Company Data Security

The Information Regulator of South Africa is on the proverbial warpath, and directors are very much in the line of fire. Knowing this, are you sure you have personally done enough to ensure your company’s compliance? 

If you’re at the head of a company (whether you’re a director, owner or CEO) chances are that you’ve already learned one of the vital lessons of business – surround yourself with experts and assign the right responsibilities to the right people. Unfortunately, if you’ve been compartmentalising your company’s data security responsibilities, you are putting your business and yourself at dire risk. 

Over the last 12 months, the Information Regulator has been particularly active, making sure that it makes examples of as many organisations in breach of the Protection of Personal Information (POPI) Act as possible. Over the course of 2024, the watchdog has gone after a marketing firm, several security estates, the Department of Education, and a host of others both big and small. 

The truth is that we have reached the point where no business can afford to ignore cyber risks. If you are working with clients, store any information, make use of artificial intelligence or simply have a website, you are in the game for good – and you need to know what it takes to keep your head. 

Of course, PoPI is a talking point that pretty much every South African business is familiar with by now. Ever since it was enacted all the way back in 2013, the importance of PoPI compliance has been drilled into the minds of business leaders. 

The fines of up to R10 million, steep compensation for victims and the potential for jail time are well understood, and there is certainly no need to keep repeating the fact that just one data breach can sink a company. 

Indeed, after more than a decade of warnings, the vast majority of directors will proudly proclaim that their businesses are PoPI compliant – after all, they’ve appointed IT firms and invested in “data security training” for their employees. 

However, it is highly likely that most of these directors are under a very false assumption. In reality, data protection is a company-wide responsibility. It is also an ever-evolving risk. Data thieves keep getting more sophisticated, data breaches are more frequent than ever before and employees unknowingly breach the PoPI Act with frightening regularity. 

That last point brings us to the other major factor to consider. The Companies Act has recently seen some crucial amendments, particularly in the area of directors' liability. In a nutshell, you, the director, are personally responsible for your company's failings in PoPI compliance if the steps you have taken are deemed to be inadequate. The most recent amendments have extended the prescription period, meaning that you now face liability even longer after your company made its fatal mistake. 

As an aside, surveys have shown that nearly half of directors in South Africa are still not adequately aware of their duties as outlined under the Companies Act. This in itself is a considerable risk that should worry any business owner or company Board. It is crucial to make sure that you and your fellow directors never find yourselves in that unfortunate demographic. 

So I ask the question again: have you done enough to protect your business (and yourself), or have you passed that responsibility on to the IT department and hoped for the best? 

Data security is not an IT issue

The most important message to take from this article is the fact that your company’s data security is a management issue, not an IT issue. 

Certainly, if you are to stay ahead of this incredible risk, data security has to become its own department. A responsible Board member needs to be assigned to this function, and this ever-evolving risk needs to be acknowledged and discussed at Board meetings. 

Next, you and your directors have to make the time to stay abreast of developments relating to the PoPI Act, be aware of major compliance cases taking place right now, and brush up on related regulation. This includes the Companies Act, and in the event that you have clients from the European Union, the General Data Protection Regulation (GDPR). 

Your company also needs to get a head start on the legal side of data security. If the Regulator starts knocking on the door after accusations have been made, it is too late to start looking for a PoPI-savvy lawyer. 

Appoint a legal advisor as soon as humanly possible to review your company’s data policies, contracts, practices and employee training. Listen to the advice, close all the possible loopholes and fix your glaring risks. After all, prevention is better than cure. 

Lastly, train everyone in your organisation in data security. Far too frequently, data security training is approached in exactly the same way as maintaining compliance. 

How often have you heard directors say that employees or new hires all receive data security training on day one? Now, how often have you heard those same directors talk about the training that Board members receive? Or for that matter, how often does company-wide training really take place? If you want to keep your business safe, you need training at every station and rank, and it will require regular updates and retraining. 

Follow these steps and your risk of falling foul of the Regulator will decrease dramatically. Nevertheless, never become complacent by believing that the above measures will completely mitigate all the threats your business faces on this front. 

Stay up to date, know that you (yes, you the director) are personally responsible for managing this risk, and ensure that you understand exactly what your organisation needs to stay ahead of the threats wherever they emerge.  

Hendre Vorster
Jonker Vorster Attorneys
Tel: 021 001 4757
Email: hendre@jvattorneys.co.za
