The Protection of Personal Information (PoPI) Act has changed since its inception four years ago. As of 2024, the Information Regulator had intensified enforcement, issuing at least seven enforcement notices for non-compliance. The notices were issued to the Department of Justice and Constitutional Development for failing to implement adequate security measures as required by the Act; the South African Police Services for failing to implement technical safeguards; Dis-Chem Pharmacies for breaching multiple PoPI Act sections with regard to data security and third-party management; FT Rams Consulting for breaching direct marketing rules; Lancet Laboratories for failing to notify data subjects of security compromises; the Electoral Commission for the inadequate protection of personal information; and TransUnion for failing to secure personal information.
The Act itself has undergone several revisions since the start, particularly with amendments in 2025 designed to modernise and strengthen data protection. The definitions have been clarified – terms such as “complainant”, “complaint” and “relevant bodies”, for example, have been introduced to simplify understanding and interpretation of the Act. Data subjects now have more ways of objecting to the processing of their information and can request corrections, and the roles and responsibilities of information officers have changed. Further amendments are expected over the coming years, including a Security Compromise Reporting Portal and new guidance on cross-border data transfers.
The challenge for many companies is that even though the law has been in force since 1 July 2021, they’re still struggling to achieve compliance. These struggles stem from the changing nature of compliance, the risk posed by third-party service providers, the rise of AI, and the need to align with international data protection regulations.
Over the past year, in addition to the enforcement notices, there have been hundreds of cyber incidents reported, including high-profile breaches in the healthcare and retail sectors. Michaelson’s Attorneys has highlighted a surge in direct marketing complaints to the Information Regulator, who is said to be preparing draft guidance, as well as challenges when it comes to managing and auditing third-party processors for compliance.
The intersection of the PoPI Act and AI is also a growing area of concern. According to the South African Journal of Information Management, while the Act’s principles align with the concepts of personal information protection, there are challenges when it comes to the dynamic risks brought about by AI. These include algorithmic bias, transparency and automated decision-making, which underscore the need to develop AI-specific guidelines and audits that are designed to detect bias and enhance transparency. Companies have to invest in compliance that allows them to remain in line with local and international laws, such as the EU’s GDPR, and undertake regular audits, ongoing education, and best practice security checks.
But first, they have to manage and measure their compliance accurately, in line with these changing standards. According to Rowan Terry, senior legal counsel at TPN Credit Bureau, prevention starts with awareness.
“Staff have to fully understand which information qualifies as personal and why they’re collecting it, and how they should handle this information responsibly,” he says. “We ensure that we only collect information that’s necessary, obtain clear and written consent for processing any person’s personal information, keep personal information held by the business up to date, and store all personal information securely.” TPN has its own compliance tool, the PoPI-Portal, which has been designed for the property industry and gives practitioners and landlords a centralised system to manage compliance documents, update risk assessments and store policies.
The South African credit bureau CPB uses a centralised and secure data storage platform that includes layered access controls, endpoint monitoring and operator-level audit trails. Alain Craven, its head of IT, says the system enforces role-based permissions, and uses multifactor authentication and anomaly detection to protect sensitive data. It also makes use of vulnerability scans, patch management and cyber-resilience tools.
But compliance isn’t something that a single tool can manage. Data loss prevention platforms, endpoint protection, patch management, access control and user activity monitoring tools have to be paired with policies, employee training, and a business culture that prioritises data privacy.
“It starts with embedding a culture of awareness,” says Craven. “Technical controls are important, but people are often the weakest link. We maintain rigorous onboarding and ongoing verification of access rights, with regular staff assessments on data handling protocols.” He says CPB also uses a zero-trust framework that assumes breach and focuses on containment, access control and auditability.
Managed security services provider Galix has an information office that monitors the Act’s requirements and compliance in the business. Ryan Boyes, the company’s governance, risk, and compliance officer, says there are internal assessments to review how personal information is collected, stored and used. “The hardware and software we use are a mix to ensure compliance, which includes Azure for cloud, Wazuh for threat detection monitoring and incident response, and BitLocker for encryption.” The goal is to create a layered and risk-based security posture.
If an organisation intends to share its consumer data with a third party, it has to ensure it’s compliant with the collection, handling and sharing of the information. “Consumer consent is foremost, then it’s key to ensure that the data has been de-identified so all personally identifiable information (PII) has been removed before it leaves the data owner’s environment,” says Anton Grutzmacher, co-founder of Omnisient. If data is to be shared, he recommends it should be within a secure and neutral data collaboration environment. This ensures that PII doesn’t change hands or end up in the possession of a third party.
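Grutzmacher’s point about de-identifying data before it leaves the data owner’s environment, shown as an added example (this is not code from the article, from Omnisient, or from any other company named here). The record layout, field names, sample tenants and pseudonymisation key are all constructed for illustration. The approach: drop direct identifiers outright, replace the national ID number with a keyed pseudonym under a secret that stays with the data owner, generalise quasi-identifiers such as date of birth and postcode, and run a release gate that refuses to hand anything over if a PII pattern survives.

```python
"""De-identify records before they leave the data owner's environment.

Added example, not code from the article or from any company it names.
Field names, sample tenants and the key are constructed for illustration.
"""
import hashlib
import hmac
import re
from datetime import date

# Direct identifiers: removed outright from anything that is shared.
DIRECT_IDENTIFIERS = {"full_name", "email", "phone", "street_address"}

# The pseudonymisation key never leaves the data owner (constructed value).
OWNER_PSEUDONYM_KEY = b"constructed-owner-secret-rotate-me"

# Fixed reference date so the age bands below are reproducible.
REFERENCE_DATE = date(2025, 6, 30)

# Constructed sample tenant records in the shape a property practitioner
# might hold (hypothetical; the formats are not taken from the article).
SAMPLE_RECORDS = [
    {"full_name": "Thandi Mokoena", "id_number": "9001015800087",
     "email": "thandi@example.test", "phone": "+27 82 000 0000",
     "street_address": "12 Example Rd", "postcode": "2196",
     "date_of_birth": "1990-01-01", "rent_paid_on_time": True},
    {"full_name": "Pieter van Wyk", "id_number": "8507205012089",
     "email": "pieter@example.test", "phone": "+27 83 000 0001",
     "street_address": "7 Sample Ave", "postcode": "7700",
     "date_of_birth": "1985-07-20", "rent_paid_on_time": False},
]


def pseudonymise(id_number: str, key: bytes = OWNER_PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: the same person always maps to the same
    token, so the owner can re-link results, but a third party without the
    key cannot brute-force the 13-digit ID back out the way it could with a
    plain unsalted hash. The 't_' prefix marks the value as a token."""
    digest = hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()
    return "t_" + digest[:32]


def age_band(dob_iso: str, today: date) -> str:
    """Generalise an exact date of birth to a 10-year age band."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def de_identify(record: dict, today: date) -> dict:
    """Return the shareable view of a single record."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = pseudonymise(out.pop("id_number"))
    out["age_band"] = age_band(out.pop("date_of_birth"), today)
    out["postcode_area"] = out.pop("postcode")[:2] + "xx"  # coarsen postcode
    return out


# Release-gate patterns (constructed; tuned to the sample formats above).
_PII_PATTERNS = [
    re.compile(r"\b\d{13}\b"),                    # 13-digit ID number
    re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),      # e-mail address
    re.compile(r"\b\+?\d[\d\s-]{8,}\d\b"),        # phone number
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),         # full date of birth
]


def contains_pii(record: dict) -> bool:
    """True if a direct-identifier field survived or any value still
    matches one of the PII patterns."""
    if DIRECT_IDENTIFIERS.intersection(record):
        return True
    return any(p.search(str(v)) for v in record.values() for p in _PII_PATTERNS)


def prepare_for_sharing(records: list, today: date = REFERENCE_DATE) -> list:
    """De-identify every record and refuse to release if the gate fails."""
    shared = [de_identify(r, today) for r in records]
    leaked = [r for r in shared if contains_pii(r)]
    if leaked:
        raise ValueError(f"{len(leaked)} record(s) still contain PII; not releasing")
    return shared


if __name__ == "__main__":
    for row in prepare_for_sharing(SAMPLE_RECORDS):
        print(row)
```

The gate is deliberately a second, independent check rather than trusting the field list: if a new column carrying an e-mail address or ID number is added upstream, `prepare_for_sharing` fails closed instead of leaking it. Pseudonymisation keyed with an owner-held secret is what makes the token reversible only inside the owner’s environment, which is the property Grutzmacher describes.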
And, as Neda Smith, CEO and founder of Agile Advisory Services, asks, why is the data being collected in the first place? “Most companies collect more than they need without understanding the risk,” she says. “You need to understand your data landscape, implement role-based access, and ensure your third-party vendors are included in your privacy oversight. Many breaches are because a supplier was compromised, and you need to remember that the reputational and legal risk still lands with you.”
Regardless of the system, the software, the hardware or the approach, companies must ensure their staff are trained to validate information, double-check that collection processes are in line with the law, identify which information has to undergo further processing, and implement role-based access controls so only authorised people handle sensitive information. Technical tools will help detect anomalies, improve data flows, identify issues and manage compliance protocols, but people have to work in tandem with these tools to ensure PoPIA compliance is maintained.
* Article first published on brainstorm.itweb.co.za