Sunday Times

Q&A

- Has it come into force yet? With a one-year grace period? Are you toothless until then? Do we need a year’s grace period? They’ve had years to do this … Will you be able to enforce it?

SA has just experience­d its biggest data heist so far. Chris Barron asked the Informatio­n Regulator SA’s chair, advocate PANSY TLAKULA …

How strictly are you able to regulate the sale of private data by credit bureaus etcetera?

The Protection of Personal Informatio­n Act gives us quite effective enforcemen­t powers.

It came into force in July.

Yes. It ends on June 30 2021.

We are not toothless as such. We are engaging with public and private bodies to assist them with compliance.

Can you act against those who don’t comply?

No, we can’t enforce, fine or prosecute them, no.

So you can’t act against credit bureau Experian?

We cannot.

Even for saying stolen data had been recovered, when it hadn’t?

We have appointed forensic analysts to review their investigat­ion to make sure whether what they told us is true or not.

Didn’t you investigat­e their assurances at the time?

After they gave their assurances, when the informatio­n was found on the website of WeSendit in Switzerlan­d, we decided no, we can’t just rely on their say-so.

Why has the law, passed in 2013, taken so long to be put it into effect?

It’s not in our hands.

How seriously do our legislator­s take cybercrime and data theft?

Maybe in the past they did not take it as seriously as they do now.

Are you concerned that the cybercrime­s bill is still sitting with the National Council of Provinces?

They have to pass it very quickly, because the number of data breaches in this country is quite scary.

Why has SA lagged so far behind in dealing with this?

I don’t think we have connected the whole digital economy, fourth industrial revolution, all that. We have not put data protection in the centre of that. We have to because data is now the new oil. That is what I suspect has not been fully appreciate­d by our authoritie­s. I don’t think you can talk about foreign direct investment without putting data protection in the centre of that, because whoever might want to come and do business here, especially from the European countries, will want to know the strength of our data protection regulation­s.

Does our legislator­s’ attitude explain why we have the thirdhighe­st number of cybercrime victims in the world?

It could be. The cybercrimi­nals are hovering all over the world, we’re not the only victims. But if they know they can strike in SA with impunity they’ll hit us. And that is what is happening.

I think so, yes. So that companies, everybody, can put their compliance in place.

Yes, but you know how we are. Everybody leaves things to the last minute. Maybe they’ve been thinking this act will not come into operation.

Our budget is miserable — R45m. And if you have a big data breach like Experian you need a forensic IT analyst. And they don’t come cheap.

?? ??

Newspapers in English

Newspapers from South Africa