Compliance report

Regulatory compliance report

The IRCC oversees the discharge of regulatory compliance responsibilities. The Committee monitors, assesses, researches and reports on the regulatory environment in which the Group operates. The IRCC reports to the ARCC.

The process of compliance management encompasses:

  • identifying and prioritising all Acts and regulations at a national level applicable to Blue Label;
  • incorporating regulatory requirements into control measures such as standard operating procedures, processes, manuals and policies;
  • recommending corrective measures or steps to ensure compliance; and
  • monitoring compliance by assessing the adequacy and effectiveness of those control measures.

The risk of non-compliance is being managed through:

  • the annual review and update of the Group regulatory universe;
  • the compilation of compliance risk management plans for high-risk legislation; and
  • the continuous monitoring of the regulatory environment.

The regulatory environment changes constantly. We proactively contribute to and manage our regulatory environment by taking care of the interests of all our stakeholders and clients.

The information below summarises the status of the top three pieces of legislation within the Group:

Protection of Personal Information Act, 2013 (POPIA)

POPIA gives effect to section 14 of the Constitution, which provides that everyone has the right to privacy. The Act promotes the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights, such as the right of access to information. POPIA has been implemented incrementally. The President proclaimed 1 July 2020 as the commencement date of the operative sections of the Act, with a 12-month grace period for compliance. These are sections 2 to 38, which deal with the application of POPIA, the conditions for lawful processing of personal information and the exemptions from those conditions, and sections 55 to 109, which regulate the following aspects:

  • The information officer
  • Prior authorisation
  • Codes of conduct
  • Data subject’s rights in terms of direct marketing
  • Trans-border information flow
  • Enforcement
  • Offences, penalties and administrative fines
  • Fees and transitional arrangements.

Sections 111 and 114(1), (2) and (3) of POPIA also became effective on 1 July 2020, with the compliance deadline being 30 June 2021. Sections 110 and 114(4) commence on 30 June 2021; these sections deal with the amendment of other laws and the transfer of the South African Human Rights Commission's functions under the Promotion of Access to Information Act (PAIA) to the Information Regulator.

The following POPIA initiatives have been implemented to ensure compliance at 30 June 2021:

  • Group Compliance Framework has been developed;
  • POPIA information sessions have been presented to the various subsidiaries/stakeholders;
  • POPIA questionnaires have been completed;
  • POPIA-related policy documents have been prepared/updated;
  • POPIA Committee established to meet monthly;
  • POPIA Control Risk Management Plan has been completed to assist in risk management;
  • PAIA manuals are being developed/updated; and
  • POPIA impact assessments have been prepared to perform gap analyses.

Disaster Management Act, 57 of 2002

The Disaster Management Act is the statute under which the national state of disaster was declared and the regulations governing the COVID-19 pandemic were issued. The Group’s governance framework supports a secure and safe working environment.

Because of the impact of the COVID-19 pandemic, the Act was elevated to a critical piece of legislation in 2021. COVID-19 risk assessments were performed and mitigating controls were implemented, including all compliance requirements in terms of the Disaster Management Act.

A task team was established which kept the Board abreast of COVID-19-related matters. We introduced the necessary protocols and materials to protect our employees and stakeholders. A concerted drive was undertaken to encourage employees to work off site and thus reduce the risk of infection. Mandatory digital employee awareness campaigns were rolled out to educate staff on COVID-19 prevention and detection measures.

The COVID-19 pandemic presented one of the biggest challenges since our inception but it also gave us an opportunity to adapt and think differently.

Cyber Crimes Act 19 of 2020

The Cyber Crimes Act, which seeks to bring SA’s cyber security laws in line with the rest of the world, has been signed into law by President Cyril Ramaphosa.

BLT operations rely heavily on technology platforms to facilitate service delivery, which increases the Group’s exposure to cybercrime. It is thus of critical importance to maintain the integrity and stability of key IT systems in order to protect stakeholder interests against increasingly sophisticated, targeted attempts at digitally assisted fraud. Combating such fraud is one of the main objectives of the Cyber Crimes Act.

Examples of data messages deemed harmful by the new law include those which incite violence or damage to property, those which threaten a person with violence or damage to property, and those which contain an intimate image. Other offences include cyber fraud, cyber forgery, cyber extortion and theft of incorporeal property.

The unlawful and intentional access to a computer system or computer data storage medium is also an offence, as are the unlawful interception of data and unlawful interference with data.

This creates a broad ambit for the application of the Cyber Crimes Act, which defines ‘data’ as electronic representations of information in any form. It is notable that the Act does not define ‘cybercrime’ but instead creates a number of specific offences such as those canvassed above. The Cyber Crimes Act will be of particular importance to electronic communications service providers and financial institutions, as it imposes obligations on them to assist in the investigation of cybercrimes; for example, by furnishing a court with certain particulars, which may involve handing over data or even hardware on application. There is also a reporting duty on electronic communications service providers and financial institutions: where an offence under the Act has been committed on their networks or systems, they must report it to the South African Police Service without undue delay and, where feasible, within 72 hours of becoming aware of it, and must preserve any information that may assist the investigation. A failure to report may lead to the imposition of a fine not exceeding R50 000.

A person who is convicted of an offence under the Cyber Crimes Act is liable to a fine or to imprisonment for a period of up to 15 years, or to both a fine and such imprisonment, as may be ordered in terms of the offence.

There is a certain amount of overlap between this Act and POPIA. One of the conditions for lawful processing in terms of POPIA is security safeguards, which requires the responsible party to secure the integrity and confidentiality of the personal information in its possession or under its control. POPIA prescribes this to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of it. POPIA also creates a reporting duty on the responsible party: where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person (a data breach), the responsible party must notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovery of the compromise.

Training programmes will be rolled out during FY2022 to increase awareness of this legislation.