Since May we have seen a flurry. Not the soft and sweet kind from McDonald's, but rather a flurry of enforcement notices from the Information Regulator (“the Regulator”) in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”)[1]. The Regulator started with the public sector, issuing its first enforcement notice to the Department of Justice and Constitutional Development (“DoJ”). Shortly after, the South African Police Service (“SAPS”) followed, and the latest notice went to Dis-chem.
All these notices sprang from data breaches that happened over the past few years. The Regulator expressed its concern last year about the prevalence of data breaches in South Africa and established the Security Compromise Unit to investigate data breaches and make recommendations based on its findings[2].
As responsible parties we can choose to learn either the easy way or the hard way. The hard way is learning from your own mistakes, and the Regulator has demonstrated that this may mean a hefty fine[3]. The easy way is learning from others, or in this case from what the Regulator says in the enforcement notices. Here are the top three things you can do:
Dust off your PIIA
Regulation 4(1)(b) of the POPIA Regulations requires information officers to conduct a personal information impact assessment (“PIIA”). If the last time you did a PIIA was back in 2021, just before POPIA came into operation, it is time to dust it off and review it. Chances are that several changes have taken place in your business that affect the way you process personal information, and you will need to implement new measures to ensure that you still comply with the conditions for lawful processing set out in POPIA.
If you have never done a PIIA, now is the time to get it done. Both Dis-chem and the DoJ were required to produce their PIIAs. If you do not know what personal information you process, what processing activities you conduct, or the state of your security, you will not know how to construct your compliance framework. In simple terms, you need to conduct a risk assessment that identifies the POPIA risks your business faces, so that you know which measures to put in place to minimise or eliminate those risks, and then implement them as part of your compliance framework.
In case of a data breach…
Over and above having appropriate security measures in place, you must also have a plan for dealing with the moments when things go wrong. Assuming that your business will not fall victim to a data breach would be misguided.
According to the enforcement notice issued to Dis-chem, the Regulator expects to see an Information Security Policy, an adequate Incident Response Plan and the implementation of any applicable industry specific data security standards as a minimum.
Prevention is better than cure, and for this you need to ensure that your security measures stay up to date and remain adequate. One of the findings against the DoJ was that it had failed to renew various licences for its security software, which would, for example, have detected unauthorised access to its systems.
Train your employees
You need to ensure that your employees are trained on their obligations in terms of POPIA as well as on your policies and procedures. Human error remains one of the top causes of data breaches, so training is a valuable tool for mitigating the risk. Make sure that you can evidence attendance at the training as well as the training material used.
The enforcement notices issued against both the DoJ and the SAPS indicated that all employees should receive training on POPIA. The Regulator also expected that internal investigations into data breaches be conducted, and that disciplinary hearings take place where applicable. This further underlines the importance of training. Training should not be treated as an annual event; employees should be reminded of their responsibilities on an ongoing basis.
[1] The Regulator also issued an enforcement notice in terms of the Promotion of Access to Information Act 2 of 2000.
[2] Media Breakfast Briefing by Adv Pansy Tlakula: https://inforegulator.org.za/wp-content/uploads/2020/07/Information-Regulator-Media-Breakfast-Address_29-June-2022.pdf