The Information Regulator issued a POPIA enforcement notice against Lancet Laboratories in September 2024 for failing to comply with POPIA's breach notification requirements. The Information Regulator conducted a POPIA compliance assessment following the numerous security compromises experienced by Lancet Laboratories. The regulator found that Lancet had not notified the affected data subjects within a reasonable time, as required by section 22 of POPIA. The Information Regulator instructed Lancet Laboratories to strengthen its security safeguards and improve its breach notification processes. When the company did not meet these requirements, the regulator imposed a R100,000 penalty through a POPIA infringement notice.

The Lancet Laboratories enforcement notice

The regulator ordered Lancet Laboratories to urgently take the following actions:

  • Implement adequate security safeguards to protect personal information and prevent unauthorised access.
  • Establish and maintain proper breach notification processes to ensure affected data subjects are notified without undue delay.
  • Review and update internal procedures to comply with section 22 of POPIA.

Lancet Laboratories must comply with the enforcement notice within the timeframe specified by the Information Regulator (exact date not publicly disclosed). Failure to comply could result in a fine of up to R10 million, imprisonment, or both.

Regulator’s findings in the Lancet Laboratories enforcement notice

Based on its compliance assessment and media statement, the regulator found that Lancet Laboratories breached POPIA by:

  • Failing to notify affected data subjects of a security compromise within a reasonable time, as required by section 22.
  • Failing to have adequate systems and procedures in place to ensure timely and effective breach notifications.
  • Experiencing multiple security compromises without implementing sufficient remedial measures to prevent recurrence.
  • Not ensuring that personal information in its possession was adequately protected against loss, damage, or unauthorised access.

What organisations can learn

What organisations can learn from the Lancet Laboratories enforcement notice:

  • Timely breach notification is critical. Under POPIA, you must inform both the Information Regulator and affected data subjects without unreasonable delay after discovering a data breach.
  • Breach response procedures must be ready in advance. Organisations should maintain an incident response plan with clear steps and responsibilities for notifying stakeholders.
  • Organisations must learn from prior incidents. If you experience a breach, you must take corrective action to address the vulnerabilities and prevent recurrence.
  • Security safeguards must be proactive. This includes strong access controls, regular security testing, and continuous monitoring to protect personal data.

The regulator issued an infringement notice

Lancet failed to comply with the enforcement notice, so the regulator sent Lancet an infringement notice with a fine of R100,000. Lancet Laboratories has since complied with the notice and paid the fine.

Actions you can take