Skip to content

SA Information Regulator Investigates Data Breach of DisChem’s Customers

The Regulator has invited both DisChem and its third party service provider, Grapevine, to explain a major breach which has allegedly lost details of 3.6m of DisChem’s clients earlier this year. DisChem claimed that the breach was the fault of Grapevine, but the Regulator apparently was amazed to discover that there were no proper contracts between the companies, while the POPI Act expects companies which outsource data processing to have contracts in place to protect personal data. The regulator’s enforcement notice ordered Dis-Chem to conduct a personal information impact assessment to ensure that adequate measures and standards exist to comply with the Act. It must also, among other things, implement an adequate incident response plan and payment card industry data security standards (PCIDSS) by maintaining a “vulnerability management programme”, and maintain an information security policy and introduce strong access control measures. Fines may also be levied.

Meanwhile the Kenyan Data Protection Regulator is already picking up speed in investigating and fining companies for failing to apply the Kenyan Data Protection Act. In the latest case, a digital credit provider, which operates KeCredit and Faircash mobile lending apps, has been fined Sh2.98m for sharing the contact information and names of complainants with third parties. Some of these third parties then sent threatening messages and phone calls to those individuals. In the past month, the Regulator has also fined a school and a night club for failing to apply the law.

Alastair Tempest

Become a member

Join the Ecommerce Forum South Africa and benefit from industry insights in South Africa and Africa.

Sign up to newsletter

Sign up to our newsletter and stay informed of the progress we are making at the Ecommerce Forum South Africa with government during Coronavirus.