POPIA in Practice: What the Latest Developments Mean for South African Businesses
In the initial years following the commencement of the Protection of Personal Information Act No. 4 of 2013 (POPIA), the Information Regulator adopted a measured approach, focusing primarily on education, awareness, and cooperative engagement with responsible parties. This period was marked by a willingness to guide organisations toward compliance rather than penalise them for missteps.
However, this approach has shifted significantly in recent years, and the Information Regulator has increasingly asserted its authority and taken a more proactive approach to its enforcement of the Act. Given the recent developments, businesses would do well to make the shift from treating POPIA as a compliance checkbox to treating compliance as a regulatory priority. As POPIA evolves, the costs of complacency are rising, making it crucial for businesses to stay updated and reassess their policies and practices as soon as possible.
Some of the key POPIA developments and what these mean for South African businesses are discussed below.
Data Belongs to the Data Subject
POPIA entrenches the principle that personal information belongs to the individual, not the business that processes it, thereby imposing specific obligations on businesses to handle such personal information responsibly. As confirmed by the Gauteng High Court in Discovery Ltd v Liberty Group 2020 (4) SA 160 (GJ), even information that has been generated by a business based on an individual’s participation in a loyalty or wellness programme is considered that individual’s property. Organisations must not treat personal information as a commercial commodity to be freely exploited; instead, they must adhere to their responsibilities as set out in POPIA and be aware of the potential consequences if this information is not processed lawfully.
Direct Marketing Under Scrutiny
The Information Regulator issued its first enforcement notice for direct marketing non-compliance in February 2024. FT Rams Consulting was accused of sending unsolicited direct marketing emails despite the data subject opting out multiple times and requesting removal from the company’s mailing list. The Information Regulator determined that the company had breached the conditions for the lawful processing of personal information by interfering with the protection of personal information of the data subject and, further, that it had violated section 69 of POPIA which regulates direct marketing by means of unsolicited electronic communications. FT Rams Consulting was ordered to cease sending unsolicited emails, to use the Information Regulator’s prescribed consent form, and to build a database of data subjects who had not consented to direct marketing and who had previously opted out. Failure to comply with the enforcement notice could result in fines of up to R10 million or imprisonment for up to ten years.
In December 2024, the Information Regulator published a Guidance Note on Direct Marketing, which emphasised that before sending direct marketing via electronic means (e.g., email, SMS, or automated calls) the data subject’s informed, specific, and voluntary consent must be obtained. Additionally, the Guidance Note stated that only one unsolicited message may be sent for the purpose of requesting such consent, and if no response is received, no further messages may be sent unless and until the data subject opts in.
Data Breaches and Cybersecurity
In April 2025, the Information Regulator launched an e-Services Portal for mandatory reporting of data breaches. This online system is now the official channel for submitting notifications of security compromises that have been experienced by businesses. It brings South Africa closer to global best practices by enabling faster, more transparent regulatory oversight.
The most significant enforcement action to date came in July 2023, when the Department of Justice was fined R5 million for failing to renew key cybersecurity software, exposing sensitive personal data. This case makes it clear that POPIA compliance is not just about paperwork – it demands proactive investment in security measures to ensure the integrity and confidentiality of personal information in a business’s possession or under its control.
New Powers and Obligations for Information Officers
Amendments to POPIA’s Regulations, effective from 17 April 2025, simplify how data subjects can object to processing of their personal information, request deletion thereof, or opt out of receiving marketing communications. The amendments also introduce new obligations for Information Officers, and allow administrative fines to be paid in instalments, thereby acknowledging financial realities whilst maintaining accountability.
Balancing Privacy and Transparency
The Constitutional Court in Arena Holdings (Pty) Ltd t/a Financial Mail and Others v South African Revenue Service and Others 2023 (5) SA 319 (CC) ruled that certain provisions limiting public access to tax records were unconstitutional. This judgment reiterates that privacy rights are not absolute and must be balanced against the public interest. Businesses should therefore not assume that POPIA automatically shields all information from disclosure.
AI, Ethics, and the Digital Frontier
In April 2025, the Information Regulator announced plans to address ethical use of AI and automated decision-making. This signals a growing focus on emerging technologies that use personal information in complex, opaque ways. Businesses adopting AI tools – whether for recruitment, customer profiling, or marketing – should prepare for future compliance obligations specific to algorithmic data processing.
Reputational and Legal Risk Are Real
Recent developments – including the issuance of enforcement notices, imposition of administrative fines, and the launch of formal breach reporting mechanisms – signal a more assertive regulatory stance. The Information Regulator now expects organisations to comply actively and continuously; ignorance or inaction is no longer tolerated. This evolution reflects the maturing of South Africa’s data privacy regime, where support and education are giving way to accountability and enforcement.
Given these changes, it is crucial to assess, update, and future-proof your data governance frameworks. This is necessary not only to meet regulatory standards, but also to build public trust in an increasingly privacy-conscious market.
Our team is ready to assist with guidance on assessing your POPIA compliance or implementing a privacy-by-design strategy.
June 11 2025