In the past few weeks, the Information Regulator of South Africa (Regulator) has been conducting assessments of compliance with South Africa's data protection law, the Protection of Personal Information Act (POPIA). The assessments were conducted on several private bodies across the country, including Nedbank, a financial institution, and the online gifting company Netflorist. The assessments covered critical aspects of compliance such as the types of information the private bodies process, their privacy policies, adherence to the eight conditions for lawful processing of personal information, the security safeguards put in place to avoid or minimise the risk of security compromise incidents (data breaches), policies on direct marketing, and trans-border flows of information where applicable. Furthermore, the assessments sought to ascertain whether the private bodies have provided training to their employees on the application of POPIA, as required by the Regulations.
The Regulator noted with concern the number of security compromises reported by public and private bodies, which led it to question whether these bodies have put in place reasonable measures to ensure the security, confidentiality and integrity of the personal information in their possession. It also raises the question of whether other aspects of the processing of personal information are carried out lawfully.
Recently, IBM (International Business Machines Corporation), a multinational technology company, released its 2023 Cost of a Data Breach Report. The report indicated that the financial sector had the highest average cost of a data breach in South Africa at US$3 885 703, followed by the industrial sector at US$3 789 946 and the services sector at US$3 120 644.
Following the concerns raised regarding security compromises, the Regulator was prompted to take proactive action in accordance with section 89 of POPIA and conduct own-initiative assessments to ascertain whether personal information is being processed in accordance with the provisions of the legislation. The Regulator is also conducting many of these assessments in response to the numerous complaints lodged against certain bodies.
It is crucial for private bodies to prioritise data security and ensure strict adherence to the relevant regulations in order to safeguard sensitive information effectively. The Regulator endeavours to enforce the provisions of POPIA; however, it is equally important for private bodies to proactively evaluate their own data protection practices. This will help private bodies identify potential areas of non-compliance, protect their reputation, and foster trust and confidence among the people whose personal information they hold. The Regulator’s enforcement powers came into effect in 2021, following a grace period that afforded bodies an opportunity to put their compliance and security safeguards in place. Therefore, bodies that are found to be negligent in their practices and non-compliant, thereby compromising the right to privacy of data subjects, will face the full might of the law.