TradeJournal

Data Breach Response Plan

Last Updated: 7 April 2026

Tapnet Solutions (Pty) Ltd

tradejournal.co.za

1. Purpose

This Data Breach Response Plan sets out the procedures that Tapnet Solutions (Pty) Ltd, trading as TradeJournal, will follow in the event of a data breach involving personal information.

Section 22 of the Protection of Personal Information Act 4 of 2013 (POPIA) requires that where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects as soon as reasonably possible.

This policy applies to tradejournal.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd.

2. Definition of a Breach

A "data breach" or "security compromise" means any event where personal information processed by Tapnet Solutions (Pty) Ltd is subject to:

  • Unauthorised access to personal information
  • Unauthorised disclosure of personal information
  • Loss of personal information
  • Damage to or corruption of personal information
  • Destruction of personal information (whether intentional or accidental)

This includes breaches caused by cyber attacks, human error, system failures, theft, or any other cause.

3. Breach Response Team

The breach response team is responsible for coordinating the response to any data breach. The team is led by the Information Officer:

Information Officer

Wynand de Beer

Email: wynand@tapnet.co.za

Phone: 079 174 8357

The Information Officer has the authority to activate this response plan, engage external assistance if required, and make decisions regarding notification and remediation.

4. Step-by-Step Response Procedure

a. Discovery and Initial Assessment (0 -- 24 hours)

Upon discovery or report of a potential breach, the following immediate actions are taken:

  • Identify the nature and scope of the breach
  • Contain the breach to prevent further unauthorised access or loss (e.g., revoke access, disable compromised accounts, patch vulnerabilities)
  • Preserve all evidence related to the breach (logs, screenshots, affected records)
  • Notify the Information Officer immediately if not already aware
  • Document the date, time, and circumstances of discovery

b. Investigation (24 -- 72 hours)

A thorough investigation is conducted to determine:

  • What personal information was affected (type and sensitivity)
  • How many data subjects are affected
  • The root cause of the breach
  • Whether the breach is ongoing or has been fully contained
  • Whether any personal information has been used or further disclosed

c. Risk Assessment

The Information Officer assesses the likelihood that the breach will result in harm to the affected data subjects. Factors considered include:

  • The type and sensitivity of the personal information involved
  • Whether the information was encrypted or otherwise protected
  • The identity and intent of the unauthorised party (if known)
  • Whether the information could be used for identity theft, fraud, or other harm
  • The number of data subjects affected

d. Notification to Information Regulator

The Information Regulator must be notified as soon as reasonably possible after the breach has been discovered. The notification must include:

  • A description of the breach
  • The categories and approximate number of data subjects affected
  • The contact details of the Information Officer
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

Information Regulator (South Africa)

Email: enquiries@inforegulator.org.za

Phone: 012 406 4818

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

P.O. Box: P.O. Box 31533, Braamfontein, Johannesburg, 2017

e. Notification to Data Subjects

Affected data subjects must be notified as soon as reasonably possible, in writing (via email). The notification must include:

  • A description of the breach in plain language
  • What personal information was compromised
  • What steps we are taking to address the breach
  • What steps the data subject should take to protect themselves
  • Contact details of the Information Officer
  • Contact details of the Information Regulator

f. Remediation

Following containment and notification, the following remediation steps are taken:

  • Fix the vulnerability or weakness that caused or permitted the breach
  • Implement additional safeguards to prevent similar breaches in future
  • Update security policies and procedures as needed
  • Provide additional training or awareness where human error was a factor

g. Documentation

A comprehensive record of the breach is maintained, including:

  • All actions taken during the response
  • A complete timeline of events
  • All decisions made and their rationale
  • Copies of all notifications sent to the Information Regulator and data subjects
  • Evidence gathered during the investigation

h. Post-Incident Review

After the breach has been resolved, a post-incident review is conducted to identify:

  • Lessons learned from the incident
  • Whether the response plan was effective and what could be improved
  • Whether additional policies, training, or technical measures are needed
  • Updates to this response plan based on the review

5. Notification Template -- Information Regulator

To: Information Regulator (South Africa)

From: Tapnet Solutions (Pty) Ltd, trading as TradeJournal

Date: [Date of notification]

Subject: Notification of Security Compromise -- POPIA Section 22


Dear Information Regulator,

We are writing to notify you of a security compromise involving personal information processed by Tapnet Solutions (Pty) Ltd.

1. Description of the breach:
[Describe the nature of the breach, how it occurred, and when it was discovered]

2. Categories of data subjects affected:
[e.g., registered users, subscribers, contact form respondents]

3. Approximate number of data subjects affected:
[Number or estimate]

4. Categories of personal information affected:
[e.g., names, email addresses, trading journal data]

5. Likely consequences of the breach:
[Describe the potential harm to data subjects]

6. Measures taken or proposed:
[Describe containment, remediation, and preventative measures]

7. Contact details of Information Officer:

Wynand de Beer
Email: wynand@tapnet.co.za
Phone: 079 174 8357

Yours faithfully,
Wynand de Beer
Information Officer
Tapnet Solutions (Pty) Ltd

6. Notification Template -- Data Subjects

From: Tapnet Solutions (Pty) Ltd, trading as TradeJournal

Date: [Date of notification]

Subject: Important Notice: Security Incident Affecting Your Personal Information


Dear [Data Subject Name],

We are writing to inform you of a security incident that may have affected your personal information held by TradeJournal.

What happened:
[Plain-language description of the breach]

What information was affected:
[List the specific types of personal information compromised]

What we are doing:
[Describe the steps taken to address the breach and prevent recurrence]

What you should do:
[Provide specific, actionable recommendations, e.g., change your password, monitor account activity]

Contact our Information Officer:

Wynand de Beer
Email: wynand@tapnet.co.za
Phone: 079 174 8357

Contact the Information Regulator:

Information Regulator (South Africa)
Email: enquiries@inforegulator.org.za
Phone: 012 406 4818
Website: https://inforegulator.org.za

We sincerely apologise for any inconvenience or concern this may cause.

Yours faithfully,
Wynand de Beer
Information Officer
Tapnet Solutions (Pty) Ltd

7. Record Keeping

All records relating to data breaches, including investigation reports, notifications, evidence, and post-incident reviews, are retained for a minimum of 7 years from the date of the breach.

These records are stored securely and access is limited to the Information Officer and authorised personnel involved in the response.

8. Testing

This Data Breach Response Plan is tested annually through tabletop exercises to ensure that:

  • All personnel are familiar with their roles and responsibilities
  • The response procedures are practical and effective
  • Notification templates and contact details are up to date
  • Any weaknesses in the plan are identified and addressed

9. Contact

To report a suspected data breach or for questions about this plan, please contact:

Information Officer

Wynand de Beer

Email: wynand@tapnet.co.za

Phone: 079 174 8357

Address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa

Information Regulator (South Africa)

Email: enquiries@inforegulator.org.za

Phone: 012 406 4818

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Website: https://inforegulator.org.za

This site is operated by Tapnet Solutions (Pty) Ltd.