A Cautionary Tale on Data Protection: a reminder that strict adherence to the conditions for the lawful processing of personal information is essential to compliance under POPIA

On 1 September 2023, a major South African pharmaceutical company (“the Company”) was issued with an Enforcement Notice by the Information Regulator of South Africa.
In a novel finding by the Information Regulator, the Company was issued with an Enforcement Notice after it was found to have breached various sections of the Protection of Personal Information Act 4 of 2013 (“POPIA”).

In brief, the Company’s e-Statement Service database was managed by a third-party service provider (“the Third-Party Service Provider”). In or around April and May 2022, the Third-Party Service Provider suffered a brute-force attack. The Company only became aware of the security compromise and/or data breach through an SMS sent to some of its employees, and it was at that point that the Company notified the Information Regulator of the incident.

It became apparent to the Information Regulator that the Company had failed to notify the affected data subjects of the security compromise, as required by section 22 of POPIA.

Outcome by the Information Regulator

Upon conducting an investigation into the security compromise, the Information Regulator found that the Company had compromised the protection of its data subjects’ personal information and had breached the conditions for the lawful processing of personal information. As such, the Company was required to:

To read the entire article, please click here.