On 8 October, we hosted a webinar, Stay Ahead of POPIA – Lessons Learnt from Recent Enforcement Notices, led by keynote speaker Adv. Pansy Tlakula, and Elizabeth de Stadler and Ilze Luttig-Hattingh of Novation Consulting. The session offered valuable insights into recent enforcement notices, exploring critical compliance pitfalls and the regulator’s expectations for organisations operating under the Protection of Personal Information Act (POPIA).

As businesses navigate the complexities of data protection and cybersecurity, understanding the role of the regulator has never been more important. In this first part of our blog, we’ll unpack some of the key takeaways from the webinar, focusing on the regulator’s mandate, enforcement actions, and lessons learned from real-world cases.
Understanding the Regulator's Role in Cybersecurity and Direct Marketing
In 2023, South Africa saw over 1,700 data breach notifications—a stark reminder of the growing cyber threats faced by businesses and government entities. The regulator plays a crucial role in ensuring compliance with data protection laws and safeguarding personal information across both public and private sectors.
We take a closer look at the regulator’s mandate under POPIA and the Promotion of Access to Information Act (PAIA), focusing on how they address security breaches and regulate direct marketing practices.
The Regulator: Safeguarding Privacy and Transparency
The regulator's mandate focuses on two key areas:
Data Protection: Enforcing compliance with POPIA to safeguard personal information.
Access to Information: Promoting transparency and access under PAIA.
Through investigations, enforcement notices, and proactive measures, the regulator ensures adherence to best practices in data protection and privacy management.
Addressing Security Breaches
South Africa faces an alarming rise in data breaches across sectors. The regulator's efforts to address security compromises include:
Investigating breaches to determine causes and impact.
Issuing enforcement notices to address non-compliance.
Conducting assessments to identify systemic vulnerabilities.
A Growing Concern: Breach Statistics
2022: 500 breach notifications.
2023: 1,700 breach notifications—a 240% increase.
2024 (April-September): 1,130 breaches reported within six months.
These figures reveal that no sector is immune to cyber threats, emphasising the importance of robust cybersecurity measures.
Lessons from Key Cases
Case Study: Independent Electoral Commission (IEC)
A temporary staff member at the IEC gained access to sensitive systems, resulting in the unauthorised disclosure of candidates' personal information on social media.
Key Findings: The IEC lacked sufficient organisational measures and failed to notify affected data subjects promptly.
Regulator’s Response: The IEC was mandated to improve access controls and restrict sensitive systems to authorised personnel only.
Case Study: WhatsApp Privacy Policy
WhatsApp’s 2021 privacy policy update sparked concerns about its compliance with POPIA.
Key Issues:
Privacy safeguards didn’t meet GDPR standards.
WhatsApp failed to comply with POPIA’s conditions for lawful data processing.
WhatsApp refused to acknowledge PAIA’s applicability.
Outcome: The regulator issued an enforcement notice, giving WhatsApp a timeframe to align with local privacy laws.
Direct Marketing: Ensuring Compliance
Direct marketing, particularly through unsolicited communication, remains a compliance challenge. POPIA requires strict compliance with Section 69, which governs electronic direct marketing via SMS, email, or automated calls.
Types of Direct Marketing:
Non-Electronic Marketing (e.g., postal mail or in-person delivery): Must have a legal basis for processing personal information.
Electronic Marketing:
Consent must be obtained before sending marketing messages.
Databases must track individuals who withhold or withdraw consent.
Despite these guidelines, many organisations fail to comply. For instance, the first communication with consumers is often direct marketing rather than a consent request, violating POPIA’s requirements.
The Role of Telecommunication in Direct Marketing
A common debate is whether telephones qualify as electronic communication under POPIA. The regulator's position is that, given modern telecommunication technology, telephones are electronic devices and calls made with them fall within electronic communication.
What’s Next?
The regulator plans to:
Investigate complaints about non-compliant telemarketing.
Issue a guidance note clarifying compliance expectations.
Advocate for judicial clarification if necessary.
Enhancing Engagement: Practical Suggestions
The regulator encourages proactive collaboration to improve compliance. Suggestions include:
Encouraging departments to share cybersecurity challenges ahead of discussions.
Utilising interactive platforms like WhatsApp for Q&A sessions during events.
Conclusion
The regulator’s proactive measures are essential in addressing cybersecurity challenges and ensuring responsible direct marketing practices. By holding organisations accountable and raising awareness, they protect personal information and promote compliance with POPIA. As the data protection landscape evolves, staying informed and proactive is key to maintaining compliance.
For more insights on data protection and cybersecurity, stay tuned for part 2 of this series.
Want to know more?
If you missed the webinar or would like a recap, view it here.
We’ve compiled a Q&A document with all the questions from our recent webinar, along with detailed answers. Download it here: https://bit.ly/41kNT71