The Media Online

POPIA challenges organisations should not overlook in 2025

No dawn raids but the Information Regulator has teeth – and is sharpening them.

by Nadine Mather & Talita Laubscher
January 29, 2025
in Advertising

Based on the many questions organisations in South Africa are asking their legal advisors, it is clear there are still certain grey areas and misconceptions about the implementation of the Protection of Personal Information Act (POPIA).

The Information Regulator (IR) has conducted several own-initiative assessments of organisations’ compliance with the provisions of POPIA. These assessments do not take the form of “dawn raids” – rather, organisations are given prior notice that an assessment will take place and these generally take place by way of in-person engagements between representatives of the IR and the organisation concerned.

The IR generally does not hesitate to publicly announce where such engagements occur as it considers them a learning experience for others. It publishes the enforcement notices it issues, if any, on its website with details of the organisation’s name, the complaint, the IR’s assessment, and the alleged shortcomings to be corrected.

Public spotlight

Non-compliant organisations may face some embarrassment and reputational damage by being in the public spotlight. Enforcement notices must furthermore be attended to as a matter of priority: in our experience, the IR affords organisations a limited period of time in which to ensure that they are compliant.

There are consequences for not complying with an enforcement notice. It is an offence that, on conviction, carries a fine or imprisonment of up to 10 years, or both a fine and imprisonment. Alternatively, the IR may impose an administrative fine of up to a maximum of ZAR10 million (although, to date, it has imposed administrative fines in the amount of ZAR5 million).

Meanwhile, the IR chairperson, Advocate Pansy Tlakula, has asked Parliament to amend POPIA to allow the IR to impose immediate sanctions on offending organisations, rather than wait for the enforcement notice process to run its course.

Impact assessments versus compliance frameworks

Topping the lengthy list of documents to have on hand when the IR pays a visit are personal information impact assessments and compliance frameworks. These two documents are a major area of uncertainty for many organisations.

To date, the IR has not issued a guidance note or template on either of these documents. However, from organisations’ engagements with the IR, we understand that a personal information impact assessment is a risk assessment looking at the risks associated with the organisation’s information processing activities and the level of risk with reference to the provisions of POPIA.

A compliance framework, on the other hand, must demonstrate how the organisation intends to address these risks and the steps it has taken, or intends to take, to comply with the requirements of POPIA.

Some organisations are under the mistaken impression that a security policy or access management policy constitutes a compliance framework. This is not so. The POPIA compliance framework must specify exactly what steps are being taken to comply with POPIA, in particular each of the conditions of lawful processing.

Technical measures are not enough

Another common misperception is that POPIA compliance and data breach prevention are mainly about technology. One of the conditions for lawful processing of personal information is that an organisation must put in place appropriate technical and organisational security measures to prevent unauthorised access to personal information under its control.

Organisations often emphasise the technical measures they have in place to prevent data breaches but overlook the organisational measures.

The IR has stressed that organisations also need to pay attention to the operational measures taken – and particularly the conduct of their employees. Employee error is the cause of most data breaches in South Africa.

A common error is sending an email to the wrong person by mistake. The consequences can be severe if the misdirected email is, for example, an employee’s salary advice or a customer’s unique requirements.

This raises an important question: does a single, missent email constitute a data breach and if so, must the organisation notify the IR?

Is a single email a notifiable data breach?

As it stands, POPIA does not contain a risk or materiality threshold for reporting a data breach. This is unlike the European Union, where only data breaches posing a high risk to individuals’ rights and freedoms have to be reported to the data protection authorities.

POPIA states that any data breach, regardless of form or size, must be reported if there are reasonable grounds to believe that an unauthorised person has accessed or acquired someone else’s personal information.

However, if the organisation reacts immediately, such as by contacting the unintended recipient to delete the missent email, and the person confirms it has been deleted, it may not be necessary to notify the IR. The decision could be a close call, though, and not one to be taken lightly.

Ultimately, the question is whether the organisation reasonably believes that the personal information has been accessed or acquired.

Green for go, red for stop

Another common misconception is that the processing of personal information is only ever possible with the data subject’s consent. This is not so. POPIA provides for several justifiable grounds for the processing of personal information based on necessity, for example where the processing is “necessary” for the conclusion or performance of a contract or where it is “necessary” to comply with an obligation in law.

Relying on consent has its limitations. There is a widespread belief that as long as an organisation has the consent of a data subject to process their personal information, there is nothing to worry about. Not so fast. Consent can be withdrawn at any time and is therefore not an ideal basis on which to rely in all cases.

Having said this, there are certain situations where consent will be required – such as the processing of special personal information, which includes photographs and videos, in the absence of a legal obligation to do so. What then would one do at corporate events where photographs are being taken of the guests?

Obtaining consent in these circumstances can be tricky, and we can only applaud the ingenuity of the company that devised a novel solution. The guests were asked to wear a red name tag if they did not want to be photographed and a green tag if they agreed.

As a result, its photographer had an easy time identifying who consented and who did not, and there was no danger of posting the wrong pictures.

Even POPIA, a complex piece of legislation, can bring out South African creativity.

Staying POPIA-compliant in 2025 might seem like a challenge, but with the right focus and proactive measures, it’s a hurdle worth clearing. After all, a little compliance today saves a lot of headaches tomorrow.

Nadine Mather and Talita Laubscher are partners at Bowmans.


 

Copyright © 2015 - 2023 The Media Online. All rights reserved. Part of Arena Holdings (Pty) Ltd
