By Savanna Stephens, Senior Associate, Tanya Chivaura, Associate, and Claire Franklyn, Consultant, Bowmans

Recently, there have been several notable developments in the data protection landscape in South Africa accompanied by a surge in activity within the office of the Information Regulator (Regulator).

Most significant among these are the Regulator’s 2026/27 Annual Performance Plan (APP) stakeholder engagement, the publication of the final regulations relating to the processing of data subjects’ health information by certain responsible parties in terms of the Protection of Personal Information Act 4 of 2013 (POPIA), and the Gauteng High Court’s hearing of an application for leave to appeal brought by the Regulator in relation to its attempt to stop the publication of matric results by media outlets.

2026/27 APP Stakeholder engagement – data protection and enforcement focus

On 5 March 2026, the Regulator held its APP stakeholder engagement for the upcoming 2026/27 financial year. During the session, the Regulator reported on the previous financial year’s activities and provided an overview of its enforcement priorities, its investigation and compliance monitoring strategy, and the guidance documentation and legislative updates anticipated for the year ahead.

Investigations and assessments

The Regulator emphasised that it has significantly intensified its investigations across both the public and private sectors, distinguishing between simple complaints (which are resolved through basic intervention) and complex complaints (which require deeper investigation, evidence-gathering, or expert analysis). Current investigations include:

  • 10 ongoing investigations triggered by complaints to the Regulator (section 76 of POPIA), focusing on insurance organisations, government departments, higher education institutions and local municipalities; and
  • 35 own-initiative assessments (section 89 of POPIA) in various sectors, including banking, insurance, retail, telecommunications and higher education, and across governmental entities, that are being finalised (with appropriate enforcement action being issued).

In keeping with the Regulator’s approach of ‘naming and shaming’ non-compliant entities, the Regulator disclosed the names of several entities that are subject to the Regulator’s own-initiative assessments, and set out its reasons for such assessments being conducted, including an influx of reported security compromises or complaints from data subjects.

These assessments reflect the Regulator’s focus on ensuring compliance with POPIA by high‑risk sectors with large customer bases and recurring security compromises.

Monitoring

The Regulator launched its compliance monitoring exercise to monitor and enforce compliance with the provisions of POPIA by both public and private bodies in various sectors (section 40 of POPIA). This new compliance monitoring exercise reflects a more structured and proactive approach to regulatory oversight.

Enforcement

The Regulator confirmed that it has intensified enforcement efforts across both the public and private sectors. A summary of recent enforcement action includes the following:

  • Lancet Laboratories, which was the subject of an enforcement notice and, subsequently, an infringement notice, with a fine of ZAR 200 000, for failing to comply with its reporting obligations in respect of several security compromises it had suffered;
  • Blouberg Municipality, which was the subject of an enforcement notice and, subsequently, an infringement notice, with a fine of ZAR 500 000, following an investigation by the Regulator into a complaint regarding the publication of financial disclosures. Following Blouberg Municipality’s failure to pay the fine and to comply with the directions of the underlying enforcement notice, the Regulator initiated court proceedings to recover the fine (section 109 of POPIA); and
  • FT RAMS Consulting, which was the subject of an enforcement notice and, subsequently, an infringement notice, with a fine of ZAR 200 000, following an investigation by the Regulator into unlawful direct marketing activities. Following FT RAMS Consulting’s failure to pay the fine and to comply with the directions of the underlying enforcement notice, the Regulator initiated court proceedings to recover the fine (section 109 of POPIA).

More enforcement action is coming

It is anticipated that there will be additional enforcement action taken, as there are currently several matters before the Regulator’s Enforcement Committee, including:

  • an investigation into OUTsurance’s direct marketing activities, which the Regulator indicated will be the test case for validating the Regulator’s position that telemarketing is subject to section 69 of POPIA (in line with the Guidance Note on Direct Marketing issued by the Regulator on 3 December 2024); and
  • investigations into Sanlam and the Companies and Intellectual Property Commission for certain alleged non-compliant activities.

Whilst the administrative fines imposed by the Regulator are lower in value than those imposed by data protection authorities in other jurisdictions, they demonstrate the Regulator’s growing assertiveness and robust approach to holding entities accountable for non-compliance with POPIA, and its increasing willingness to impose financial consequences for contraventions of POPIA.

Security compromises

There has been a dramatic rise in reported security compromises, increasing from 202 reported incidents in the 2021/22 financial year, to 2 374 reported incidents in the 2024/25 financial year, to 2 898 reported incidents, thus far, in the 2025/26 financial year.

The Regulator noted that this surge reflects both heightened cybercrime activity and improved organisational reporting, as the Regulator’s enforcement and awareness mechanisms increase.

Proposed upcoming legislative changes and guidance notes

The Information Regulator acknowledged the need to strengthen the provisions of POPIA arising from investigation and enforcement gaps observed in recent years, and to provide appropriate guidance to responsible parties on priority provisions.

Provisions of POPIA – The Regulator is reportedly in the process of submitting its proposed amendments to POPIA, which is currently under internal review, to the Minister for consideration. These amendments will purportedly:

  • remove the enforcement process under POPIA which affords responsible parties an opportunity to remedy non-compliance before any sanction can be imposed (ie responsible parties can immediately be sanctioned for contraventions of POPIA); and
  • address practical gaps that hinder effective enforcement, including in relation to penalties, investigative powers, and other regulatory tools.

Upcoming guidance notes – The Regulator indicated that it is in the process of developing a guidance note on conducting personal information impact assessments in terms of Regulation 4(1)(b) of the POPIA Regulations, and is finalising a guidance note on transborder flows of information (in terms of section 72 of POPIA).

The Regulator further indicated that it will prioritise the following in the 2026/27 financial year:

  • intensified investigations into non-compliance;
  • targeted assessments in high-risk sectors such as banking and financial services, insurance and health, retail, and telecommunications and social media; and
  • ensuring integrated, mature, and future-ready compliance by responsible parties.

Publication of matric results by media outlets

The Regulator addressed its ongoing matter in the High Court regarding the publication of matric results by newspapers and online media outlets.

In November 2024, the Regulator imposed a ZAR 5 million fine on the Department of Basic Education for contravening its notice not to publish matric results using examination numbers.

Following a challenge by the Department of Basic Education, the High Court found that there was no empirical evidence supporting the Regulator’s assertion that the publication of matric results breached the provisions of POPIA.

In its application for leave to appeal the High Court’s decision, the Regulator has reiterated its position that exam numbers constitute personal information and require parental or learner consent under POPIA prior to publication. The application for leave to appeal was heard on 12 March 2026, with the outcome still pending.

Update on the Code of Conduct for gated access

The Regulator confirmed that it is finalising its own-initiative Code of Conduct for Gated Access (Code). The Code aims to standardise access‑control practices across residential estates, complexes, security‑controlled residential areas, business or industry parks and other security‑controlled premises, ensuring that the collection of resident, office worker and visitor data complies with POPIA.

This includes the regulation of access control systems, biometric systems, visitor logs, CCTV and vehicle registration systems. The Regulator hosted a stakeholder engagement session on the Code on 5 March 2026 and is looking to finalise the Code by the end of March 2026.

According to the Regulator, this forms part of its shift towards more proactive compliance monitoring, with the Code expected to close longstanding gaps in how personal information is managed in these high‑volume access environments.

Publication of the final Regulations relating to the processing of data subjects’ health information by certain responsible parties

On 6 March 2026, the Regulator published the final Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, following the release of the draft Regulations in September 2025.

The draft Regulations attracted a number of submissions and criticisms, many of which seem to have been taken into account.

Key takeaways

  • Investigations, own‑initiative assessments and compliance monitoring by the Regulator will likely intensify across both the public and private sectors, particularly in the abovementioned high‑risk sectors with large customer bases.
  • The Regulator’s expedited complaint‑processing timeframes (ie 70% of simple complaints resolved within three months, and 50% of complex complaints to be resolved in at least three months) will significantly narrow the response window traditionally available to organisations, thereby heightening the probability of matters progressing more quickly to formal enforcement.
  • The Regulator will continue with its robust approach to ‘name and shame’ non‑compliant entities, increasing reputational risk alongside possible sanctions.
  • The Regulator has signalled a marked shift toward more frequent administrative fines and corrective measures, underscoring that the period of leniency and ‘education first’ engagement has come to an end.
  • The proposed amendments to POPIA may strengthen the Regulator’s investigative and enforcement powers, creating a more stringent compliance environment for responsible parties.

Overall, these developments signal a more assertive, proactive and less tolerant regulatory environment, requiring that entities increasingly treat POPIA compliance as an ongoing operational and governance priority.
