SA information regulator ready to fine and jail company directors for data breaches
The regulator might slap companies with sanctions, including fines of up to R10m or company directors facing imprisonment for up to 10 years. Companies in the regulator’s firing line would ordinarily have weak control systems that fail to protect sensitive information belonging to consumers or even fail to take corrective measures once there is a data breach.
South Africa’s information regulator is getting tough on companies found to have been negligent in safeguarding consumers’ personal information, which then lands in the wrong hands through data breaches.
The Information Regulator South Africa is a watchdog that monitors compliance with information protection legislation by private and public sector companies to prevent, among other incidents, data breaches.
The spate of high-profile data breaches in South Africa in recent months has jolted the regulator to launch a unit within its office — supported by forensic investigation and IT skills — that will investigate and impose sanctions against errant companies.
The regulator was launched in 2016, but its powers were limited because the Protection of Personal Information Act (Popia) wasn’t operational at the time. Popia became fully operational on 1 July 2021, on which date the 12-month grace period for company compliance ended, paving the way for the regulator to impose sanctions.
The unit that will investigate data breaches — the Security Compromise Unit — may now make findings and recommendations against companies entrusted to safeguard the personal information of consumers. The recommendations might include the regulator slapping negligent companies with sanctions including fines of up to R10-million or company directors facing imprisonment for up to 10 years.
Data breach incidents
Data breaches have worsened in recent months, with the regulator receiving more than 330 reports or complaints against companies since July 2021. These complaints were lodged by people whose personal information had been compromised.
Companies that have reported suspected breaches in recent months include Liberty, Standard Bank, Absa, Dis-Chem, Shoprite, Experian and TransUnion (consumer credit bureaus), and others that don’t usually grab headlines. In some cases, the personal information of consumers (such as their names, surnames, cellphone numbers and email addresses) was exposed.
No fines or other sanctions have been imposed against companies that suffered data breaches, with the regulator saying during a press briefing on Wednesday that Popia is still new in South Africa. The information regulator’s chair, Pansy Tlakula, says her office prefers to engage with errant companies and allow them to remedy a suspected data breach before imposing fines.
“But we are prepared to take the route of fines and demonstrate the regulator’s bite,” she says.
The regulator is still willing to show grace to companies that proactively inform it about suspected data breaches, immediately inform affected consumers (and do this publicly), and take demonstrable steps to protect sensitive information.
Regulator’s cash crunch
Arguably, the regulator doesn’t want to find itself in a legal tussle with companies that are flush with cash and have the appetite to appeal against its fines and other sanctions. Companies can lodge an appeal against the regulator’s enforcement notice — detailing how a company breached the Protection of Personal Information Act, and the sanctions against it — by approaching the high court to set aside or vary the notice.
After all, the regulator’s funding from the government is limited and it doesn’t have extensive human resources. The regulator is expected to function optimally this year with approved funding of R100-million from the government, five members (or heads) — two of whom serve on a part-time basis — and about 90 support staff.
Similar information regulators in the UK and US usually have more than 20 members and hundreds of support staff, and extensive budgets that allow them to take on multinational corporations. Tlakula recently told Business Maverick that her office was seriously underfunded by the government and needed more resources to hire individuals with forensic investigative, IT and communications skills. The latter skills are needed to inform and educate the public about the regulator’s mandate and Popia compliance.
Beyond data breaches, Tlakula’s office also monitors call centres and telemarketing groups that often use irregular means to access people’s contact details to sell them products. On this pernicious behaviour, the information regulator has received more than 700 complaints from the public since last July that it is still investigating. DM/BM
Daily Maverick © All rights reserved