Likelihood of regulatory enforcement

When looking at enforcement of privacy legislation in Europe, it appears that the level of enforcement is low.[1] For example, the UK Information Commissioner's Office reports only 84 enforcement actions during the whole of 2014.[2] It remains to be seen how active the South African Information Regulator will be in enforcing our own Protection of Personal Information Act (4 of 2013).

Breach conundrum

Given the probable low level of enforcement, you could be forgiven for asking 'why bother to comply with POPI at all?' Putting aside the other benefits of compliance, there is one scenario in which enforcement directed at your business becomes very likely: when personal information is lost or disclosed from your organisation, whether through theft or by accident.

Information loss or disclosure is hardly a remote possibility. It can occur when a staff laptop or phone is stolen, a memory stick is lost, paper records are not shredded, and so on.

Once the personal information leaves your organisation, you are essentially at the mercy of whoever is in possession of it. If you are lucky, it is someone who destroys the information or returns it to you. If not, it could be in the hands of someone who will attempt to use or sell it, or who will notify the Regulator or the data subjects (your customers).

Since you will probably not know who holds the information, you are faced with a tough choice: notify each data subject (customers etc.) and the Regulator of the breach, or attempt to keep it quiet and hope for the best. What makes this choice all the more difficult is that the sanctions in POPI increase tenfold if the Regulator is in any way obstructed, topping out at R10m in fines and 10 years in prison (s 100). Keeping it quiet may also prove difficult in practice, since at least a couple of employees will already be aware of the breach.

While it is true that any organisation can experience a breach, compliance with the largely common-sense requirements of POPI will minimise the risk of a breach occurring in the first place and reduce the likelihood of sanctions by the Regulator.

  [1] https://dbis.ipd.kit.edu/download/bu09edemocracy.pdf
  [2] https://ico.org.uk/action-weve-taken/enforcement/?facet_type=&facet_sector=&facet_date=custom&date_from=01%2F01%2F2014&date_to=01%2F01%2F2015