Q&A
SA has just experienced its biggest data heist so far. Chris Barron asked the Information Regulator SA’s chair, advocate PANSY TLAKULA …
How strictly are you able to regulate the sale of private data by credit bureaus etcetera?
The Protection of Personal Information Act gives us quite effective enforcement powers.
It came into force in July.
Yes. It ends on June 30 2021.
We are not toothless as such. We are engaging with public and private bodies to assist them with compliance.
Can you act against those who don’t comply?
No, we can’t enforce, fine or prosecute them, no.
So you can’t act against credit bureau Experian?
We cannot.
Even for saying stolen data had been recovered, when it hadn’t?
We have appointed forensic analysts to review their investigation to make sure whether what they told us is true or not.
Didn’t you investigate their assurances at the time?
After they gave their assurances, when the information was found on the website of WeSendit in Switzerland, we decided no, we can’t just rely on their say-so.
Why has the law, passed in 2013, taken so long to be put it into effect?
It’s not in our hands.
How seriously do our legislators take cybercrime and data theft?
Maybe in the past they did not take it as seriously as they do now.
Are you concerned that the cybercrimes bill is still sitting with the National Council of Provinces?
They have to pass it very quickly, because the number of data breaches in this country is quite scary.
Why has SA lagged so far behind in dealing with this?
I don’t think we have connected the whole digital economy, fourth industrial revolution, all that. We have not put data protection in the centre of that. We have to because data is now the new oil. That is what I suspect has not been fully appreciated by our authorities. I don’t think you can talk about foreign direct investment without putting data protection in the centre of that, because whoever might want to come and do business here, especially from the European countries, will want to know the strength of our data protection regulations.
Does our legislators’ attitude explain why we have the thirdhighest number of cybercrime victims in the world?
It could be. The cybercriminals are hovering all over the world, we’re not the only victims. But if they know they can strike in SA with impunity they’ll hit us. And that is what is happening.
I think so, yes. So that companies, everybody, can put their compliance in place.
Yes, but you know how we are. Everybody leaves things to the last minute. Maybe they’ve been thinking this act will not come into operation.
Our budget is miserable — R45m. And if you have a big data breach like Experian you need a forensic IT analyst. And they don’t come cheap.