Based on the many questions organisations in South Africa are asking their legal advisors, it is clear there are still certain grey areas and misconceptions about the implementation of the Protection of Personal Information Act (POPIA).
The Information Regulator (IR) has conducted several own-initiative assessments of organisations’ compliance with the provisions of POPIA. These assessments do not take the form of “dawn raids” – rather, organisations are given prior notice that an assessment will take place and these generally take place by way of in-person engagements between representatives of the IR and the organisation concerned.
The IR generally does not hesitate to publicly announce where such engagements occur as it considers them a learning experience for others. It publishes the enforcement notices it issues, if any, on its website with details of the organisation’s name, the complaint, the IR’s assessment, and the alleged shortcomings to be corrected.
Public spotlight
Non-compliant organisations may face some embarrassment and reputational damage by being in the public spotlight. Enforcement notices must furthermore be attended to as a matter of priority: in our experience, the IR affords organisations a limited period of time in which to ensure that they are compliant.
There are consequences for not complying with an enforcement notice. It is an offence that, on conviction, carries a fine or imprisonment for up to 10 years, or both a fine and imprisonment. Alternatively, the IR may impose an administrative fine of up to a maximum of ZAR10 million (although, to date, it has imposed administrative fines in the amount of ZAR5 million).
Meanwhile, the IR chairperson, Advocate Pansy Tlakula, has asked Parliament to amend POPIA to allow the IR to impose immediate sanctions on offending organisations, rather than wait for the enforcement notice process to run its course.
Impact assessments versus compliance frameworks
Topping the lengthy list of documents to have on hand when the IR pays a visit are personal information impact assessments and compliance frameworks. These two documents are a major area of uncertainty for many organisations.
To date, the IR has not issued a guidance note or template on either of these documents. However, from organisations’ engagements with the IR, we understand that a personal information impact assessment is a risk assessment that identifies the risks associated with the organisation’s information processing activities and rates the level of each risk with reference to the provisions of POPIA.
A compliance framework, on the other hand, must demonstrate how the organisation intends to address these risks and the steps it has taken, or intends to take, to comply with the requirements of POPIA.
Some organisations are under the mistaken impression that a security policy or access management policy constitutes a compliance framework. This is not so. The POPIA compliance framework must specify exactly what steps are being taken to comply with POPIA, in particular each of the conditions of lawful processing.
Technical measures are not enough
Another common misperception is that POPIA compliance and data breach prevention are mainly about technology. One of the conditions for lawful processing of personal information is that an organisation must put in place appropriate technical and organisational security measures to prevent unauthorised access to personal information under its control.
Organisations often emphasise the technical measures they have in place to prevent data breaches but overlook the organisational measures.
The IR has stressed that organisations also need to pay attention to the organisational measures taken – and particularly the conduct of their employees. Employee error is the cause of most data breaches in South Africa.
A common error is sending an email to the wrong person by mistake. The consequences can be severe if the misdirected email is, for example, an employee’s salary advice or a customer’s unique requirements.
This raises an important question: does a single, missent email constitute a data breach and if so, must the organisation notify the IR?
Is a single email a notifiable data breach?
As it stands, POPIA does not contain a risk or materiality threshold for reporting a data breach. This is unlike the European Union, where a breach need not be reported to the data protection authority if it is unlikely to result in a risk to individuals’ rights and freedoms, and the affected individuals themselves need only be notified where the breach is likely to result in a high risk to them.
POPIA states that any data breach, regardless of form or size, must be reported if there are reasonable grounds to believe that an unauthorised person has accessed or acquired someone else’s personal information.
However, if the organisation reacts immediately, such as by contacting the unintended recipient to delete the missent email, and the person confirms it has been deleted, it may not be necessary to notify the IR. The decision could be a close call, though, and not one to be taken lightly.
Ultimately, the question is whether there are reasonable grounds to believe that the personal information has been accessed or acquired by an unauthorised person.
Green for go, red for stop
Another common misconception is that the processing of personal information is only ever possible with the data subject’s consent. This is not so. POPIA provides for several justifiable grounds for the processing of personal information based on necessity, for example where the processing is “necessary” for the conclusion or performance of a contract or where it is “necessary” to comply with an obligation in law.
Relying on consent has its limitations. There is a widespread belief that as long as an organisation has the consent of a data subject to process their personal information, there is nothing to worry about. Not so fast. Consent can be withdrawn at any time and is therefore not an ideal basis on which to rely in all cases.
Having said this, there are certain situations where consent will be required – such as the processing of special personal information, which may include photographs and videos where they reveal, for example, a person’s race, ethnic origin, religious belief or health, in the absence of a legal obligation to process them. What then would one do at corporate events where photographs are being taken of the guests?
Obtaining consent in these circumstances can be tricky, and we can only applaud the ingenuity of the company that devised a novel solution. The guests were asked to wear a red name tag if they did not want to be photographed and a green tag if they agreed.
As a result, its photographer had an easy time identifying who consented and who did not, and there was no danger of posting the wrong pictures.
Even POPIA, a complex piece of legislation, can bring out South African creativity.
Staying POPIA-compliant in 2025 might seem like a challenge, but with the right focus and proactive measures, it’s a hurdle worth clearing. After all, a little compliance today saves a lot of headaches tomorrow.
Nadine Mather and Talita Laubscher are partners at Bowmans.