It is important for organisations to prioritize data protection, not only to safeguard personal information but also to comply with the ever-evolving landscape of data protection laws and regulations. To emphasize the importance of compliance, we will delve into a recent enforcement notice issued to Dis-Chem, a pharmacy retail giant, by the South African Information Regulator.
The Information Regulator has demonstrated a firm stance on non-compliance with data protection laws, particularly the Protection of Personal Information Act (POPIA). Dis-Chem was issued an enforcement notice on 31 August 2023, following an investigation that revealed multiple violations of POPIA. The enforcement notice requires Dis-Chem to provide a comprehensive report on the implementation of actions ordered within 31 days. Failure to comply within this timeframe could result in severe consequences, including administrative fines of up to R10 million or even imprisonment upon conviction.
The data breach that triggered this enforcement notice occurred in 2022 when Dis-Chem fell victim to a cyberattack originating from its third-party service provider. This breach exposed the personal data of over 3.6 million South Africans, including names, surnames, email addresses, and cell phone numbers.
The regulator noted that Dis-Chem was aware of the breach on 1 May 2022, but failed to notify affected data subjects as required by section 22 of POPIA. This lapse in notification prompted the regulator to launch an own-initiative assessment into the security compromise, leading to the enforcement notice.
The assessment by the Information Regulator revealed several shortcomings in Dis-Chem’s data protection practices, which included:
To rectify these issues and ensure compliance with POPIA, the regulator’s enforcement notice mandates Dis-Chem to:
The Dis-Chem case is just one example of the Information Regulator’s proactive stance on data protection. As the number of data breaches continues to rise in South Africa, organisations across various sectors must prioritize data protection and compliance. The consequences of neglecting these responsibilities can be dire, not only in terms of financial penalties but also in the loss of trust among customers and stakeholders.
It is crucial to ensure that your organisation is compliant with data protection laws, to reduce legal risks and safeguard your organisation’s reputation. The Dis-Chem case serves as a stark reminder of the real-world consequences of data breaches and the importance of addressing data protection within an organisation.
As the threat landscape evolves, proactive measures and legal expertise are paramount to navigate the complex terrain of data protection and privacy laws, both in South Africa and on a global scale. Contact the DKVG data protection team to help you assess whether your organisation is meeting its data protection obligations and how to close the gaps in areas where it is not.
Claire Gibson-Pienaar
B.Sc. LL.B.
Attorney
Tygervalley
Phone: +27 21 914 4020