The office of South Africa’s Information Regulator has seen an increase in the number of data breaches reported by local firms; however, timeous notification to affected customers remains a challenge, it says.
This is according to advocate Collen Weapond, full-time member of the InfoReg, speaking during a panel discussion at the recent ITWeb Security Summit 2024.
According to Weapond, in the 2022 financial year (February 2023), the InfoReg received 500 notifications of data breaches or security incidents. In the 2023 financial year (February 2024), the number spiked to over 1 700 reported security compromises – more than triple the amount.
“The difficult part of our job is that there are still many companies that are unaware they have a security compromise. In other instances, we still continue to hear about some data breaches in the media,” he commented.
“While there has been an improvement in the level of reporting, there are still gaps in certain areas – including the failure to notify data subjects [affected customers and stakeholders] of the security compromises within reasonable time, as per the requirements of the Protection of Personal Information Act (POPIA).”
Established in December 2016, the InfoReg is mandated to ensure organisations put in place measures to protect the data privacy of South Africans.
Under POPIA, organisations must notify the InfoReg when the personal information of data subjects is accessed by or exposed to unauthorised third parties.
The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss. Organisations face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.
Weapond highlighted that if data subjects are not notified on time, this is still a contravention of POPIA and warrants a fine.
“In terms of the issuing of fines, so far, we have issued one fine to the Department of Justice and Constitutional Development. We are not able to predict how many more fines will be issued this year, and the reason being that, according to the Act, there are certain factors that need to be taken into account prior to the issuing of fines. These include asking questions like: Is this the first offence? What is the severity of the offence? Which sections of the Act has the company failed to comply with?”
Combining efforts
Meanwhile, the InfoReg yesterday signed a memorandum of understanding (MOU) with delegates from the Eswatini Communications Commission (ESCCOM) at the regulator’s Johannesburg offices.
ESCCOM’s country visit, led by CEO Mvilawemphi Dlamini, was aimed at formalising its relationship with the regulator and signing the MOU on the cooperation and regulation of laws protecting personal data.
“The MOU aims to recognise the nature of the modern global economy, the increase in the circulation and exchange of personal information across borders, the increasing complexity of information technologies, and the resulting need for increased cross-border enforcement cooperation,” said the InfoReg in a statement.
The MOU also acknowledges that the parties have similar powers, functions and duties for the protection of personal information in their respective countries and intends to establish relations and promote exchanges that assist each other in the enforcement of laws protecting personal information.