The Importance of Data Protection Compliance

The importance of data protection compliance: A Case Study of Dis-Chem’s Recent Enforcement Notice- By Claire Gibson-Pienaar

It is important for organisations to prioritize data protection, not only to safeguard personal information but also to comply with the ever-evolving landscape of data protection laws and regulations. To emphasize the importance of compliance, we will delve into a recent enforcement notice issued to Dis-Chem, a pharmacy retail giant, by the South African Information Regulator.

The Dis-Chem Case: A Cautionary Tale

The Information Regulator has demonstrated a firm stance on non-compliance with data protection laws, particularly the Protection of Personal Information Act (POPIA). Dis-Chem was issued an enforcement notice on 31 August 2023, following an investigation that revealed multiple violations of POPIA. The enforcement notice requires Dis-Chem to provide a comprehensive report on the implementation of actions ordered within 31 days. Failure to comply within this timeframe could result in severe consequences,

including administrative fines of up to R10 million or even imprisonment upon conviction.
The data breach that triggered this enforcement notice occurred in 2022 when Dis-Chem fell victim to a cyberattack originating from its third-party service provider. This breach exposed the personal data of over 3.6 million South Africans, including names, surnames, email addresses, and cell phone numbers.

The regulator noted that Dis-Chem was aware of the breach on 1 May 2022, but failed to notify affected data subjects as required by section 22 of POPIA. This lapse in notification prompted the regulator to launch an own initiative assessment into the security compromise, leading to the enforcement notice.

Key Violations Highlighted by the Regulator

The assessment by the Information Regulator revealed several shortcomings in Dis-Chem’s data protection practices, which included:

  • Weak Passwords: Dis-Chem failed to identify the risk of using weak passwords and to prevent their usage.
  • Inadequate Monitoring: The company lacked adequate measures to monitor and detect unlawful access to its environment.
  • Operator Agreement: Dis-Chem did not have an operator agreement in place with the third party service provider, nor did it ensure the service provider had adequate security measures to protect personal information.
  • Reporting Obligations: The company failed to outline clear processes for reporting security compromises with the service provider.

To rectify these issues and ensure compliance with POPIA, the regulator’s enforcement notice mandates Dis-Chem to:

  • Conduct a personal information impact assessment to ensure compliance with the lawful processing of personal information.
  • Develop and implement an adequate incident response plan.
  • Adhere to Payment Card Industry Data Security Standards.
  • Establish written contracts with all operators processing personal information.
  • Develop and maintain a compliance framework that outlines reporting obligations for Dis-Chem and its operators.

The Dis-Chem case is just one example of the Information Regulator’s proactive stance on data protection. As the number of data breaches continues to rise in South Africa, organisations across various sectors must prioritize data protection and compliance. The consequences of neglecting these responsibilities can be dire, not only in terms of financial penalties but also in the loss of trust among customers and stakeholders.

It is crucial to ensure that your organisation is compliant with data protection laws so as to reduce legal risks, and safe guard your organisation’s reputation. The Dis-Chem case serves as a stark reminder of the real-world consequences of data breaches and the importance of addressing data protection within an organisation.

As the threat landscape evolves, proactive measures and legal expertise are paramount to navigate the complex terrain of data protection and privacy laws, both in South Africa and on a global scale. Contact the DKVG data protection team to help you assess whether your organisation is meeting its data protection obligations and how to close the gaps in areas its not.







Claire Gibson-Pienaar
B.Sc. LL.B.

Phone:  +27 21 914 4020