After many years of hearing about the Protection of Personal Information (POPI) Act and the effect it would have on businesses in terms of their responsibility to protect personal data, businesses have finally seen the warning shot fired by the Information Regulator. Get your house in order or you could easily be next to fall foul of POPI, pay a fine, suffer reputational damage, and even face possible criminal liability.
The Information Regulator handing out a R5-million fine to the Department of Justice and Constitutional Development should give pause for thought to all businesses that process personal information.
Fines can go up to R10 million, and there can even be jail time if it is found that there was malicious intent leading to a data breach. In this instance, the Information Regulator fined the department over a data breach that occurred about two years ago. The Information Regulator had initially sent an enforcement order to the department, which was not adhered to, and the result was the country’s first fine issued in terms of the POPI Act.
Perhaps the lesson in this is how easily it could have been averted: it was found that the department had not renewed licences for its cybersecurity software – something seemingly so simple, but which proved to open the door to the hackers.
The obligation in the event of a data breach is to prove that you did everything in your power to prevent it. In other words, the Information Regulator needs a business to prove that it had put in its best effort to prevent a breach of personal data, and in the case of the department, it was required to demonstrate the steps it had taken to rectify the problems. Not renewing licences for cybersecurity software may seem small, but the consequences can be huge.
No business is safe from hackers, and cybercrime is growing exponentially. The larger an organisation becomes, the more attractive it becomes to hackers. The Act refers to personal information and special personal information, which includes things such as medical records or biometric information, and special personal information requires a higher degree of care from the responsible party.
There absolutely have to be contingencies in place for businesses of all sizes. For example, a monitoring tool may not necessarily give you protection, but it will point you to where there was unusual activity, which could be the site of a data breach. The Information Regulator has been notified of thousands upon thousands of data breaches, so this fine is most certainly a warning shot for businesses across industries. If you haven’t yet, it is time to get your house in order.