Despite the spate of data compromises in SA, none of the organisations that suffered a data breach have been fined, the Information Regulator has revealed.
South Africa’s data privacy legislation, the Protection of Personal Information Act (POPIA), came into force on 1 July 2021, following a year-long grace period for organisations to comply with the Act.
POPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.
Breaching the rules and regulations set out in the Act can have serious financial implications for a business, and the consequences can extend well beyond money and be long-lasting.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
The Information Regulator, which is empowered to monitor and enforce compliance by public and private bodies with the provisions of the data privacy law, has yet to issue any such fine since POPIA came into force.
Speaking at a media briefing yesterday, Lebogang Stroom-Nzama, advocate and full-time member at the Information Regulator, stated: “We can levy fines up to the maximum of R10 million but we haven’t levied any fines at this stage.”
“POPIA is still new,” Stroom-Nzama added. “Most of the time we try to educate, but we’re now in a stage whereby after an investigation or an assessment, we’ll take that route.
“We’re trying to be patient to educate and say: ‘POPIA is now in operation, kindly make sure you comply.’ On some matters, we are doing assessments and that will therefore lead us to that route of planning those fines.”
Data breach central
Between 2020 and 2022, an increasing number of South African organisations have fallen prey to data breaches as well as data leaks, with credit bureau TransUnion’s data compromise becoming the second big hack to rock the country.
In August 2020, Experian, a consumer, business and credit information services agency, made headlines after it experienced a data breach that exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
In September 2021, South African banks acknowledged some of their customers’ data was compromised by the cyber attack on debt recovery solutions provider Debt-IN Consultants.
First National Bank, Absa, Standard Bank and African Bank are some of the financial institutions that make use of Debt-IN’s services.
Big-four bank Standard Bank and property firm Lightstone last December confirmed they suffered a data breach that exposed the personal information of property owners. The organisations said information of some property owners in South Africa was accessed without permission through the LookSee online platform.
Other organisations which have also been hit by cyber attacks include Transnet, the South African National Space Agency, and the Department of Justice and Constitutional Development.
More recently, pharmacy retail giant Dis-Chem and retailer Shoprite suffered a data compromise, exposing the personal details of millions of people.
While the regulator has taken a patient stance on issuing fines, Information Regulator chairperson advocate Pansy Tlakula believes POPIA is on par with international data protection and privacy laws.
“It compares quite favourably with the General Data Protection Regulation (GDPR), which people put out there as the ultimate data protection law, but ours is better.”
“POPIA is a complex piece of legislation just to interpret and to apply, and everyone is battling with the interpretation of POPIA.
“We have been patient enough in trying to take our stakeholders along and assist them, but we’ve now come to a point where we have to exercise our powers.”
“We are aware that we’ll be acting against big players and that they have the money to fight and take us to court, but that is a challenge that we’ve geared up for.”