Businesses cannot afford to wait for the proper enforcement of the POPI Act before they start taking steps to safeguard their clients’ information


When news broke of the Liberty data breach in June, a spotlight fell on SA’s data privacy laws. It prompted an investigation by the Information Regulator into the first publicly admitted violation by an SA company of the EU’s General Data Pro-tection Regulations (GDPR). In a conversation with TimesLive, the head of the Information Regulator, Pansy Tlakula said recent data breaches high-lighted ‘the importance of understanding cyber-criminal activities and how they relate to the protection of personal information’.

According to Novation Consulting co-founder Elizabeth de Stadler, data breaches might not be unique to SA, but the country is now ranked as one of the top three worldwide most exposed to cyber risks. De Stadler says that one of the issues is that data privacy and cybercrimes are not effectively regulated yet. ‘The Cybercrimes and Cybersecurity Bill has still not been finalised and no effective date has been announced for the Protection of Personal Information Act, despite the act being signed into law in 2013.’

Another significant data breach was the Jigsaw Holdings leak, in which the personal data of mil-lions of South Africans was compromised when a database backup file, ‘masterdeeds.sql’, was made available online in a public space. ‘This breach highlighted the need for an overarching regulatory framework addressing data protec-tion,’ says Melanie Hart, partner at Fasken.
SA businesses also need to be aware that the GDPR, which came into effect on 25 May 2018, applies not only in the EU member states but also where data is transferred from or to. ‘This means that businesses operating in South Africa that engage in business with persons in EU member states will fall within the ambit of the GDPR and will have to comply with South African law as well as EU law,’ says Hart.

The Protection of Personal Information Act 4 of 2013 – POPIA –was enacted to give effect to the constitutional right to privacy by safeguarding personal information and to align SA’s laws with international legislation addressing data protec-tion. Hart adds that POPIA has been in legislative limbo for some time, with only limited sections (predominantly those relating to the office of the Information Regulator) coming into effect in April 2014. ‘The remaining provisions will come into effect on a date to be determined by the President and it’s unclear when this will be. Until such time as the law is in force, there’s not much one can do about a data breach.
‘Once POPIA is in effect, apart from the penalties and fines that may be imposed by the Information Regulator, the data subject whose rights have been infringed may institute a civil action against the responsible party. The civil action is based on strict liability with only a few limited defences being avail-able to the responsible party.’

The GDPR and POPIA mirror each other in many ways, with transparency being a key requirement under both. Individuals or ‘data subjects’ own their personal information and have the right to be informed about its collection and use. Other than in a few limited instances, personal information must be collected directly from the data subject. However, this requirement does not apply if the data subject has deliberately made the personal information public. Hart says the collection rule will outlaw the practice of companies selling their databases to other companies, ‘unless the data subject has given consent’, says Hart. The EU being one of SA’s biggest trade partners means that another factor that will drive GDPR com-pliance is the ‘risk of reputational harm’.

Gary Allemann, MD of Master Data Manage-ment, believes the Liberty breach should serve as a wake-up call to companies, and a reminder that GDPR compliance is a complex, far-reaching and non-trivial exercise. ‘It applies to an extensive set of personal data elements that may be housed in a number of different systems. How many multi-national organisations do you know of that have all their customer, supplier or employee data in a single system?’ What’s harder to grasp though is the exponential growth of technology within the legal framework. Ian de Beer, CEO of EOH Data Labs, says data is being generated at an unprecedented rate, not only by people, but by devices: sensors, point-of-sale and GPS. He believes that the power of big data, coupled with an analytics ecosystem, lies in the ability to correlate seemingly unrelated events and offer insights that can improve our lives.
‘Predictive and prescriptive analytics allow business, governments and individuals to plan better for a more sustainable future in a resource-constrained world. This unfortunately also allows the same groups to try and manipulate people into making decisions to the benefit of those possessing the technology, rather than for the benefit of the subject or the collective,’ says De Beer. He comments that the individual’s freedom to evolve their choices should never be impeded or obstructed by a narrow view on past behaviour. ‘Therefore the “right to be forgotten” is key to GDPR. Despite POPIA and GDPR, the use of AI on big data sets is not going away, but will continue to increase. According to the IDC, 75% of all busi-ness applications will use AI by 2021.’

Under the GDPR – and POPIA – individuals have a right to request the deletion of their data or a limi-tation of the processing of their data in certain circumstances, explains Hart. In terms of both, all organisations have a duty to report any data breach to the Information Regulator within 72 hours of becoming aware of the breach, where feasible.

Novation Consulting co-founder Paul Esselaar agrees. ‘When you have EU legislation that requires that any company contracting with the EU company must comply with the GDPR then it follows that South African companies must comply if they want to do business with EU companies.’ The laws relating to data protection, including POPIA and the GDPR, do contain exceptions though, and organisations can use data in specific circumstances.

Verlie Oosthuizen, head of social media law at Shepstone and Wylie, re-iterates that the overarching premise of the law is to protect the privacy of individuals. ‘The laws also prevent unwanted intrusions into people’s personal lives, whether that is by reducing excessive approaches from companies selling wares or more nefarious “thought control” through social media campaigns by companies wishing to influence political thought’. Owing to the GDPR, many SA companies are required to ensure data-protection compliance where it has not been an area of focus before.

Oosthuizen believes that compliance will not happen overnight, but that it must be built into business systems and strategies step by step as a matter of priority. ‘A compliance audit exercise needs to be started immediately.’ Esselaar goes on to say that larger organisations must understand that it can take three to six years to become GDPR compliant. ‘This is a massive sea change for South African companies.’ What’s impor-tant to note though is that acceptable security now will not be acceptable security in six months’ time.
‘It’s not good enough to have a standard that is not updated – it must be dynamic to address new threats and developments,’ he adds. ‘This is the way the POPI Act is written, to be flexible enough to adapt to the changing privacy landscape. It can be difficult to pin POPIA down, but at the same time this is it’s saving grace – it is flexible enough to be relevant in ten year’s time.’

Esselaar explains that POPIA is applicable to every industry and in different ways; it is not a set of black and white rules. ‘Instead, lawmakers came up with a set of principles.’ Lawmakers ultimately aren’t going to decide for companies, but they require them to scrutinise their own behaviour and make those decisions themselves. It is those decisions, or the lack of them, that the Information Regulator will investigate.

Of course, some very big companies have their own POPIA projects – blue chip companies and big players know they have no choice but to comply. Legislators have made all sorts of companies out-side the EU subject to the GDPR by forcing the European company to contract the SA company to comply with the GDPR. This effectively allows the EU to export its privacy laws to other countries. ‘They are forcing companies to abide by the GDPR or stop doing business inside the EU. The EU has leveraged their trade muscle this way.’

Ultimately the penalties for a breach under the GDPR add up. They can amount to a fine of up to 4% of annual global turnover or 20 million (whichever is greater). POPIA’s penalty for non-compliance is a fine of up to R10 million and/or 10 years’ in prison, and a data subject whose privacy has been infringed, can also institute a civil action for damages against the responsible person. With further laws pending and with so much else at stake, it seems SA companies will need to respond in order to safeguard themselves in the long run.

By Laura Jones
Images: Andreas Eiselin, HMimages