The Information Regulator on Thursday issued an R8m administrative fine against a mid-sized financial-services firm — the name remains under non-disclosure pending appeal — for a failure to notify affected data subjects within the 72-hour window stipulated by the Protection of Personal Information Act.
The size of the fine is unremarkable. The fact that it was issued at all is the news.
Why it matters
POPIA came into force in 2021. For three years it has been a regulation that companies wrote policies about but did not, in practice, fear. The Regulator's enforcement actions before this week were limited to warnings, "engagements," and one symbolic fine of R5m against the Department of Justice (which has not paid).
A R8m fine against a private-sector firm changes the calculus. It establishes (a) that the Regulator will pursue large administrative fines, (b) that the 72-hour notification window will be enforced literally, and (c) that "we patched it within 24 hours" is not a defence if you did not also notify.
Who should be paying attention
Every CIO and every audit-committee chair at any company holding personal data on more than 50,000 South Africans. The Regulator's stated focus areas for the next twelve months are financial services, healthcare, education, and the mobile-network operators.
What to do this week
- Re-read your incident-response playbook. Find the line that says "we will notify affected data subjects within X hours." If X is greater than 72, update it.
- Confirm who at your firm has the authority to send that notification at 02:00 on a Saturday.
- Confirm the Regulator's contact email is in the playbook. It is enquiries@inforegulator.org.za.
The Regulator publishes its enforcement orders on inforegulator.org.za under "Decisions."