A lot has been made of the maximum penalties in POPI. How exposed are business owners really to long jail terms and large fines?

The often-quoted R10m and/or 10 years' imprisonment provision is a maximum penalty and only applies if you:

  • hinder, obstruct or unlawfully influence the Regulator  POPI s100
  • fail to comply with an Enforcement Notice  POPI s103(1)
  • give false evidence  POPI s104(2)
  • seriously or persistently, unlawfully process account numbers where it is likely to cause substantial damage or distress  POPI s105(1-3)
  • without justification or consent acquire account numbers, sell them or try to sell them  POPI s106(1,3 & 4)
    • ‘Account number’ above refers to a code assigned by a (financial) institution that allows someone to access funds or credit facilities  POPI s105(5)

The 1 year imprisonment or fine provision is again a maximum penalty and only applies if you:

  • process information that carries a particular risk to the Data Subject which requires prior approval AND you fail to get approval from the Regulator POPI s57 – see note 1 below
  • work for or on behalf of the Regulator and then breach confidentiality POPI s54 & 101
  • fail to reasonably cooperate with the execution of a warrant POPI s102
  • falsely declare compliance with an Information Order issued on your organisation by the Regulator POPI s103(2)
  • fail to comply with a summons to give evidence before the Regulator POPI s104(1)

Clearly the Regulator has to be respected but it seems unlikely that reasonable and informed business owners have much to fear in terms of fines and imprisonment.

There are many good reasons to comply with POPI. Not least of these is being deserving of the trust placed in the organisation by its customers. The organisation’s reputation and civil liability are also important considerations.

By focussing on the penalties we risk missing the point and also the potential benefits of compliance.

Notes

  1. Some examples of processing that requires prior approval are: secretly linking databases with 3rd parties on ID number, documenting criminal behaviour, credit reporting and exporting sensitive information to countries without privacy protections POPI s57