The PoPI Act: How’s that going?

The Protection of Personal Information Act has been in force for four years, which makes now the right time to ask how companies are tackling compliance and technology.

01 June 2025

Rowan Terry

The Protection of Personal Information (PoPI) Act has changed since its inception four years ago. As of 2024, the Information Regulator had intensified enforcement, issuing at least seven enforcement notices for non-compliance. The notices were issued to the Department of Justice and Constitutional Development for failing to implement adequate security measures as required by the Act; the South African Police Services for failing to implement technical safeguards; Dis-Chem Pharmacies for breaching multiple PoPI Act sections with regard to data security and third-party management; FT Rams Consulting for breaching direct marketing rules; Lancet Laboratories for failing to notify data subjects of security compromises; the Electoral Commission for the inadequate protection of personal information; and TransUnion for failing to secure personal information.

The Act itself has undergone several permutations since the start, particularly with amendments in 2025, which have been designed to modernise and strengthen data protection. The definitions themselves have been clarified – words such as “complainant”, “complaint” and “relevant bodies”, for example, have been introduced to simplify understanding and interpretation of the Act. Data subjects, meanwhile, now have more ways of objecting to their information being processed and can request corrections. Changes have also been made to the roles and responsibilities of information officers. Ongoing amendments are expected over the coming years, including a Security Compromise Reporting Portal and new guidance around cross-border data transfers.
