By now most individuals know that the Protection of Personal Information Act 4 of 2013 (the “PoPI Act”) has been law with effect from 1 July 2020.  Every public and private enterprise has to comply with the PoPI Act, and a grace period of 1 year applies.

By 1 July 2021 the full might of the law will apply.

Data Breaches

Non-compliance with the PoPI Act and, worse still, data breaches occurring at a company could be costly.

Data breaches relating to personal information of a company’s clients or suppliers have occurred up to now, but little incentive exists for them to be communicated to the affected parties.

Not any more.

The PoPI Act outlines a series of procedures, all of them costly and management-time intensive, to be taken by the company where the breach occurred.  Such breaches are always notifiable to the Information Regulator (the “IR”). Many hours of management time will inevitably be needed, along with the concomitant negative publicity.

The most common types of data breaches come about because of IT hacking.  The exploitation of vulnerabilities in the IT network and systems of the company allows access to personal information.

Another common type of data breach could occur when personnel take laptops and/or documents home, and these are lost or stolen.  The Covid-19 lockdown experienced across SA since March this year is an excellent example of what could, and does, go wrong.

Yet another type of data breach happens when a disgruntled employee walks away with a memory stick loaded with personal information of clients, personnel, and suppliers.  This could easily end up with the company’s competitor.  There is always a market for your company information.

All these types of data leakages are defined as data breaches and must be responded to by the company as outlined in the PoPI Act.

The slow pace of compliance

Despite these risks, it would seem as if few companies are committed to meeting the onerous compliance requirements of the PoPI Act.

Do not be left behind.  Every public and private enterprise has to comply.

As Compliance Manager, be aware that your CEO could be hauled before court and slapped with a significant penalty.  Failure to implement the required control procedures to mitigate non-compliance with the PoPI Act makes you expendable – like a soccer coach.