In terms of the Protection of Personal Information Act, 2013 (POPIA), the Information Regulator (IR) may initiate an investigation into the interference with the protection of a data subject’s personal information. Specifically, the IR may investigate any breach of the conditions for the lawful processing of personal information, any non-compliance with sections 22, 54, 69, 70, 71 or 72 of POPIA, or a breach of the provisions of a code of conduct issued in terms of section 60 of POPIA.
The IR may also assess (in the prescribed manner) whether an instance of processing of personal information complies with the provisions of POPIA.
The IR recently hosted a webinar during which it indicated that it will take a robust stance on compliance with, and enforcement of, POPIA, with a particular focus on data breaches and direct marketing. Specifically, the IR intends to issue POPIA enforcement notices concerning data breaches that have occurred in the banking and insurance sectors in the past two years.
Several of our clients in these sectors have already been subject to:
- investigations in terms of section 76 of POPIA, following a complaint made to the IR; and
- own-initiative compliance assessments in terms of section 89 of POPIA.
Assessments in terms of section 89 of POPIA may be initiated mero motu by the IR or upon request by the responsible party, the data subject or any other person. The IR has recently been conducting assessments in certain sectors, based on its analysis of the complaints it has received, where that analysis indicates that violations of POPIA are more prevalent in those sectors.
If the IR undertakes such an assessment, it is obliged to serve an information notice on the responsible party, requiring the responsible party to provide information or a report indicating its compliance with POPIA within a specified period.
The IR is empowered to refer a complaint or investigation to the Enforcement Committee. The Enforcement Committee may recommend that the IR serve an enforcement notice on the responsible party requiring that it:
- take specified steps within a period specified in the notice, or refrain from taking specified steps; and/or
- stop processing personal information specified in the notice or stop processing personal information for a purpose or manner specified in the notice.
Where the IR conducts an own-initiative assessment in terms of section 89, the IR will report to the responsible party the results of that assessment, which report is deemed to be the equivalent of an enforcement notice (here the involvement of the Enforcement Committee is not required).
Non-compliance with an enforcement notice can result in significant penalties, including an administrative fine of up to ZAR 10 million.
Clients in the banking and insurance sectors are advised to prepare for the prospect of POPIA assessments by the IR.

