Skip to content

South Africa: Information Regulator shows its teeth and conducts an increasing number of assessments

31 May 2023
– 3 Minute Read


Share on LinkedIn

Since the Protection of Personal Information Act (POPIA) became enforceable, the Information Regulator has actively been taking steps to monitor and enforce its provisions.

During the 2022-2023 financial year, the Information Regulator received 895 complaints relating to POPIA, which was a 30% increase on the 544 complaints received in the previous financial year. In addition, the Information Regulator has vigorously been conducting assessments in respect of various sectors, including the retail sector, either on its own initiative or in an effort to address the surge in the number of complaints received against organisations in those sectors. The assessments, to date, have resulted in two enforcement notices being issued.

In terms of POPIA, every responsible party (i.e. a public or private body that determines the purpose of and means for the processing of personal information) is required to ensure it is compliant with the provisions of POPIA. The Information Regulator has extensive powers to monitor and enforce compliance, to handle and investigate complaints, and to conduct an assessment of a public or private body to ascertain whether or not personal information is being processed according to the conditions for lawful processing of personal information under POPIA.

Organisations accordingly need to make sure that if the Information Regulator pays them a visit, they are fully compliant with their obligations under POPIA. The consequences of non-compliance are significant and may include enforcement proceedings which may, in turn, result in administrative fines of up to ZAR 10 million, civil liability or even imprisonment in certain circumstances.

Typically, during these assessments, the Information Regulator requires organisations to produce the following to demonstrate compliance with POPIA:

  • a copy of the appointment letters and registration certificates of the information officer and deputy information officers (if applicable);
  • a copy of the organisation’s manual implemented in terms of the Promotion of Access to Information Act;
  • a copy of the organisation’s POPIA compliance framework and impact assessment;
  • copies of processing / privacy notices applicable to the various categories of data subjects whose personal information is processed;
  • a summary of the type of personal information that is processed and the purposes for the processing;
  • proof that employees have been provided with training on the application of POPIA;
  • proof that there are adequate security safeguards in place to avoid data breaches as well as any incident response plans;
  • a copy of the organisation’s records retention policy, if any;
  • information regarding the manner in which the organisation conducts direct marketing or makes use of cookies; and
  • information regarding the transborder flow of personal information.

These assessments include physical inspections, the review of documents and interviews with staff members. We would accordingly encourage all organisations to ensure that they are fully compliant with the provisions of POPIA before the Information Regulator comes knocking.