On 31 August 2023, the Information Regulator issued an enforcement notice in the context of its investigation into Dis-Chem Pharmacies Ltd for contravention of various sections of the Protection of Personal Information Act relating to a security breach affecting around 3.6 million data subjects. It was highlighted that Dis-Chem failed to implement adequate security measures, including addressing the risk of weak passwords and entering into an operator agreement with its third-party service provider, Grapevine, which was compromised in a brute force attack. The notice requires Dis-Chem to conduct a personal information impact assessment and implement an incident response plan. It also requires the company to adopt the Payment Card Industry Data Security Standard and establish contracts with all operators processing personal data, along with maintaining a compliance framework to meet the obligations of the Act. The company must respond to the Regulator within 31 days on the implementation of these actions, with non-compliance potentially resulting in fines of up to ZAR 10 million or imprisonment.