South African businesses and regulatory authorities will have watched – with one eye – the actions of European data regulators who issued a record R55 billion in fines for data and privacy breaches last year, with Facebook owner, Meta the hardest hit. The highest fine of R7 billion was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited – specifically to Instagram for its various alleged failure to protect children’s personal data.
South Africa’s equivalent to GDPR, the Protection of Personal Information Act (POPIA), was introduced with a great deal of vigor and fanfare, along with stern warnings that there would be retribution from the Information Regulator if enterprises failed to implement the requirements of the privacy rules on time and in a correct fashion. However skeptical that any real action would be taken immediately after the deadline for implementation, most businesses quickly scrambled towards compliance with the POPIA regulation.
The purpose of the POPI Act is to give individuals increased control over how their personal data is collected and used by public and private entities. The deadline for being compliant with POPIA was 01 July 2021, and the 12-month grace period has long-since passed. Yet, despite the Act and the increased controls in place, storing and selling personal data is still a booming industry. In recent months, the battle for data privacy has been hard-fought and often lost by organisations such as Transunion, Experian and Dis-Chem. The Information Regulator has been inundated with complaints and breaches in several industries from banking to healthcare. Still, it has appeared that the Regulator has been quite lenient in this sense and so naturally, for many companies, POPIA compliance has taken a back seat despite the risk. In the eyes of the public, the watchdog has been letting breaches slip by, so it’s no wonder companies have not flinched at the thought of facing the legal consequences of non-compliance.
However, despite the lack of fines and the difficulty of registering Information Officers via the Information Regulator’s website, the perceived ‘stay-of-execution’ is actually – and surprisingly – in line with international standards. In fact, it took almost two years for the first General Data Protection Regulation (GDPR) fines to be issued in Europe. This would indicate that the South African subjects of GDPR’s cousin should expect more and more action by the Regulator to trickle down from larger corporations to medium and small enterprises over the coming 18 months.
How should business owners respond? As we look to the Information Regulator to begin more actively monitoring and enforcing compliance by public and private bodies with the provisions of the POPIA Act, this is an ideal opportunity for businesses to begin stress-testing the robustness of their POPIA controls. This can be achieved by assessing any privacy risks that exist throughout their data processing activities and by performing personal information impact assessments to ensure that adequate safeguards are implemented. It is also advisable for business owners to regularly consult their legal expert who will be able to assess POPIA compliance requirements such accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
At the same time, businesses should take note that the Information Regulator has extended the reach of its regulatory mandate functions to the Promotion of Access to Information Act (PAIA) – related to the promotion of transparency, accountability, and the effective governance of all public and private bodies.
The temptation to apply a ‘wait and see’ policy to the enforcement of the regulations by many businesses is a dangerous tactic. It must be remembered that the Acts give data subjects (clients) the capacity to report transgressions directly to the Information Regulator, so it is only a matter of time before the proverbial chickens come home to roost.
Koos Benadie | Director