POPIA enters the terrible twos
4 July 2023
by Ridwaan Boda and Alexander Powell
Just over two years ago, many companies were panicking about POPIA coming into force and were rushing to comply by the deadline of 1 July 2021. We take a look at key developments and challenges that have affected companies since POPIA came into force.
In September 2021, the Department of Justice and Constitutional Development (the “Department”) suffered a security compromise as a result of weaknesses in its IT systems. During that month, the Department’s systems were unavailable to its employees, which affected the services provided to the public. This security compromise resulted in the loss of approximately 1 204 files that contained personal information. All electronic services provided by the Department were affected, and the IT systems of the Information Regulator (“Regulator”), established in terms of POPIA and overseen by the Department, were also impacted.
The Regulator found that the Department had failed to implement adequate technical measures to monitor and detect unauthorised access to data in its possession. It also found that the Department had not taken reasonable measures to identify or foresee internal and external risks to the protection of the personal information it processes. Additionally, the Department failed to establish and maintain appropriate safeguards against the identified.
On 9 May 2023, the Regulator issued an Enforcement Notice to the Department in which it ordered the Department to take several steps to remedy the non-compliance. The Regulator warned the Department that failure to comply with the notice would result in the Department being guilty of an offence under POPIA, which may incur an administrative fine of an amount not exceeding ZAR10-million. The individuals responsible for the security breach can also face conviction and imprisonment for a period not exceeding 10 years. The Regulator imposed a fine of ZAR5-million on 3 July 2023 after the Department failed to comply with the notice. This is the first fine that the Regulator has ever issued under POPIA.
Ironically, the Department was subject to another cyber-attack on 6 April 2023, but it was only discovered and reported several days later. This time, the hackers targeted the Department’s Guardian’s Fund in KwaZulu-Natal and the Free State and made off with R18-million.
According to section 22 of POPIA, a security compromise occurs when there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. A responsible party’s obligations to notify the Regulator and data subjects affected by the compromise are triggered as soon as the responsible party becomes reasonably aware of the security compromise.
In the past two years, we have seen companies struggle to comply with their reporting obligations for various reasons:
- Reporting obligations are triggered by reasonable knowledge of a security compromise, not actual knowledge. This means that companies must have sufficient security measures in place to detect and investigate a potential security compromise and to form a preliminary assessment as to whether there may have been unauthorised access to or acquisition of personal information. Practically, this means companies do not have the luxury of time to launch a thorough forensic investigation into the compromise to factually determine whether a compromise has occurred before the reporting obligation arises.
- Unlike other privacy laws around the world (such as the GDPR), there is no “harm” or “impact” threshold to trigger a responsible party’s reporting obligations under POPIA. Even if a compromise is unlikely to cause harm or loss to a data subject, reporting obligations still apply. This means that seemingly low-risk events, such as a stolen work laptop that is subsequently locked by the company’s IT department to prevent unauthorised access, or an email containing personal information sent to the wrong person but successfully recalled before being read, fall within the scope of reportable security compromises.
Companies have shown varying degrees of compliance with their reporting obligations, with some reporting every security compromise and others weighing the risks of reporting a security compromise and sometimes electing not to report at all (an approach we wouldn’t endorse).
In the past year, the Regulator has been particularly critical of certain entities’ approach to security and reporting obligations, and in August 2022, it published Guidelines regarding the reporting of security compromises under POPIA and a .
Section 69 of POPIA prohibits direct marketing by means of unsolicited electronic communications, including automatic calling machines, facsimile machines, SMS or email, unless the data subject has given their consent to the processing or is a customer of the responsible party.
In a media briefing on 29 June 2022, the Regulator discussed the progress made since the enforcement of POPIA and proposed further measures to ensure the protection of personal information.
Notably, the Regulator mentioned that it has received and pre-investigated over 700 complaints from data subjects, most of which related to direct marketing. The Regulator expressed grave concern about the nature of these complaints, as they indicate a lack of compliance by responsible parties with sections 69 and 11 (which relates to a lawful justification for the processing of personal information) of POPIA, as well as the sale of personal information. A direct marketing code of conduct is currently being developed.
In addition to being the POPIA watchdog, the Regulator also oversees the enforcement of the Promotion of Access to Information Act, 2000 (“PAIA”).
During the briefing, the Regulator Chairperson reiterated the role of the Regulator by describing its public dual function of firstly ensuring the protection of personal information and secondly, of ensuring effective access to information.
The Regulator Chairperson stated that the public has a right to access information, and where they are denied access, they have a right to lodge a complaint with the Regulator. PAIA plays a pivotal role in ensuring transparency and accountability in both public and private sectors.
PAIA requires information officers from public bodies to submit annual reports on the access to information requests to the Regulator. The Regulator can also request reports setting out various details on requests for access to information.
On 7 May 2023, the Regulator issued a media statement calling for information officers and heads of private bodies to submit their annual reports on access to information for the 2022-2023 financial year by 30 June 2023 (the Regulator has since extended the deadline to 7 July 2023). The reports are needed for the generation of statistics and insights into whether both private and public bodies are receiving and recording requests for information. The Regulator will rely on such information in its own Annual Report to the National Assembly on PAIA-related issues.
Whatever your current POPIA practices look like, it is important to remember that privacy compliance is an ongoing exercise. This means ongoing monitoring, review, and adapting your compliance measures to evolving privacy requirements and changes in your organisation. Examples of ongoing efforts include:
- regularly testing and verifying your security measures – ensure that your security measures and employee training remain responsive and robust to the evolving landscape of cyber threats
- running data breach and cyber security dry runs – ensure you are ready when the almost inevitable occurs
- continuing to perform privacy impact assessments – keep abreast of new projects, initiatives, or changes to existing systems or processes in your company that involve the collection or processing of personal information, as these will require new privacy impact assessments to be completed
- connecting with privacy professionals – learn from and engage with fellow privacy professionals to see what their companies are experiencing as they navigate this new era of privacy compliance
- staying tuned to regulatory updates – keep an eye out for updates, media statements and press releases from the Information Regulator so that you keep up to date with developments in law and industry best practices
- training, training, training – conduct regular privacy training for employees (especially new joiners) to ensure they understand the company’s policies and processes and their responsibilities in protecting personal information.
Technology, Media and Telecommunications | Executive and Co-Head of Data Protection
Banking and Finance | Executive and Co-Head of Data Protection
Technology, Media and Telecommunications | Senior Associate