The recent enforcement notice issued to Dis-Chem Pharmacies serves as a stark reminder of the importance of adhering to the Protection of Personal Information Act (POPI Act). Businesses in the automobile and related industries, in particular, should take note of this development and ensure they are fully compliant with the Act.
A Swift Recap of the POPI Act
The POPI Act, a piece of legislation that has taken effect in stages since its inception in 2013, gives life to section 14 of South Africa’s Constitution: everyone’s right to privacy. This Act emphasises the protection of personal information gathered and processed by both public and private entities. It balances the right to privacy against other rights, such as access to information.
The POPI Act is not just a mere guideline but a mandate. As of 01 July 2020, sections of the Act dealing with the obligations of a “responsible party” that processes and stores “personal information” became active. These sections significantly impact how businesses collect, share, and use personal data, especially through their marketing channels.
The Dis-Chem Case: A Cautionary Tale
On 31 August 2023, Dis-Chem Pharmacies faced the brunt of non-compliance. The Information Regulator, which had been relatively lenient until then, issued Dis-Chem an enforcement notice due to contraventions of multiple sections of the POPI Act. The breach in question revolved around Dis-Chem’s third-party service provider, Grapevine Interactive, which was hacked. Roughly 3.6 million records were accessed without authorisation.
Dis-Chem’s lapses were clear: weak password protocols, inadequate monitoring systems, and crucially, the absence of an operator agreement with Grapevine Interactive. Without this agreement, there was no defined process for Grapevine to report a security compromise to Dis-Chem.
The implications are severe. If Dis-Chem failed to comply within 31 days of the notice, it risked a fine of up to R10 million, a prison sentence of up to 10 years, or both.
The Implications for the Automobile and Related Industries
Why should the automobile and related industries be particularly concerned? Like other sectors, these industries handle vast amounts of personal data. Whether it’s customer details for car purchases, service and repair histories, or financing options, there’s a treasure trove of personal information. Failing to secure such data, or to put proper protocols in place with third-party operators, can lead to enforcement action similar to that seen with Dis-Chem.
Furthermore, directors of companies in contravention of the Act might not only face hefty fines but also risk personal criminal charges. The stakes are high.
Fasten Your Seatbelt
Companies must proactively address their compliance with the POPI Act. Here are some steps to consider:
- Understand the Act: Familiarise yourself with the Act’s requirements, especially concerning the collection, storage, and use of personal information.
- Establish operator agreements: Like Dis-Chem, many companies lack operator agreements with third parties. Such agreements are pivotal to ensure third parties maintain the required security measures.
- Implement robust security protocols: From strong passwords to continuous monitoring, it’s essential to have systems in place that guard against breaches.
- Seek expertise: If unsure about compliance, consult with experts who can guide you through the Act’s nuances.
The POPI Act is not just another piece of legislation to be shelved and forgotten. The Dis-Chem case exemplifies the severe consequences of non-compliance. Automobile and related industries, given the nature of personal data they handle, must be particularly vigilant. The clock is ticking, and the Information Regulator is watching. Ensure your business is not the next on their radar.
By Koos Benadie | Director