Addressing The Gaps In The Data Protection, Privacy And Surveillance Legislation

3.6. Security Breach

Section 19 of the Cyber and Data Protection Act is too narrow in scope and accordingly fails to deal adequately with data security breaches. For instance, it does not prescribe the minimum contents of the notification that the data controller must make to the National Data Authority in the event of a security breach.22 Further, it does not oblige the data controller to notify the affected data subjects of a personal data breach. Such notification is particularly necessary and important where the breach is likely to result in a high risk to the rights and freedoms of natural persons.23 Accordingly, Section 19 of the Act needs to be amended to address these deficiencies.

3.7. Obligations of Data Controllers

Section 22 of the Cyber and Data Protection Act implies that data controllers must seek specific authorisation from the National Data Authority for data processing that poses specific risks to the fundamental rights of data subjects. It is submitted that Section 22 of the Act should be amended to impose on the data controller an obligation to carry out an assessment of the impact of the envisaged processing before the National Data Authority can grant the authorisation.24 Further, it is submitted that the Act needs to expressly impose on data controllers an obligation to have privacy policies in appropriate circumstances. In that regard, the Act should also prescribe the minimum content of such privacy policies to promote standardisation, harmonisation and user-friendliness. For instance, the Act should require privacy policies to set out data subject rights and remedies clearly, concisely and simply. By the same token, data controllers should be required to incorporate in their data policies or codes the obligation to carry out data protection by design and by default.25
Data protection by design entails considering data protection risks while designing a new process, product or service, rather than treating data protection as an afterthought. This involves carefully assessing and implementing appropriate technical and organisational measures and procedures from the outset to ensure that processing complies with the Act and protects the rights of data subjects.26 Data protection by default, on the other hand, entails having mechanisms in place to process only the personal data necessary for each specific purpose. This obligation includes ensuring that only the minimum amount of personal data is collected and processed for a specific purpose; that the extent of processing is limited to what is necessary for each purpose; that the data is stored no longer than necessary; and that access is restricted to what is necessary for each purpose.27 In addition, for transparency, accountability and audit purposes, the Act needs to impose on data controllers an obligation to keep a detailed record of processing activities, including the purpose of the processing, a description of the categories of data subjects and of personal data, and the categories of recipients of the data.28 The obligation may be made subject to the nature and size of the data controller.

22. See Article 33(3) of the EU GDPR.
23. See Article 34(2) of the EU GDPR.
24. See Article 35(1) of the EU GDPR.
25. See Article 25 of the EU GDPR.
26. See Data Protection Laws of the World at page 19.
27. Ibid.
28. See Article 30 of the EU GDPR.

www.misa.org