The importance of compliance has once again been highlighted as the Information Regulator issued an Enforcement Notice to Dis-Chem Pharmacies Ltd (“Dis-Chem“) on 1 September 2023 for non-compliance with the Protection of Personal Information Act 4 of 2013 (“POPIA“).
The Information Regulator is casting their net wide when it’s come to investigating contraventions, whether it be against large, small, private or public companies and is cracking down on ensuring consumers’ information is safeguarded and lawfully processed.
The Information Regulator found that Dis-Chem failed to identify the risk of using weak passwords, failed to implement measures to monitor and detect unlawful access to their environment and that they hadn’t entered into any operator agreement with their third party service provider which would have, amongst other things outlined the process of reporting to Dis-Chem in the event of a security compromise.
The Information Regulator has ordered Dis-Chem to conduct a Personal Information Impact Assessment and to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information. They have also been mandated to implement an adequate Incident Response Plan, involving strong access control measures, maintaining a vulnerability management programme, implementing strong access control measures and maintaining an Information Security Policy.
Dis-chem have been ordered to conclude written contracts with all operators who process personal information on its behalf and to develop, implement, monitor and maintain a compliance framework. Failure to comply with such obligations will result in an administrative fine or result in a conviction of imprisonment or both.
A breach of this nature, and the finding as to the lack of safeguards in place should come as a shock for an organisation of this size and an organisation which holds such a vast quantity of data. One would expect that all prominent companies in South Africa would have conducted an impact assessment and would give credence to their responsibilities in protecting their customers’ data. The Information Regulators guidance to Information Officers is clear. Understanding the privacy landscape together with rights, obligations and duties are not negotiable. A robust privacy programme empowers companies to demonstrate that they reasonably comply with the obligations as stipulate in POPIA.
The Werksmans regulatory team has developed electronic tools and a sound methodology which aim to assist with impact assessments and the implementation of a compliance road map. Compliance with POPIA is not a template that is downloaded and copied. A clear understanding of the legislation is paramount.
Written by Ahmore Burger-Smidt, Head of Regulatory and Chiara Ferri, Candidate Attorney; Werksmans