From CompliNEWS | Financial Service Intelligence Watch
A year after the Protection of Personal Information Act (PoPIA) came into effect on 1 July 2021, none of the organisations involved in a spate of data compromises in SA have been fined by the Information Regulator. An IT Web report notes that SA’s data privacy legislation − PoPIA − came into force on 1 July 2021, following a year-long grace period for organisations to comply with the Act. PoPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for a business, and the consequences can go beyond money and be long-lasting. The Act makes provision for fines of up to R10m and a jail sentence of up to 10 years, depending on the seriousness of the breach. Speaking at a media briefing last week, Lebogang Stroom-Nzama, advocate and full-time member at the Information Regulator, stated: ‘We can levy fines up to the maximum of R10m but we haven’t levied any fines at this stage.’ ‘PoPIA is still new,’ Stroom-Nzama added.
‘Most of the time we try to educate, but we’re now in a stage whereby after an investigation or an assessment, we’ll take that route.’ While the regulator has taken a patient stance in issuing fines, Information Regulator chairperson Advocate Pansy Tlakula believes PoPIA is on a par with international data protection and privacy laws. ‘It compares quite favourably with the General Data Protection Regulation, which people put out there as the ultimate data protection law, but ours is better,’ she said.