If your organisation has not yet complied with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA), you are exposing yourself to significant legal, financial, and reputational risks.
The time for leniency has passed. The Information Regulator is actively monitoring and enforcing POPIA and PAIA.
Non-compliance is not an option
Failure to appoint and register an Information Officer
If you have not appointed and registered an Information Officer (IO) with the Information Regulator, you are already in breach of both POPIA and PAIA.
The IO is legally responsible for your organisation’s compliance. Ignoring this requirement is a direct violation of the applicable legislation.
Incomplete or outdated PAIA manual
Every public and private body must have a PAIA manual that is up-to-date and accessible to the public. This manual must include information required by POPIA. If your manual is missing, incomplete, or outdated, you are in breach and this is easily verifiable by the Information Regulator.
Failure to submit an annual report
Annual reporting is not optional. If you have not submitted your PAIA report for the current year (Section 32 for public bodies, Section 83(4) for private bodies), you are in clear violation of the Act. The Information Regulator’s systems track these submissions and failure to comply is a red flag for enforcement action.
Lack of security measures and record keeping
If you have not implemented adequate security safeguards to protect personal information, you are at risk. Data breaches and complaints are on the rise and the Information Regulator has the power to investigate and impose substantial penalties.
Ignoring data subject and access requests
Failing to respond to requests from individuals for access to, correction, or deletion of their personal information is a direct contravention of both POPIA and PAIA.
These requests are a right, not a privilege, and your organisation must be prepared to handle them.
The Consequences: fines, criminal charges, and reputational damage
- Financial penalties: the Information Regulator can impose fines of up to R10 million for serious breaches.
- Criminal liability: non-compliance can result in criminal charges, with the possibility of imprisonment for up to 10 years.
- Reputational harm: public enforcement actions and data breach notifications can severely damage your organisation’s reputation and erode customer trust.
- Business disruption: regulatory investigations and enforcement actions can disrupt your operations, leading to loss of business and legal costs.
The Information Regulator is watching
The Information Regulator has made it clear: ignorance is no excuse. It is empowered to conduct audits, investigate complaints, and take enforcement action against non-compliant organisations. Recent years have seen an increase in enforcement activity.
If you have not yet complied with POPIA and PAIA, you must take immediate steps to:
- appoint and register your Information Officer;
- compile, update, and publish your PAIA manual;
- submit your annual PAIA report by 30 June 2025;
- implement robust security and data protection measures;
- train your staff and ensure everyone understands their obligations.
Do not wait for a complaint, a data breach, or a visit from the Information Regulator. The risks are real and the consequences of inaction are severe. Compliance is not just a legal requirement, it is essential for the survival and integrity of your organisation.
For further information or assistance, please contact Ryszard Lisinski and/or Brett Weinberg.
