In response to an Enforcement Notice issued by the Information Regulator of South Africa to Dis-Chem, following a data breach which occurred in May 2022, Dis-Chem has disputed the accuracy of the allegations.
Dis-Chem in a statement confirmed that it has already responded to and actioned all orders contained in the Enforcement Notice and will report to the regulator within 31 days as requested.
The regulator disclosed on Friday that an enforcement notice was issued to Dis-Chem for violating POPIA.
The company confirms that the data held by the third-party provider was restricted to mailing details only and did not contain any sensitive medical, financial, or banking information. The provider can never have access to this type of information.
Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required POPI guidelines to ensure that customers were immediately made aware of the breach. A formal notice was published on the Dis-Chem website and a media statement was released nationally.
Dis-Chem says the allegation that it did not implement an adequate Incident Response Plan by implementing the Payment Card Industry Data Security Standard (PCI DSS) has no bearing at all and is irrelevant to the enforcement notice. Dis-Chem is fully PCI DSS compliant, and the third-party provider has no access to or involvement in card payments.
“Following the data breach, Dis-Chem implemented all necessary steps and protocols to control access to the database and isolate the threat.”
The company added that it has responded to the regulator via written communication on all concerns raised.
“It has, and will, continue to work with the regulator to ensure full compliance on any relevant and accurate areas of concern.
“Dis-Chem has always been acutely aware of the critical nature of securing data and makes data protection an absolute priority.”