Despite mounting criticism around the lack of compliance and enforcement of the country’s data protection law, the Information Regulator is of the view it is making strides, albeit slowly.
Some members of the public expressed their frustrations to ITWeb, accusing the regulator of taking too long to respond to queries about unauthorised disclosure of personal information.
Industry insiders have also said the compromiseof credit bureau TransUnion’s data would have been the perfect case for the regulator to show its teeth.
Information Regulator part-time member Mfana Gwala yesterday acknowledged the criticism, saying since the regulator has been established, it is said to have “no teeth”.
“The regulator was established in SA in 2016, so we’re actually in the second term of the regulator,” he stated. “Unfortunately, we’re still dealing with a lot of data breaches…and in some cases, this is the result of capacity issues in dealing with those.”
Gwala was part of a high-level panel discussion at the 2022 Data Protection Africa Summit, which kicked-off yesterday in Illovo, Johannesburg.
Organised in partnership with the Information Regulator, the fifth annual summit takes place under theme “Developing data protection for Africa’s digital economy”, with the objective to build capacity, facilitate collaboration and explore data protection and privacy on the continent.
According to Gwala, the fact that the Information Regulator’s Enforcement Committee has been established signals steps in the right direction for the information watchdog.
The committee was established after the regulator came under fire from the public about its slow responsiveness to deal with data privacy complaints.
Gwala explained: “The enforcement powers of the regulator only came into effect recently. On the 15th of November, we had our first [Enforcement Committee] meeting, which I’m part of.
“The first thing that we dealt with was an assessment that was done by the regulator on compliance by municipalities. The assessment targeted about 15 district and metropolitan municipalities, focusing on access to information as defined by PAIA.
“Out of the 15 municipalities assessed, I think only one municipality came close to 100% compliance. Most of them had non-compliance... no deputy information officers in terms of the data protection Act and quite a few were confused about compliance with the provisions of the Act.”
No fines in sight
South Africa’s data privacy legislation − the Protection of Personal Information Act (POPIA) − came into forceon 1 July 2021, following a year-long grace period for organisations to comply with the Act.
POPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for the business, which can cost more than money and have long-lasting consequences.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
However, not one fine has been issued, to date, the Information Regulator’s Lebogang Stroom-Nzama previously revealed.
Stroom-Nzama pointed to POPIA still being the cause of the delay in fines, adding that most of the time the regulator tries to educate.
She explained at the time: “We’re trying to be patient to educate and say ‘POPIA is now in operation, kindly make sure you comply.’ On some matters, we are doing assessments and that will therefore lead us to that route of planning those fines.”
Between 2020 and 2022, SA saw an alarming number of data compromise incidents, with organisations falling prey to data breaches as well as data leaks.
In August 2020, Experian, a consumer, business and credit information services agency, made headlines after it experienced a data breach that exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
In September 2021, South African banks acknowledged some of their customers’ data was compromised by the cyber attack on debt recovery solutions provider Debt-IN Consultants.
First National Bank, Absa, Standard Bank and African Bank are some of the financial institutions that make use of Debt-IN’s services.
Big-four bank Standard Bank and property firm Lightstone last December confirmed they suffered a data breach that exposed the personal information of property owners. The organisations said information of some property owners in South Africa was accessed without permission through the LookSee online platform.
Other organisations that have been hit by cyber attacks include Transnet, the South African National Space Agency, and the Department of Justice and Constitutional Development.
Pharmacy retail giant Dis-Chem and retailer Shoprite have also suffered data compromises, exposing the personal details of millions of people.
Share