Data protection is an expensive exercise, and it requires a fully resourced Information Regulator, including in terms of money.

So said Sizwe Snail ka Mtuze, cyber and IT law attorney and member of the Information Regulator of SA, emphasising that a well-resourced regulator will go a long way towards giving full effect to what the Protection of Personal Information Act (POPIA) envisaged.

Snail ka Mtuze was speaking at the ITWeb Security Summit 2020, which kicked off yesterday. The 15th annual information and cyber security conference is taking place virtually amid the coronavirus (COVID-19) pandemic and restrictions on the number of people at public gatherings.

His comments come at a time when the role of the Information Regulator has been heightened amid increasing data breaches in the country. Organisations such as Experian and Momentum Metropolitan have suffered data breaches recently.

Although he didn’t elaborate on the desired budget for the Information Regulator, Snail ka Mtuze noted the example of the data protection authority of Bavaria in Germany, which has a budget of €200 million to deal with protection of personal information.

“I think money is a problem everywhere, especially now with the COVID-19 situation,” he said. “Right from the beginning, the office of the regulator was really given a minute budget.

“We are in discussion with [National] Treasury; we are in constant discussion every year. We always try to get more money so that the regulator can really get all its ducks in a row, so that when the grace period is over, we can go fully and start dealing with complaints and also enforcing the Act, and not just proactively handling complaints as we have been now.”

Getting compliant

Even though POPIA was signed into law in 2013, only certain sections of the Act, those dealing with the establishment of the Information Regulator, have been in force since then.

The purpose of POPIA is to ensure all South African institutions conduct themselves responsibly when collecting, processing, storing and sharing another entity's personal information, by holding them accountable should they abuse or compromise personal information in any way.

Businesses that don't comply with the POPI Act, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

In June, it was announced that more sections of the Act would come into force from 1 July 2020, except for sections 110 and 114 (4), which commence on 30 June 2021. However, enforcement of the sections that came into force is suspended for a 12-month grace period, allowing everyone to get their houses in order.

Snail ka Mtuze explained that when the grace period ends, the regulator can then fully enforce POPIA and use its powers against transgressors of the Act.

“If you look at section 40 – it gave us the power to handle complaints and deal with complaints. As early as 2017, we’ve been dealing with complaints pertaining to personal information.

“We have always taken an attitude of proactive compliance. In the instance where there was abuse of personal information or a big data breach, the regulator would really go and engage those parties to ensure that if it happens again after the 12-month grace period, then obviously people will not be able to hide behind that.”

He continued: “We are trying to get people to comply. In other words, those who have experienced breaches, we encourage you to self-report, comply with the Act, protect your customers… protect the data subjects. There is nothing wrong with proactive compliance.

“Currently, the hands of the regulator are sort of tied in terms of punishing transgressors, but we do act on things.”

Self-reporting

When a breach occurs, the Information Regulator engages the parties involved and records the incident in its breach register, Snail ka Mtuze noted.

In the data breach involving Experian, the chairperson of the Information Regulator, Pansy Tlakula, revealed that the regulator was informed only months after it occurred.

“We expect responsible parties… to self-report, tell us what the incident was about, where the leaks were and how they’ve tried to protect people going forward,” Snail ka Mtuze stressed.

“Where there are breaches, please report these things. Let us assist you – that is what the regulator is there for, to deal with these data breaches.”

He also advised that organisations should use the grace period to invest in assessments of their own operations, to establish whether or not they are in compliance with the Act.

“It’s [the grace period] not a period for people not to comply, it’s a period for people to get fully compliant,” he said. “We urge everyone to comply now because this is the future; it’s not going to change.

“They need to ensure that they put things in place, to ensure that by the time the grace period is over, they are fully compliant, so that they don’t run the risk of getting fines and the like from the Information Regulator.”