A Sad Kind of POPI


Heinous: hateful, odious, abominable, totally reprehensible.

We are all a little tired of hearing about the Protection of Personal Information Act (POPIA). But for the wrong reasons, this is the right topic for the week of Women’s Day.

Uniquely South African

The POPI Act is similar to the European Union General Data Protection Regulation (GDPR). We don’t know how some of POPIA will be interpreted. The GDPR has been in effect for longer, so it’s natural to look at GDPR cases for some ideas.

But this is South Africa. It will be different.

GDPR case history

I wondered what the first GDPR cases were. It’s not easy to find out, because each country has its own GDPR regulator. So I checked the Data Protection Commission site for news. The oldest news lists these two court cases:

  • Prosecution for the sale of personal data.
  • Prosecution for unsolicited marketing without an unsubscribe option, after previous warnings.

Since then, the GDPR regulators have gone after the big guns. They’ve fined Amazon, Google, WhatsApp and Facebook. They’ve also fined British Airways, Vodafone Italy, H&M Clothing and many others.

Where will we start?

In the IT industry, we think about POPIA in terms of encryption, system security and data breaches. And there have been serious data breaches in South Africa.

Since July 2021, the Regulator has investigated over 700 complaints. None of these have made the news. None of the organisations that had data breaches have been fined.

At a media briefing in June 2022, the Information Regulator explained their approach:

“We have been patient enough in trying to take our stakeholders along and assist them, but we’ve now come to a point where we have to exercise our powers.”

I have wondered which POPIA investigation would be the first to make the news. Now I know.

We start here

We know that POPIA is not just about electronic data security. But the ITWeb article this week about the POPIA investigation into SAPS shocked me.

The Information Regulator is investigating the SAPS for leaking details of the Krugersdorp gang-rape victims. A list with the personal details of the victims was leaked across social media, allegedly by SAPS officials.

This is heinous. It’s evil. And, sadly, it seems very South African. I doubt that the GDPR regulators ever faced this kind of data breach. I certainly never imagined such a case.

Next time I am irritated by the effort that POPIA compliance needs, I will remember this. And I hope the perpetrators spend 10 years in prison.
