The Information Regulator’s R5 million administrative fine, issued to the Department of Justice and Constitutional Development (“DoJ”), is not a true indication of the real cost of not complying with a privacy law like the Protection of Personal Information Act (“POPIA”).
Whilst the DoJ’s compliance failure costs are likely to also include “hidden” costs like legal fees, damages claims, public relations costs and reputational harm, the cost to South Africa, in potentially lost foreign direct investment, could be far higher.
As far as the DoJ’s hidden costs are concerned, they are likely to far exceed the cost of the Information Regulator’s R5 million administrative fine.
Legal fees, particularly for representation in a specialised area like privacy law, can be eye-wateringly expensive. Remember that there is the possibility of two separate legal processes where representation will be needed: the Information Regulator’s legal processes and the possibility of civil litigation by those affected by their personal information being compromised. If the civil litigation is successful, there is the added cost of having to pay damages claims to those whose information was compromised. In instances such as the DoJ’s, where the number of claimants could run into tens of thousands, damages claims could be huge.
There is also the cost of the public relations exercise that will need to be undertaken to deal with the bad publicity. Addressing this adverse publicity can also be costly, possibly necessitating the services of specialist public relations agencies and consultants. These consultants will need to address the reputational harm that comes with the bad publicity and the further breakdown in trust that comes with a fine like the DoJ’s.
The cost to South Africa, as a country, could be far higher though. This is because when the very government department tasked with promoting and respecting a law like POPIA is seen to be ignoring the very regulator tasked with enforcing the law, there is a real impact on the country as an investment destination, especially for investors in the digital economy.
The DoJ’s failures are significant and have an impact because South Africa is positioning itself as an attractive destination for foreign direct investment in its digital economy. The digital economy has been identified as one of the sectors that will be able to rapidly create employment, especially in human resource-intensive sectors like business process outsourcing, information and communications technology and even tourism.
Research shows that the top three elements investors consider when investing in new digital activities are:
- data security regulations;
- copyright laws to protect intellectual property; and
- data privacy regulations.
The DoJ and the Minister are responsible for overseeing data privacy regulations, namely POPIA. The DoJ should be the poster child for POPIA compliance.
The DoJ’s “own goal” was not that it suffered a security compromise – compromises happen to the “best” of organisations. Its own goal was failing to respect the authority of the institution tasked with regulating POPIA, effectively treating the Information Regulator with disdain. Its failure to engage with the Information Regulator and demonstrate respect for the law has broader implications for South Africa’s ability to attract foreign investment into its digital economy. The disdain with which it has treated the Information Regulator, and its lack of respect for POPIA, do not present a good impression to those looking at investing in South Africa.
The DoJ and other government departments and agencies that are yet to realise POPIA’s importance need to do some serious introspection. Their failures are potentially costing us billions of rands in lost foreign direct investment and, even more importantly, desperately needed jobs.
Simply put, POPIA compliance means more investment in the digital economy and therefore more jobs. Please, just comply.