Many people ask why they need to be aware of, and comply with, data privacy laws such as the Protection of Personal Information Act (POPIA). What are the privacy risks? What is the impact on an organisation? What is the risk of non-compliance? Below are what we consider the top risks related to privacy issues. Some of them are quite scary. We list the risks for both organisations and individuals.
Privacy risks for organisations
Lose customers due to loss of trust
People are more inclined to do business with companies that they can trust. People will be hesitant to do business with an organisation if they are unsure that their personal information is secure, or that the organisation will use that information in an inappropriate way. Since POPIA was drafted specifically to deal with these types of issues, if customers find out that you are not compliant, they may start to lose trust in your organisation, and move their business elsewhere, especially if you handle sensitive personal information.
Failure to attract new customers
If your organisation has been identified as one that does not comply with POPIA, this will deter new customers from doing business with you. Customers are unlikely to want to do business with a person or organisation that disregards laws aimed at protecting them.
Bad publicity = damage to reputation
If there is a breach of your security and personal information is stolen or leaked, POPIA will require you to notify the regulator and affected customers (see section 22). If your organisation lacks the means of communicating on a one-to-one basis with your customers, or a large number of customers are affected by the breach, the regulator may require you to publish a public notice, such as in a newspaper, informing the public of the breach (see section 22(4)). Invariably this will be an embarrassment for the organisation, customers will lose faith in the ability of the organisation to protect their personal information, and its reputation will suffer. This could result in serious indirect financial consequences.
Civil action for damages – class actions
If there is a security compromise, or you breach the provisions of POPIA, the organisation may be liable for damages suffered by affected customers. Section 99 of POPIA deals with civil actions for damages. To an extent, enforcement of POPIA has been decriminalised: civil action is the penalty rather than a fine or imprisonment. Often a breach of security does not involve a single client, but many. This may lead to customers forming a class action suit against the organisation. An example of this can be seen in the Netflix Case, in which several clients are suing the DVD rental organisation for inappropriately disclosing personal information to a third party. The suit is asking for $2,500 in damages for each of the more than 2 million customers, which amounts to about $5 billion.
In South Africa, class actions have not been as popular as in other parts of the world. However, recent court decisions have brought class actions into focus. For example, in Children’s Resource Centre Trust v Pioneer Food, the Supreme Court of Appeal (SCA) handed down a landmark judgment setting out the procedural requirements for instituting a class action. The SCA also gave clear guidance on when someone can pursue a class action.
Regulatory investigations and enforcement notices
POPIA allows the regulator to investigate (section 81) and send certain notices to an organisation that has breached POPIA. Once the regulator completes its investigation into a complaint, it may issue enforcement notices, information notices, or infringement notices to organisations that have had complaints lodged against them. Receiving one of these notices can be very disruptive to your operations. As an example, section 82 allows the regulator to seize hardware or systems of the organisation to investigate the truth of the complaint. Even if no damages or suits arise from the investigation, the potential losses from the downtime the organisation may experience could be huge.
Fines
The regulator can also issue a fine on an organisation if it commits an offence under POPIA. Data protection authorities in other countries have issued many fines to organisations that have flouted data protection laws. For example, the Information Commission in the UK can fine organisations up to £500,000. Countries with more mature data protection laws have been known to issue more fines because they can apply data protection principles.
Liable for the actions of your operator
If you (as the responsible party) outsource the processing of personal information to a third party (an operator), you will be held liable for their actions. The proper structuring of these relationships is vital. Data protection laws (such as the GDPR or POPIA) generally require that organisations processing personal data together enter into written agreements with one another. These agreements are called data processing agreements (or data processing addendum or DPA).
Your main business activity becomes unlawful
The greatest risk, for some organisations, is that their main business activity may become unlawful. This is especially relevant for direct marketers, as section 69 restricts marketers from sending unsolicited SMS, email, and other forms of electronic communications. Physical means of direct marketing must follow various principles. If the correct procedures and methods are not followed, you will be in breach of POPIA and will be open to possible lawsuits from affected customers. Therefore, you must ensure that your current business activities comply with POPIA, so that you do not end up acting unlawfully. Remember, ignorance of the law is no defence!
Privacy Risks for the Individual
A Fine or Jail Sentence
POPIA provides for offences, fines and administrative penalties for non-compliance. For example, interfering with the investigations of the regulator is a criminal offence, and could lead to a fine or up to 10 years imprisonment. It is surprisingly easy to interfere with the investigations of the regulator, so much so that you may not even realise that you are doing it. Because of the serious consequences for non-compliance, it is vital that you are fully aware of the responsibilities and duties imposed on you by POPIA.
You could get fired
If there is a privacy breach or a successful claim for damages against your organisation and it ends up paying out a lot of money, your organisation will look for someone to blame, and it may be you. You may face disciplinary action, including dismissal. The best way to avoid this will be to make sure your organisation complies with POPIA and that you have complied with your obligations. For example, in the US a nurse was fired for disclosing a patient’s medical information. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation.
In January 2021, ABSA confirmed that it dismissed an employee for unlawfully making selected customer data available to an external platform and then selling it to third parties.
You could be held personally liable for damages suffered by data subjects
If a customer claims damages, section 99 allows the damages to be claimed against an individual, especially if your negligence was the cause of the security breach or unlawful processing of personal information. While an organisation may be able to afford a multi-million rand suit for the breach of privacy, very few individuals would be able to do so. Data subjects also have more means available to protect their personal data. The regulator has published rules on the procedure a complainant should follow to submit a complaint to the regulator. The rules set out detailed information on how the regulator will handle complaints.
Find out more about these risks, and active measures you can take to govern them, by attending one of our workshops.