The judiciary is top among those that require upskilling on all aspects of the Protection of Personal Information Act (POPIA).
This is according to advocate Pansy Tlakula, chairperson of the Information Regulator, the entity empowered to monitor and enforce compliance by public and private bodies within the provisions of POPIA.
Tlakula was speaking at the ITWeb Governance, Risk and Compliance 2023 conference yesterday, where she was the main guest at a fireside discussion with ITWeb editor-in-chief Adrian Hinchcliffe.
Key among what POPIA requires is training people on how to apply the legislation when dealing with data breaches, for example, she noted.
For judges, Tlakula said they don’t like to be trained by non-judges. “You can’t just go to the judiciary and say to them ‘we’re going to train you on POPIA’.”
In the case of lawyers, she indicated some of them have had some training. “Until they go to court and litigate on POPIA, it is all theory at the moment.”
She continued: “I think there’s a need for upskilling of the judiciary, because very soon there’s going to be cases going before the courts. With a fine of R10 million or 10 years of imprisonment, I don’t think any private or public sector body will just take out R10 million and hand it to the regulator; obviously they are going to challenge our decision.
“The decisions of the Information Regulator are binding, so if you don’t want to abide by that decision, you have to challenge it in court. There is a need for everyone to upskill themselves in this piece of legislation.”
As far as the skillset at her organisation is concerned, Tlakula said the skills are adequate at the moment. “A time is going to come, obviously, where we’re going to need more training or even outsourcing.
“If you’re dealing with a data breach of the magnitude of TransUnion, we can investigate it, but at the same time you have to include forensic investigators, IT to investigate that kind of breach.
“What we are doing now, we are creating a special unit in the organisation called the security compromise unit. We have already advertised positions.”
Tlakula said with a staff complement of 100 people, her office’s role is enforcing compliance, as well as educational.
“We are so overwhelmed with requests for education, especially from the private sector. We’re even talking about a strategy of how we are going to do it, because we cannot provide education to individual companies.
“We’re thinking that we should combine sectors, so that if we’re going to be speaking to people we can group them according to the banks, mobile operators or credit bureaus – that’s the strategy we are going to adopt.
“The demand is high. POPIA is a complex piece of legislation and the enforcement thereof is also quite complex.”
Fines on the horizon?
Amid the spate of data compromises in SA, the regulator last June revealed none of the perpetrators had been brought to book, indicating no fines had been issued.
Tlakula acknowledged the complex nature of this process, saying it will require a strategic approach from the regulator.
“We are not naïve, because we live in a country that experiences a high level of crime – serious crime – and the police are not coping with the investigations of serious crime. If we go to the police and say company X has violated POPIA and can you please prosecute, do you think they are going to do that?
“Let’s be realistic about it; they can’t prosecute crime. I’m not saying it will not happen, but what I’m saying is that we have to be strategic as the regulator, in terms of the enforcement of our powers.
“If you have, for instance, one responsible party that was negligent in the way they handled the personal information of four employees; maybe they did not delete the personal information of those employees once they left the company.
“We’ll just inform them to delete that personal information and show us proof it has been deleted, and that will be the end of the matter. We will not go to the police for prosecution of that kind of non-compliance.
“The strategy that we have taken is to look at the magnitude, seriousness, impact and scale of a data breach. These are the cases that we’re going to take forward to the police as far as fines are concerned. We can’t just take any small case – we’ll take the serious ones.”
She wouldn’t be drawn to divulge timeframes as to when to expect the first case for POPIA non-compliance, simply saying she is “not sure”.
Tlakula revealed that, unlike the private sector, the public sector has been slow in acknowledging this piece of legislation.
“POPIA compliance in the private sector is quite high; maybe it’s because the private sector knows that non-compliance will affect their bottom-line. With the public sector, it’s all our monies, isn’t it? If there is a fine, who pays for it? It’s us as taxpayers. Compliance in the public sector is not as good,” she concluded.