Topic 1 - Cybersecurity Awareness Month

Oct 5, 2020, 13:30 PM by Riaan De Villiers
Today we kickoff Cybersecurity Awareness Month with our discussion of the POPI Act Principle - Accountability.

Cybersecurity Awareness Month 

POPIA Principle 1 – Accountability

In today’s blog post, we will be taking a look at the first principle under POPIA, called Accoutability.

POPIA requires each organisation to appoint an information officer. By default this person is the CEO of the company, but deputies can be appointed and be given the role of information officer.

The CEO/Information Officer is accountable to the Information Regulator (who is the Regulator in terms of POPIA).


There is dual accountability. The information officer is also accountable to each and every data subject (the people whose information is being processed). This means that in the case of a breach, despite being fined by the Information Regulator, each individual can also hold the company liable personally (sue them).

In this context it is very important to bear in mind that accountability is something that you cannot get away from. The Information Regulator has a duty to publish security breaches, which means that if there was a breach your company’s name will be out there. So even if you thought that there was a chance of getting away with it, if the breach is reported to the Information Regulator (IR) either by yourself or a third-party, the IR will publish the breach if the report is found to be true.

The implications hereof are that not only may your company be fined, based on the size and nature of the breach, but each affected individual will be able to claim damages from you in their personal capacities or by way of a class-action.

By far the worst implication of a publication of a data breach is the reputational damage though. There are multiple examples of companies that have seen a massive impact on their share price through the publication of a data breach. The best example of this is when Facebook was fined for a data breach in February 2018, the publication of which resulted in a $100 billion drop in their market capitalisation. A company like Facebook can survive something like this and has more than made up the losses since, but can your company?

Questions you need to ask yourself when considering how much time and effort you should spend on preparing your company for POPIA compliance are:

1. What type of business am I in?

2. Does this type of business require that customers trust me?

3. What would happen if I lost their trust?

4. Who is my competition in this market?

5. What would they do if they found out that the IR published information about a data breach at my company?

6. Do I care about my company’s reputation at all?

7. What is that worth to me?

I think it is self-evident that most companies when confronted with these issues do believe that they have something to lose and that it may be worth their while to take the necessary steps to protect the personal information of their customers.

Compliance tip –

Do you have your customer’s consent to collect their data?
Take a step towards compliance by letting your customers sign a consent form with SigningHub.

- Rian Schoeman

POPI Principle - Accountability