not sure whether that makes any difference, but I thought I should just mention that. If only the donor understood that, but let me get to the details first.
This data breach happened in 2018, but we only found out about it recently. We were still a small outfit back then. And that’s part of what’s coming back to bite us. It’s funny how for the longest time all I wanted was for our organisation to grow, but now that it’s grown, the growth has brought us problems. Back to 2018. One of our developers accidentally uploaded documents containing our beneficiaries’ records. Back then, we were doing less to hide people’s full names and details, so there was a clear view for anyone looking. There were even some account numbers, I’m told, but I’m yet to look. I’ve heard something about POPIA making account numbers a big deal. I’ve also heard about the Information Regulator. My understanding is that they’re the regulatory body that looks after POPIA.
One of our main donors found out about this matter and they’ve had a lot to say. According to them, this is a sign that we can no longer be trusted and they’ve asked to review our systems. They say the review will help them feel reassured that the incident was an anomaly. I’m not a big fan of this review. I’ve always reported to donors, but them looking through our books and systems seems a little invasive.
Your help
As you can tell from the above, we’re scratching around trying to unscramble and uncook this egg. Could you please help us? Very important to us is the following:
- What does your help come with or entail?
- Do we have to let our affected people know or can we repair this and move on?
- What is our position with the donor?
- What does POPIA say?
- How does the Information Regulator figure into all of this? Must I notify the regulator of a data breach?
- Do you have any tips?
We look forward to your response.
Kind Regards
Mrs Non-profit.
Written by Sicelo Kula.