
Business Maverick


SA information regulator ready to fine and jail company directors for data breaches


The regulator might slap companies with sanctions, including fines of up to R10m or company directors facing imprisonment for up to 10 years. Companies in the regulator’s firing line would ordinarily have weak control systems that fail to protect sensitive information belonging to consumers or even fail to take corrective measures once there is a data breach.

South Africa’s information regulator is getting tough on companies found to have been negligent in safeguarding the personal information of consumers, which lands in the wrong hands through data breaches.  

The Information Regulator South Africa is a watchdog that monitors compliance with information protection legislation by private and public sector companies to prevent, among other incidents, data breaches.  

The spate of high-profile data breaches in South Africa in recent months has jolted the regulator to launch a unit within its office — supported by forensic investigation and IT skills — that will investigate and impose sanctions against errant companies. Companies in the regulator’s firing line would ordinarily have weak control systems that fail to protect sensitive information belonging to consumers, or fail even to take corrective measures once there is a data breach.

The regulator was launched in 2016, but its powers were limited because the Protection of Personal Information Act (Popia) wasn’t operational at the time. Popia became fully operational on 1 July 2021, on which date the 12-month grace period for company compliance ended, paving the way for the regulator to impose sanctions. 

The unit that will investigate data breaches — the Security Compromise Unit — may now make findings and recommendations against companies entrusted to safeguard the personal information of consumers. The recommendations might include the regulator slapping negligent companies with sanctions including fines of up to R10-million or company directors facing imprisonment for up to 10 years.  

Data breach incidents  

Data breaches have worsened in recent months, with the regulator receiving more than 330 reports or complaints since July 2021 against companies. These complaints were lodged by people whose personal information had been compromised.  

Companies that have reported suspected breaches in recent months include Liberty, Standard Bank, Absa, Dis-Chem, Shoprite, Experian and TransUnion (consumer credit bureaus), and others that don’t usually grab headlines. In some cases, the personal information of consumers (such as their names, surnames, cellphone numbers and email addresses) was exposed.

No fines or other sanctions were imposed against companies that suffered data breaches, with the regulator saying during a press briefing on Wednesday that Popia is still new in South Africa. The information regulator’s chair, Pansy Tlakula, says her office prefers to engage with errant companies and allow them to remedy a suspected data breach before imposing fines. 

“But we are prepared to take the route of fines and demonstrate the regulator’s bite,” she says.  

The regulator is still willing to show grace to companies that proactively inform it about suspected data breaches, immediately inform affected consumers (and do this publicly), and take demonstrable steps to protect sensitive information. 

Regulator’s cash crunch   

Arguably, the regulator doesn’t want to find itself in a legal tussle with companies that are flush with cash and have the appetite to appeal against its fines and other sanctions. Companies can lodge an appeal against the regulator’s enforcement notice — detailing how a company breached the Protection of Personal Information Act, and the sanctions against it — by approaching the high court to set aside or vary the notice.  

After all, the regulator’s funding from the government is limited and it doesn’t have extensive human resources. The regulator is expected to function optimally this year with approved funding of R100-million from the government, five members (or heads) — two of whom serve on a part-time basis — and about 90 support staff.

Similar information regulators in the UK and US usually have more than 20 members and hundreds of support staff, and extensive budgets that allow them to take on multinational corporations. Tlakula recently told Business Maverick that her office was seriously underfunded by the government and needed more resources to hire individuals with forensic investigative, IT and communications skills. The latter skills are needed to inform and educate the public about the regulator’s mandate and Popia compliance.  

Beyond data breaches, Tlakula’s office also monitors call centres and telemarketing groups that often use irregular means to access people’s contact details to sell them products. On this pernicious behaviour, the information regulator has received more than 700 complaints from the public since last July that it is still investigating. DM/BM