South Africa: POPIA: Do Not Allow Yourself To Be The First Example Of The Regulator's Bite

The chairperson of the Information Regulator ("Regulator"), established in terms of the Protection of Personal Information Act, 2013 ("POPIA"), issued a stern warning at a media breakfast briefing address on 29 June 2022.

Since July 2021, the Regulator has received and concluded preliminary investigations on over 700 complaints from various data subjects. Most complaints received relate to direct marketing, indicating that many responsible parties are not complying with the sections of POPIA relating to unsolicited electronic communication and consent, justification, and objection.

The Regulator mentioned that it has received a notification from the National Credit Regulator regarding a report about entities engaging in the sale of personal information of consumers (such as names and surnames; identity numbers; contact numbers; credit scores; and consumer debt review statuses).

The Regulator said:

"... we are warning responsible parties that continue to trade in personal information that this is in violation of POPIA, and we will not tolerate it. We are sending an unequivocal message to players in the credit granting and direct marketing sectors of our economy: this must stop."

According to the Regulator, the country is experiencing an alarming rate of security compromises with over 330 reports of data breaches being recorded since POPIA became effective just over a year ago.

To address this, the Regulator has decided to establish a dedicated unit to conduct extensive investigations and assessments into these security compromises and will issue reports with findings and recommendations. According to the Regulator, these reports will be deemed to be enforcement notices.

The Regulator is also responsible for overseeing the regulatory functions of the Promotions of Access to Information Act, 2000 ("PAIA"), which governs the right to access to information.

After completing targeted compliance assessments on 15 South African municipalities, the Regulator found that none of these municipalities had valid PAIA manuals. PAIA manuals are required to be held by all public and private bodies in South Africa and must outline how records of those bodies can be accessed.

The Regulator has also been investigating complaints alleging that requests for access to records in terms of PAIA have been wrongly refused.

Given the warning from the Regulator, now is a good time to conduct a POPIA and PAIA health check, including on your organisation's direct marketing practices, security measures, and PAIA manuals, to avoid the Regulator's teeth.

We have assisted many organisations with navigating direct marketing activities in compliance with POPIA and it is indeed possible. We can also assist you with your data brokering initiatives, which if structured correctly, will be lawful and effective.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.