Five key takeaways from recent POPIA cases

01 November 2023 Masthead Compliance Manager Shanal Boodiram

After making headlines in July with a historic R5 million fine imposed on the Department of Justice and Constitutional Development (DoJ&CD), the Information Regulator is back in the spotlight after it issued an enforcement notice against Dis-Chem Pharmacies.

We delve into the recent Dis-Chem case and distil the five crucial lessons that anyone handling personal information should learn from the enforcement notices issued by the Regulator this year.

The Dis-Chem enforcement notice
On 31 August 2023, the Information Regulator issued an enforcement notice against Dis-Chem for failing to comply with various sections of the Protection of Personal Information Act (POPIA). The Regulator expected the retail pharmacy chain to enhance its data security processes – or face penalties, which could include a fine of up to R10 million, imprisonment, or both.

The data breach incident dates to last year when Grapevine, a third-party service provider of Dis-Chem, was hacked by a cybercriminal. This resulted in about 3,6 million data subjects’ records being accessed from Dis-Chem’s e-statement service database, which was managed by Grapevine. The affected records were limited to names, surnames, e-mail addresses and cell phone numbers of the data subjects.

Dis-Chem was alerted to the security compromise when some of its employees started receiving SMS messages. Within four days of becoming aware of the breach, the retail chain notified the Regulator in writing of the security compromise. However, according to the Regulator, Dis-Chem failed to notify the data subjects of the breach, which is a requirement in terms of Section 22 of POPIA.

This prompted the Regulator to conduct an own initiative assessment into the security compromise. It found that Dis-Chem failed to:
• Identify the risk and prevent the use of weak passwords.
• Implement adequate measures to monitor and detect unlawful access to their environment.
• Sign an operator agreement with Grapevine that would have ensured robust protection of personal information security measures and clear protocols for reporting security breaches to Dis-Chem.

Dis-Chem was ordered to implement the following remedial actions within 31 days:
• Conduct a personal information impact assessment to ensure compliance with POPIA’s personal information processing obligations.
• Establish an adequate incident response plan, adhere to the Payment Card Industry Data Security Standard (PCI DSS), enforce strong access controls and maintain an information security policy.
• Require written contracts with all operators who process personal information on its behalf, ensuring that these contracts compel operators to establish and maintain security measures equal to or exceeding those outlined in POPIA.
• Develop, implement, monitor and maintain a POPIA compliance framework that clearly makes provision for the data breach reporting obligations of Dis-Chem and all its operators.

Dis-Chem has hit back at the Regulator, disputing the accuracy of the allegations in the enforcement notice. This includes, amongst others, the Regulator’s view that the company failed to notify the affected data subjects. Furthermore, the pharmacy chain stated they had already addressed and acted upon all orders outlined in the enforcement notice, and they would respond to the Regulator within 31 days.

Complaints on the rise
In the 2022/23 financial year, the Regulator received 895 POPIA complaints, compared to the preceding financial year’s total of 544. Of the 895 complaints received, 616 have been successfully resolved.

Under POPIA, the Regulator can investigate complaints filed by individuals or initiate investigations on its own initiative, as it did in the Dis-Chem case. Additionally, it can conduct assessments on compliance with both POPIA and PAIA.

Most complaints are resolved through settlement or mediation procedures. In cases where a resolution can’t be reached, the matter is escalated to a full investigation. Thereafter, an investigation report is referred to the Enforcement Committee, which uses the report to make its findings. The Committee also recommends the appropriate actions that must be taken.

A handful of enforcement notices have been issued in 2023, but it is when these notices are ignored that businesses or entities run into serious trouble. A prime example of this is the DoJ&CD. Much like the Dis-Chem case, the DoJ&CD’s IT systems were compromised. Consequently, the Regulator issued them with an enforcement notice that required the department to implement several remedial steps within 31 days. The DoJ&CD failed to do this, resulting in the Regulator imposing its very first administrative fine.

Key takeaways
In light of all the recently published enforcement notices, what lessons can institutions handling personal information learn? There are five key insights:

1) Training is crucial: In most of this year’s enforcement notices, the Regulator has asked for evidence of POPIA awareness training. Therefore, it’s essential to train all employees on POPIA. In terms of Regulation 4(1)(e) of the Act, it’s the information officer’s responsibility to ensure internal awareness sessions are held regarding POPIA provisions, regulations, codes of conduct or information obtained from the Regulator. Moreover, it’s advisable to provide cybersecurity training to your employees, covering security measures and response procedures for security compromises, such as data breaches.

2) Maintain an up-to-date risk management plan that addresses privacy and security risks: This can include a risk register to identify and record foreseeable internal and external privacy and security risks your business may be exposed to. Outline what steps you will take to mitigate these risks to prevent breaches and safeguard personal information in your possession or control.

3) Plan for your response: Ensure that you have an incident response plan in place, and that your staff members know what to do in the event of a security compromise. This plan should include the necessary steps for notifying both the Regulator and the data subjects (unless their identities cannot be established) as required in terms of Section 22 of POPIA.

When notifying the Regulator, make use of the Security Compromise Notification Form (Form SCN1). This form, as well as a guideline on how to complete it, is available on the Regulator’s website.

4) Third-party service provider contracts: Maintain written contracts with all third-party service providers who process personal information on your behalf. These contracts should also address security measures that the third party will maintain in terms of Section 19 of POPIA.

5) Implement a compliance framework: Ensure that you have in place a compliance framework in terms of Regulation 4(1)(a) of POPIA. This framework can include policies, procedures and controls for ensuring POPIA compliance in your business.

Proactive POPIA compliance
With cybercriminals continually developing innovative ways to gain access to personal information, data breaches pose a real threat to companies and institutions.

To safeguard against these threats, entities handling personal information must sharpen their cybersecurity measures. Equally important is maintaining robust procedures and practices to ensure POPIA compliance. Failing to do so can cost you dearly in terms of administrative fines.

What’s more, POPIA compliance goes a long way in protecting your clients’ personal information and limiting the fallout – including reputational damage to your business – should a data breach occur.
