That was the word from advocate Johannes Collen Weapond, full-time member of Information Regulator, who spoke at the ITWeb POPI Update 2017 conference. The event was held in Sunninghill this morning.
The Information Regulator is a new regulator that has been created by the Protection of Personal Information (POPI) Act.
According to law firm Michalsons, POPI gives the Information Regulator teeth – it has extensive powers to investigate and fine responsible parties.
"Data subjects will be able to complain to the Information Regulator and it will be able to take action on behalf of data subjects, the firm notes. The Information Regulator reports to Parliament and is the South African equivalent of the Information Commissioner in the UK," according to Michalsons.
Last year, President Jacob Zuma appointed Pansy Tlakula as full-time member and chairperson of the Information Regulator. The other appointments included Lebogang Cordelia Stroom and Weapond as full-time members, and professor Tana Pistorius and Sizwe Snail Ka Mtuze as part-time members of the Information Regulator.
"Key to anything and everything that everybody in South Africa does is information. There is no transaction that can take place without information," said Weapond.
He highlighted that as any other regulator in SA, like ICASA and the Public Protector, the Information Regulator also needs to be independent. This can be realised when the Information Regulator gets its own offices.
He explained that currently the Information Regulator is occupying four offices at the department of justice and constitutional development.
"The office has engaged the department of public works to source interim and permanent office space and a needs analysis has already been completed. Currently, we are squatting at the department of justice because we are still in the start-up phase."
According to Weapond, the waiting period for interim office space is four to six months and budget for office space is available.
The Information Regulator is still understaffed with the office looking to boost its human resources if it is to meet its goals, he noted.
"We are looking to get about 80 to 100 individuals during this first phase so we can be comfortable that all complaints and enquiries of all the South Africa public are sufficiently addressed in an appropriate time frame."
He explained that these individuals will mainly be tasked with spreading awareness about all the functions of the Information Regulator.
Because the Information Regulator does not have office space yet, Weapond said it will go through a phased approach to hiring new people. In a period of 12 months, the office will also be borrowing staff from other government departments, he added.
The Information Regulator is also looking to create some sub-committees in order to meet its mandate.
He noted that since they took office, there have been a lot of complaints coming through.
"That on its own underpins the importance of the work of the Information Regulator."
He pointed out that the Information Regulator has a five-year strategy plan which started in 2017 and will end in 2020. This plan has been completed and approved.
The other challenge is the budget, said Weapond. "There was a lot of criticism about the small budget that the regulator has but what we also need to appreciate is that when we start we need little money. But as we grow, we will need more money."
Besides the magnitude of the job facing the Information Regulator's office, it only has a R25 million budget.
"The budget allocation covers support and core functions of the Information Regulator and the budget is currently under control of the department of justice and constitutional development," he said.
Under POPI, companies face a fine of up to R10 million - or a decade in jail - if they breach its provisions, and could also encounter civil class-action lawsuits. However, the most damaging penalty will be reputational damage, because organisations will have to inform people if their data has been breached.
Nonetheless, Weapond said the Information Regulator will not be in a hurry to slap organisations with fines in the first two years. "We are still looking for organisations' buy-in and we are taking a friendly approach. However, we will be tougher after the grace period."