Privacy implementation in South Africa – Quo vadis?

By Johanette Rheeder


The Protection of Personal Information Act, 2013 (POPIA) is yet to be implemented, and every now and again, South Africa is faced with the effect of privacy violations and cybercrime.

The City of Johannesburg (COJ), on 24 October 2019, announced a breach of its network by hackers and shut down its website and all e-services as a precautionary measure. In a tweet, the City said it had detected a network breach "which resulted in an unauthorised access to our information systems". A deadline to pay bitcoin as ransomware, set by a group calling themselves "Shadow Kill Hackers" has passed without COJ complying. The group sent a ransom note to the City of Johannesburg, demanding payment of 4.0 bitcoins by October 28 at 17:00, or it would upload all data it had hacked from the City's servers.[1] 

This again, brings to the forefront, the question as to when POPIA is going to be implemented to provide the users of these systems such as COJ’s network, with privacy protection?

According to recent studies in the South African privacy environment, 77% of South African decision-makers admit their organisation will suffer reputational damage, if fined for non-compliance with POPIA(Protection of Personal Information Act, 2013). The reputational damage can be more damaging than the financial penalties, as it involves loss of goodwill, unplanned costs and loss in client or customer trust. Penalties can include fines up to 10 million rand or imprisonment for Privacy officers (Heads of the organisations).

The burning questions with regard to Privacy protection in South African is not why we must comply anymore, but when are we going to start the process? Privacy protection are Constitutionally recognised in South Africa and places privacy protection in our Country on par with international protection such as found in Europe and England.

POPIA and its regulations require each organisation to do a protection of personal information impact assessment or commonly known as a Gap assessment, a compliance framework and a continued implementation plan. The regulations also require organisations to do awareness training amongst all its employees. After implementation, organisations will have one year to comply. High priority in terms of POPIA compliance should translate to determine the readiness of the organisation; and without a concrete PIIA and action plan to protect personal information, organisations will lag behind and may be caught off guard.

Unfortunately, in terms of data breaches, nobody knows when or where it is going to strike next, which is why being prepared is so important. Data breaches, such as experienced by COJ, is not the only risk organisations face, as technical and organisational security measures are but one of the eight conditions of POPIA that an organisation must comply with. 

One year to comply is very short, especially taking into consideration that GDPR in Europe allowed two years to become compliant and only 30 to 40% of these international organisations are complaint yet, after GDPR came into operation on 25 May 2018.



You can download this newsletter as a PDF document, or send the link to a friend.
Download as PDF
Title Description Published By
Dec 2019
The development of vicarious liability in employment law Alex Davies View
Oct 2019
Prescription of Labour law Wanya Cloete View
Sep 2019
Litigation Privilege: when and how can it be waived? Ivor Heyman View
Aug 2019
Refusal to accept a demand by an employer a legitimate operational requirements? Alex Davies View
July 2019
The Concept of Job Security & Fairness For Employees in Retrenchments Alex Davies View
June 2019
Can a union suspend a strike and take it up again? Johanette Rheeder View
May 2019
Social Media – Clash between Freedom of Expression & Privacy Ivor Heyman View
April 2019
Canabis in the workplace Wanya Cloete View
March 2019
GDPR/POPIA – Where Technology and Ethics have reached crossroads Megan Grindell View
February 2019
Strikes – certificates of outcome and matters of mutual interest – how far does it stretch? Johanette Rheeder View
Jan 2019
Regulations relating to the Protection of Personal Information Johanette Rheeder View
Dec 2018
Collection of debt from Employees Johanette Rheeder View
Nov 2018
Strikes – certificates of outcome and matters of mutual interest – how far does it stretch? Johanette Rheeder View
October 2018
The right to strike – A matter of mutual interest Johanette Rheeder View
July 2018
Extension of Collective Agreements Alex Davies View
June 2018
GDPR / POPIA – Where Technology & Ethics Have Reached a Crossroad Megan Grindell View
May 2018
Exemption Clauses: an assessment of the burden of proof Ivor Heyman View
April 2018
Companies that cannot afford the National Minimum Wage Department Of Labour View
March 2018
Portfolio Committee on Labour Extended Invitation for Commentary By SASLAW View
February 2018
Business Rescue Proceedings – A Brief Overview Alex Davies View
January 2018
Collection of debt from employees Alex Davies View
November 2017
Publication Of New Bills Which Impact Employment Alex Davies View
September 2017
POPI Regulations & the duties of the Information Officer Johanette Rheeder View
August 2017
Is a Break in the Trust Relationship, a prerequisite to Dismissal? Alex Davies View
July 2017
Temporary Employment Services - NUMSA vs Asign Services Alex Davies View
June 2017
Probation and probation related dismissals in the CCMA Johanette Rheeder View
May 2017
Job descriptions and extra duties required of an emplyee Johanette Rheeder View
March 2017
The extention of collective agreements in the workplace Alex Davies View
January 2017
The application of the prescription act to disputes under the labour relations act Alex Davies View
November 2016
Who can represent parties at CCMA proceedings? Yozan Botha View
September 2016
“Solidarity for Ever” Collective bargaining – rights and duties Johanette Rheeder View
July 2016
POPI Implementation on the horizon Johanette Rheeder View
May 2016
Applying the rule test in disciplinary hearing Johanette Rheeder View
April 2016
Does the managerial prerogative still apply during the recruitment process? Johanette Rheeder View
March 2016
The Stigmatising Effect of Medical Testing on Mental Illness Kellie Hennessy View
February 2016
Office Romance - A Lesson in managing personal relationships at work Kellie Hennessy View
January 2016
Rights for Males to Maternity Leave Benefits Kellie Hennessy View
December 2015
Interdicting Disciplinary Hearings Johanette Rheeder View
November 2015
The Right to Natural Justice in Disciplinary Hearings Xander Wehncke View
October 2015
The Protection of Personal Information Act No 4 of 2013 (“POPI”): Rethink the ‘architechture’ of your business Kellie Hennessy View
September 2015
Load Shedding in the Workplace: Negotiate Back the Power Kellie Hennessy View
July 2015
Retrenchment - Do We Recognise The Effect? Johanette Rheeder View
June 2015
The new CCMA rules - The ultimate relief? Johanette Rheeder View
May 2015
Medical Incapacity, Disability and Discrimination Kellie Hennessy View
April 2015
Breach of the trust relationship in employment: What to prove and how to prove it Xander Wehncke View
March 2015
The exposure of senior employees in terms of Labour Relations Amendment Act 2012 Johanette Rheeder View
February 2015
The Correct Approach to a Reviewable ‘Error in Law' Kellie Hennessy View
January 2015
E-Cigarettes and the Workplace Kellie Hennessy View