A Cautionary Tale on Data Protection: a reminder on ensuring specific adherence to the lawful processing of personal information as essential to compliance under POPIA

On 1 September 2023, a major South African pharmaceutical company ("the Company") was issued with an Enforcement Notice by the Information Regulator of South Africa.


In a novel finding by the Information Regulator, the Company was issued with an Enforcement Notice following a finding of a breach of various sections of the Protection of Personal Information Act of 2023 ("POPIA").

In brief, the Company's e-Statement Service database was managed by its third-party service provider ("Third-Party Service Provider"). Around April and May 2022, the Third-Party Service Provider suffered a brute-force attack. The Company became aware of the security compromise and/or data breach through an SMS sent to some employees. It was at this point that the Company notified the Information Regulator of the occurrence.

It became apparent to the Information Regulator that the Company had failed to notify its data subjects in accordance with the provisions of section 22 of POPIA.

Outcome by the Information Regulator

Upon conducting an investigation into the security compromise, the Information Regulator found that the Company compromised the protection of personal information of its data subjects and the conditions for lawful processing of personal information. As such, the Company was required to:

  • conduct a personal information impact assessment in accordance with Regulation 4(1)(b) of POPIA;
  • implement an adequate incident response plan;
  • conclude written contracts with all operators who process personal information on its behalf; and
  • develop, implement, monitor and maintain a compliance framework in terms of Regulation 4(1)(a) of POPIA.

Conclusion: key takeaways for responsible parties/employers

This is an important decision for organisations/employers to be mindful of in their day-to-day processing of the personal information of their employees and clients/customers. It is clear that merely having policies in place that regulate the processing of personal information is not sufficient in and of itself, and that organisations are required to actively ensure that there is specific adherence to, and thus compliance with, the provisions of POPIA and its Regulations. As such, ensuring that the designated personnel are fully aware of the provisions of POPIA and its Regulations, as well as what is particularly expected of an organisation, is of utmost importance.

The decision of the Information Regulator accordingly serves as a cautionary tale to organisations/employers who are not fully complying with the provisions of POPIA. With the rise of technology and cyber-security compromises on a global scale, it is not unlikely that more organisations will suffer brute-force attacks or similar occurrences. Therefore, ensuring that the appropriate and specific measures are in place is of paramount importance.

Additionally, this outcome by the Information Regulator highlights the far-reaching implications of POPIA and its Regulations for organisations: even if the breach or security compromise takes place on systems outsourced to a third party, the organisation ultimately remains responsible and accountable for the lawful management/processing and safekeeping of its data subjects' personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.