The State of POPIA Enforcement
The Protection of Personal Information Act (POPIA) came into full effect on 1 July 2021. Since then, the Information Regulator of South Africa has steadily increased its enforcement activity — issuing enforcement notices, conducting audits, and publicly naming non-compliant organisations.
The maximum penalty for contravening POPIA is a fine of up to R10 million or imprisonment of up to 10 years for responsible parties and Information Officers. More practically, the reputational consequence of a public enforcement notice is often more damaging than any fine.
Key Obligations Every Business Must Address
1. Designate an Information Officer
Every private and public body that processes personal information must designate an Information Officer (IO) and register them with the Information Regulator. The IO is personally accountable for POPIA compliance and must:
- Ensure compliance with POPIA conditions
- Handle requests for access to records under PAIA
- Liaise with the Information Regulator on compliance matters
Failure to register an IO is itself a contravention.
2. Document Your Processing Activities
You must be able to demonstrate that personal information is collected lawfully, for a specific purpose, and is not retained beyond that purpose. At minimum, you need:
- A Processing Register — every category of personal information, its purpose, legal basis, and retention period
- Data Subject Consents that are properly obtained and recorded
- Third-party operator agreements — operators (processors in GDPR language) must be bound by contract to process only as instructed
3. Implement Security Safeguards
Section 19 of POPIA requires responsible parties to secure the integrity and confidentiality of personal information through appropriate, reasonable technical and organisational measures. The Information Regulator’s guidance specifies:
- Access controls — role-based access, least privilege, MFA for systems holding personal information
- Encryption — in transit and at rest, proportionate to the sensitivity of the data
- Vulnerability management — regular patching, penetration testing, and vulnerability scanning
- Incident response — a documented and tested plan for responding to security compromises
4. Breach Notification
Section 22 requires that where there are reasonable grounds to believe that personal information has been compromised, the responsible party must notify:
- The Information Regulator as soon as reasonably possible
- Affected data subjects once a risk assessment is completed
Unlike GDPR’s 72-hour window, POPIA does not specify a fixed timeframe — “as soon as reasonably possible” is the standard. However, the Information Regulator expects this to mean days, not weeks.
Common Gaps We Find
Unregistered Information Officers remain the most common finding in our POPIA gap assessments. Many businesses appointed an IO internally but never completed the formal registration.
Third-party operator agreements are frequently absent or inadequate. Cloud providers, HR platforms, payroll systems, and marketing tools are all operators — each requires a binding written agreement.
Retention schedules are often vague or theoretical. If you cannot demonstrate that personal information is deleted or anonymised at the end of its retention period, you are not compliant.
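The processing register described above (category, purpose, legal basis, retention period) only demonstrates compliance if something actually enforces it. The following Python script is an added example, not code from the article or from Rhentech: it holds a constructed register and a few constructed stored records, flags every record whose retention period has ended (due for deletion or anonymisation), and separately flags any category held in storage that was never entered in the register, since no lawful basis or retention period can be shown for it. Field names, category names and dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


# Hypothetical processing-register entry: one row per category of personal
# information, with the fields the article lists. Names are assumptions.
@dataclass(frozen=True)
class RegisterEntry:
    category: str
    purpose: str
    legal_basis: str
    retention_days: int


# A stored record of personal information, reduced to what the check needs.
@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date


# Constructed sample register (not from any real organisation).
REGISTER = {
    e.category: e
    for e in (
        RegisterEntry("customer_contact", "order fulfilment", "contract", 365 * 5),
        RegisterEntry("marketing_prefs", "direct marketing", "consent", 365 * 2),
        RegisterEntry("cctv", "premises security", "legitimate interest", 30),
    )
}

# Constructed sample records held in storage.
RECORDS = [
    Record("r1", "customer_contact", date(2019, 3, 1)),
    Record("r2", "customer_contact", date(2023, 3, 1)),
    Record("r3", "marketing_prefs", date(2022, 1, 15)),
    Record("r4", "cctv", date(2024, 5, 1)),
    Record("r5", "payroll", date(2024, 1, 1)),  # category never registered
]


def _as_date(d):
    """Accept a date or an ISO-8601 string so callers need no datetime import."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def expiry_date(entry, collected_on):
    """Last day on which a record in this category may still be held."""
    return _as_date(collected_on) + timedelta(days=entry.retention_days)


def unregistered_categories(register, records):
    """Categories present in storage but absent from the processing register."""
    return sorted({r.category for r in records if r.category not in register})


def overdue_records(register, records, today):
    """IDs of records whose retention period ended before `today`."""
    today = _as_date(today)
    overdue = []
    for r in records:
        entry = register.get(r.category)
        if entry is None:
            continue  # reported by unregistered_categories instead
        if expiry_date(entry, r.collected_on) < today:
            overdue.append(r.record_id)
    return overdue


def retention_report(register, records, today):
    """Both findings an auditor would ask for, as one dict."""
    return {
        "overdue": overdue_records(register, records, today),
        "unregistered": unregistered_categories(register, records),
    }


if __name__ == "__main__":
    # With the constructed data and an audit date of 2024-06-01, r1, r3 and
    # r4 are past retention and "payroll" is held without a register entry.
    print(retention_report(REGISTER, RECORDS, "2024-06-01"))
```

Running the report on a schedule (and logging its output) is what turns a retention period on paper into something you can show the Information Regulator; the deletion or anonymisation step itself is deliberately left out here because it depends on where the records live.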
Cross-border transfers require explicit conditions to be met — either the recipient country has an adequate protection standard, or a binding agreement with equivalent POPIA protections is in place.
How Rhentech Supports POPIA Compliance
Our POPIA compliance programme delivers:
- Gap assessment against all eight POPIA conditions
- Processing register development and documentation
- Information Officer support — registration, training, and ongoing advisory
- Technical security audit — assessing your Section 19 safeguards
- Incident response planning — so breach notification is structured and timely
We combine legal knowledge with technical cybersecurity capability — giving your IO the tools they need to demonstrate genuine compliance, not just paperwork.
This article is for informational purposes. It does not constitute legal advice. Consult qualified legal counsel for compliance matters specific to your organisation.