Our last blog post detailed serious challenges associated with the Protection of Personal Information (PoPI) Act compliance. This post explains some additional issues:

Avoiding ‘Regulatory Paradox’

PoPI clearly requires insurers to reduce the nature and volume of personal information they hold and retain, in order to protect customers’ privacy. Paradoxically, though, regulators generally are requiring insurers to retain more and more customer data, to identify anti-money laundering, fraud, terrorist funds (FICA), etc. How will insurers find ways to resolve this paradox in a compliant manner?

Tracking Third Parties

The insurer must, in terms of a written contract, ensure that a third-party (operator) processing data on behalf of the responsible party establishes and maintains the required security measures. The third-party must:

  • Process personal information only with the responsible party’s knowledge, or authorisation, and must not disclose it unless required by law (or in the proper performance of their duties).
  • Immediately notify the responsible party where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Under PoPI, a written agreement relating to third-party access to personal information and customer consent is normally required, but not necessary in all circumstances. Insurers who offer customers access to their data via self-service capabilities and give third parties access to data must be able to track whenever and wherever personal data has been accessed, no matter the channel.


The regulator and data subjects must be informed, within a ‘reasonable timescale’, where there has been a breach of personal information. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is more than just losing personal data; it includes any misuse, hacking, data sales, or any unauthorised use.

The regulator may direct that a data breach can be publicised if there are reasonable grounds to believe that publicity would protect an affected customer.

A breach may come to light via:

  • The individual ‘data subject’, via a complaint to the information regulator
  • The insurers – there is a PoPI requirement for organisations to notify the information regulator and the data subjects of any compromises of their personal information
  • The information regulator where s/he has initiated a review or investigation of an organisation’s compliance, which s/he is empowered to do under PoPI

For additional information, please check out our white paper: PoPI Challenges and Solutions for South African Insurers. It examines the difficulties facing insurers on the road towards full PoPI compliance, as well as some opportunities that will likely result from the regulations, and how insurers can maximise those opportunities.

Read more about Sapiens’ insurance software and related Sapiens’ solutions.

  • data privacy
  • data security
  • insurance fraud
  • insurers
  • Personal information
  • PoPI
  • regulation
  • South Africa
  • third party
Brian Heale

Brian Heale Brian Heale is a senior insurance consultant with Sapiens. He is an international insurance, risk, product, and technology specialist, with significant experience in strategic product management, developing core administration/BPO and actuarial/risk modelling solutions for the global insurance industry. He possesses in-depth knowledge of the South African and UK markets and the major regulatory initiatives, including PoPI, GPDR, RDR, IFRS 17, and Solvency II.