In today's digital era, safeguarding customer information has become a top priority for organisations worldwide. The Protection of Personal Information Act (POPIA) in South Africa plays a crucial role in governing the handling of personal data. Businesses are now compelled to adapt their data processing procedures to align with the recent revisions to POPIA, which carry significant implications for them. In this blog post, we look at the lessons learned from the first case where an enforcement notice issued by the Regulator was not complied with, and what businesses can expect in terms of amendments to POPIA going forward.
The Purpose of POPIA
The Focus of the Information Regulator
Principles and Case Law
Understanding the Implications of POPIA Judgments and Amendments
What Kind of Action Should Your Business Take?
With the increasing importance of data privacy around the globe, the POPIA was enacted to promote the protection of personal information processed by public and private bodies. The introduction of certain conditions that established minimum requirements for the processing of personal information had a significant impact on digital marketers.
The Information Regulator’s core functions in terms of the Promotion of Access to Information Act (PAIA) are to consider complaints received, assist complainants, and investigate complaints, including:
In terms of the POPIA, the Regulator is also mandated to issue notices and make assessments on whether public and private bodies comply with the provisions of PAIA.
The Information Regulator has indicated, in their strategic plan for 2022/2023 to 2026/2027, that their second term focus will be on improving the understanding of the Promotion of Access to Information Act (PAIA) and of the POPIA amongst the public and other stakeholders. According to the Chairperson, “The public can only assert the protection of their personal information and exercise their right of access to information if they understand POPIA and PAIA.”
In addition, there will be a strong emphasis on the implementation of the Information Regulator’s constitutional and legislative mandates. This will enable the Regulator to effectively enforce POPIA and PAIA and assist complainants through effective remedies in cases where their rights have been violated.
POPIA is a law based on principles. That means that South African courts apply the principles of the Act to real-world scenarios. Sometimes the outcomes of these cases have implications for businesses - especially those that handle data. It may be challenging to keep track of what changes you need to make in your business in response to these judgments. This is where legal experts can provide additional value to help you mitigate the risk of non-compliance.
Although no express amendments to the POPIA have, as yet, been proclaimed, the various court judgments do contain important factors to consider. With the penalties for non-compliance reaching up to R10 million or imprisonment for up to 10 years, it is critical for business owners to remain aware of how these judgments impact them. Let’s look at the first case where the Information Regulator imposed a fine on a public body for failing to abide by an enforcement notice, and the lessons learned from this.
In May 2023, the Information Regulator found that the Department of Justice and Constitutional Development had contravened Sections 19 and 21 (both dealing with security measures and confidentiality of information) of the POPIA, based on data breaches in its IT environment that occurred back in September 2021.
According to the media statement issued by the Information Regulator, the data breach resulted in the department’s systems not being available to employees, which also impacted service delivery to members of the public. An investigation revealed that the department had failed to implement adequate security measures to monitor and detect unauthorised exfiltration of data from their systems, which resulted in more than 1200 files being lost. The issue was compounded by the fact that the department had failed to renew various data security, intrusion detection, and antivirus software licences in 2020. Had these been renewed in time, the department would have received alerts of suspicious activity on its network.
In addition, the investigation noted that the department had failed to take reasonable measures to identify and mitigate internal and external risks to the protection of data in its possession or under its control. As a result of these failures, the Information Regulator issued the department with an Enforcement Notice ordering it to take corrective actions, including the renewal of licences and disciplinary action against officials who had failed to implement the required data security measures. The department was given 31 days within which to respond to the Regulator with evidence of remedial actions being taken.
Not only did the department fail to take corrective action, but it also failed to communicate with the Information Regulator on the matter. As a result, the department was fined R5 million for failing to comply with the enforcement notice.
Businesses can learn various lessons from this case:
The outcome of court judgments and amendments to POPIA have significant implications for businesses in South Africa. By staying informed, reviewing and updating your policies, implementing robust security measures, training your staff, and seeking legal advice, you can help ensure that your business remains compliant and can avoid the severe penalties, and related reputational damage, associated with non-compliance.