The Impact of the POPIA Amendments on South African Businesses


    In today's digital era, safeguarding customer information has become a top priority for organisations worldwide. The Protection of Personal Information Act (POPIA) in South Africa plays a crucial role in governing the handling of personal data. Businesses are now compelled to adapt their data processing procedures to align with the recent revisions to POPIA, which carry significant implications for them. In this blog post, we look at the lessons learned from the first case where an enforcement notice issued by the Regulator was not complied with, and what businesses can expect in terms of amendments to POPIA going forward. 

    Covered in this article

    The Purpose of POPIA
    The Focus of the Information Regulator 
    Principles and Case Law
    Understanding the Implications of POPIA Judgments and Amendments
    What Kind of Action Should Your Business Take? 

    The Purpose of POPIA 

    With the increasing importance of data privacy around the globe, the POPIA was enacted to promote the protection of personal information processed by public and private bodies. The introduction of certain conditions that established minimum requirements for the processing of personal information had a significant impact on digital marketers.

    The Focus of the Information Regulator 

    The Information Regulator's core functions in terms of the Promotion of Access to Information Act (PAIA) are to consider complaints received, assist complainants, and investigate complaints, including:

    • Serving an information notice to the Information Officer or head of a private body
    • Referring a complaint to the enforcement committee
    • Deciding to take no action on the complaint
    • Attempting to settle a complaint through conciliation; and
    • Issuing enforcement notices after considering the recommendations of the enforcement committee.

    In terms of the POPIA, the Regulator is also mandated to issue notices and make assessments on whether public and private bodies comply with the provisions of PAIA.

    Plans For The Next Few Years

    The Information Regulator has indicated, in its strategic plan for 2022/2023 to 2026/2027, that its second-term focus will be on improving the understanding of the Promotion of Access to Information Act (PAIA) and of the POPIA amongst the public and other stakeholders. According to the Chairperson, “The public can only assert the protection of their personal information and exercise their right of access to information if they understand POPIA and PAIA.”

    In addition, there will be a strong emphasis on the implementation of the Information Regulator’s constitutional and legislative mandates. This will enable the Regulator to effectively enforce POPIA and PAIA and assist complainants through effective remedies in cases where their rights have been violated.

    Principles and Case Law

    POPIA is a principles-based law. That means that South African courts apply the principles of the Act to real-world scenarios. Sometimes the outcomes of these cases have implications for businesses - especially those that handle personal data. It may be challenging to keep track of what changes you need to make in your business in response to these judgments. This is where legal experts can provide additional value to help you mitigate the risk of non-compliance.

    Understanding the Implications of POPIA Judgments and Amendments

    Although no express amendments to the POPIA have, as yet, been proclaimed, the various court judgments do contain important factors to consider. With the penalties for non-compliance reaching up to R10 million or imprisonment for up to 10 years, it is critical for business owners to remain aware of how these judgments impact them. Let’s look at the first case where the Information Regulator imposed a fine on a public body for failing to abide by an enforcement notice, and the lessons learned from this. 

    Do Not Ignore Any Enforcement Notices

    In May 2023, the Information Regulator found the Department of Justice and Constitutional Development had contravened Sections 19 and 21 (both dealing with security measures and confidentiality of information) of the POPIA based on data breaches in its IT environment that occurred back in September 2021. 

    According to the media statement issued by the Information Regulator, the data breach resulted in the department’s systems not being available to employees, which also impacted service delivery to members of the public. An investigation revealed that the department had failed to implement adequate security measures to monitor and detect unauthorised exfiltration of data from their systems, which resulted in more than 1200 files being lost. The issue was compounded by the fact that the department had failed to renew various data security, intrusion detection, and antivirus software licences in 2020. Had these been renewed in time, the department would have received alerts of suspicious activity on its network. 

    In addition, the investigation noted that the department had failed to take reasonable measures to identify and mitigate internal and external risks to the protection of data in its possession or under its control. As a result of these failures, the Information Regulator issued the department with an Enforcement Notice ordering it to take corrective actions, including renewal of licences and disciplinary action against officials who failed to implement the required data security measures. The department was given 31 days within which to respond to the Regulator with evidence of remedial actions being taken.

    Not only did the department fail to take corrective action, it also failed to communicate with the Information Regulator on the matter. As a result, the department was fined R5 million for failing to comply with the enforcement notice.

    Lessons Learned

    Businesses can learn various lessons from this case: 

    • Conduct a regular risk assessment to identify all risks pertaining to data security.
    • Make sure that you have adequate technical safeguards and internal controls in place to comply with the requirements of POPIA and mitigate data security risks. 
    • Ensure that the team members in your business dealing with these matters have sufficient skills and tools to achieve security objectives. 
    • Notify the Information Regulator of any data breaches. The breach in and of itself is not an offence under POPIA, but the failure to have appropriate security measures in place to protect personal information is a major red flag.
    • Comply with enforcement notices - these give you an opportunity to take swift corrective actions and manage reputational risk to your business. Where an enforcement notice is issued and no action is taken, you are very likely to receive a fine from the Regulator. 
    • The Information Regulator will take action against violations of personal information. The wheels of justice may turn slowly but sooner or later, they do turn. Make sure that your business is not caught off guard. 

    What Kind of Action Should Your Business Take? 

    The outcomes of court judgments and amendments to POPIA have significant implications for businesses in South Africa. By staying informed, reviewing and updating your policies, implementing robust security measures, training your staff, and seeking legal advice, you can help ensure that your business remains compliant and avoids the severe penalties, and related reputational damage, associated with non-compliance.
