The regulator might slap companies with sanctions, including fines of up to R10m or company directors facing imprisonment for up to 10 years. Companies in the regulator’s firing line would ordinarily have weak control systems that fail to protect sensitive information belonging to consumers or even fail to take corrective measures once there is a data breach.
South Africa’s information regulator is getting tough on companies found to have been negligent in safeguarding the personal information of consumers, which lands in the wrong hands through data breaches.
The Information Regulator South Africa is a watchdog that monitors compliance with information protection legislation by private and public sector companies to prevent, among other incidents, data breaches.
The spate of high-profile data breaches in South Africa in recent months has jolted the regulator to launch a unit within its office — supported by forensic investigation and IT skills — that will investigate and impose sanctions against errant companies.
The regulator was launched in 2016, but its powers were limited because the Protection of Personal Information Act (Popia) wasn’t operational at the time. Popia became fully operational on 1 July 2021, on which date the 12-month grace period for company compliance ended, paving the way for the regulator to impose sanctions.
Data breach incidents
Data breaches have worsened in recent months, with the regulator receiving more than 330 reports or complaints since July 2021 against companies. These complaints were lodged by people whose personal information had been compromised.
No fines or other sanctions were imposed against companies that suffered data breaches, with the regulator saying during a press briefing on Wednesday that Popia is still new in South Africa. The information regulator’s chair, Pansy Tlakula, says her office prefers to engage with errant companies and allow them to remedy a suspected data breach before imposing fines.
“But we are prepared to take the route of fines and demonstrate the regulator’s bite,” she says.
The regulator is still willing to show grace to companies that proactively inform it about suspected data breaches, immediately inform affected consumers (and do this publicly), and take demonstrable steps to protect sensitive information.
Regulator’s cash crunch
Arguably, the regulator doesn’t want to find itself in a legal tussle with companies that are flush with cash and have the appetite to appeal against its fines and other sanctions. Companies can lodge an appeal against the regulator’s enforcement notice — detailing how a company breached the Protection of Personal Information Act, and the sanctions against it — by approaching the high court to set aside or vary the notice.
After all, the regulator’s funding from the government is limited and it doesn’t have extensive human resources. The regulator is expected to function optimally this year with approved funding of R100-million from the government, five members (or heads) — two of whom serve on a part-time basis — and about 90 support staff.
Similar information regulators in the UK and US usually have more than 20 members and hundreds of support staff, and extensive budgets that allow them to take on multinational corporations. Tlakula recently said that her office was seriously underfunded by the government and needed more resources to hire individuals with forensic investigative, IT and communications skills. The latter skills are needed to inform and educate the public about the regulator’s mandate and Popia compliance.