The Information Regulator is signalling a firmer compliance and enforcement posture under both the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA), according to Ahmore Burger-Smidt, director and head of regulatory at Werksmans Attorneys.
In a commentary analysing the Regulator’s 2025/26 Annual Performance Plan (APP), Burger-Smidt says the programme has “immediate implications for governance, breach reporting, direct marketing, access-to-information workflows, and cross-border transfers”.
The APP was presented to Parliament’s Portfolio Committee on Justice and Constitutional Development on 5 May 2026. According to Burger-Smidt, the programme points not only to tighter enforcement of existing obligations, but also to a broader effort to strengthen the Regulator’s oversight powers and compliance toolkit through legislative reform, guidance notes, codes of conduct, own-initiative inspections, and follow-up monitoring.
PAIA: proposed amendments to expand the Regulator’s powers
PAIA – often treated by organisations as secondary to POPIA – is increasingly becoming an enforcement priority.
Burger-Smidt says the Regulator intends to initiate legislative amendments to PAIA during the 2025/26 financial year to empower it to issue PAIA regulations directly, modernise the legislation for a digital environment, and strengthen enforcement powers.
The proposed amendments are intended to address persistently weak compliance with PAIA reporting and procedural obligations.
The APP records that only 278 of 853 public bodies submitted PAIA annual reports during the 2023/24 reporting cycle – a compliance rate of about 33% – while private-body reporting compliance was even lower. Burger-Smidt says this has contributed to an “enforcement asymmetry” between PAIA and POPIA, because POPIA already has a more developed sanctions regime and an expanding track record of infringement notices, enforcement notices, and litigation.
Any legislative reform process will have to move through the Department of Justice and Constitutional Development, Cabinet processes, and Parliament, meaning implementation timelines will depend on broader government scheduling and legislative capacity.
The APP nevertheless points to increased regulatory activity under the existing framework. Burger-Smidt says organisations should expect more own-initiative PAIA assessments, inspections, and follow-up monitoring, focusing on PAIA manuals, request registers, annual reporting discipline, request-processing procedures, and the application of refusal grounds.
Much of this scrutiny is shifting towards “process hygiene” – whether organisations are following the correct procedures, maintaining current documentation, and retaining proper records.
The Regulator has already cautioned that the repealed PAIA “Form A” is no longer compliant, and requests should instead be made using a form substantially corresponding to “Form 2” under the 2021 PAIA Regulations. Inspectors have been testing websites and internal repositories for outdated forms, incomplete section 17 registers, and outdated manuals, with findings leading to remedial action.
Burger-Smidt also says the Regulator expects organisations to maintain a clear internal process for POPIA data-subject access requests and to align those operational processes with PAIA request handling so that requests are managed consistently and records are available for audit and complaint purposes. Although PAIA and POPIA are distinct statutory frameworks, organisations need coherent internal procedures spanning both regimes.
Breach reporting: portal submission and expectations on readiness
Security compromise reporting is another area where the APP points to tighter operational oversight.
Since 1 April 2025, all breach notifications have had to be submitted through the Regulator’s eServices portal rather than by email. Burger-Smidt says the Regulator also plans to consolidate technical and legal expertise dealing with breach matters, signalling more intensive scrutiny of incident management, notification quality, and organisational readiness.
The APP states that 2 374 security compromises were reported during 2024/25 and notes a 40% year-on-year increase in monthly notifications during early 2025/26. According to the commentary, this has prompted the Regulator to push organisations to improve technical and organisational safeguards and ensure timely, accurate notifications both to the Regulator and affected data subjects.
Burger-Smidt warns that failure to use the portal correctly, incomplete submissions, or delays in notification could expose organisations to procedural non-compliance and potential enforcement action.
Direct marketing: stricter compliance
Direct marketing is identified as another area where compliance expectations have changed materially following amendments to the POPIA Regulations that took effect on 17 April 2025.
According to the commentary, the amended regulations clarify objection and correction or deletion procedures, formalise complaint-handling timeframes, strengthen consent requirements for direct marketing, and require telemarketing interactions to be recorded and retained, with records to be provided to data subjects on request.
Burger-Smidt says the amendments significantly raise expectations around complaint-readiness, direct marketing governance, and evidence-keeping. She also notes that the Regulator appears interested in obtaining judicial clarity on whether live telemarketing calls fall within POPIA’s “electronic communications” provisions under section 69, suggesting that strategic litigation may continue to shape interpretation of the law.
Cross-border transfers: Guidance Note expected
The APP also points to increased regulatory attention on cross-border information transfers.
Burger-Smidt says the Regulator plans issuing a Guidance Note on transfers of personal information outside South Africa, influenced by frameworks such as the African Continental Free Trade Area’s Digital Trade Protocol and the African Union’s Digital Transformation Strategy. According to the commentary, the guidance will be advisory rather than legislative but is expected to set out expected diligence around transfer-impact assessments, contractual safeguards, and oversight of foreign processors.
The commentary suggests the likely direction of travel will resemble international practice under instruments such as Chapter V of the EU’s GDPR, UK Information Commissioner’s Office guidance and Canada’s accountability model under the Personal Information Protection and Electronic Documents Act.
Burger-Smidt says multinational organisations should therefore begin mapping cross-border data flows, identifying transfer mechanisms already in use and preparing for increased emphasis on contractual safeguards, destination-risk assessment, and transparency regarding foreign processing and potential public-authority access.
‘Gated access’ code of conduct
Another area singled out in the APP is processing at “gated accesses” such as estates, office parks, campuses, and retail centres.
The Regulator plans developing a Code of Conduct dealing with personal-information processing at controlled entry points in response to concerns about over-collection practices. The APP envisages a draft code being developed and approved during 2025/26, with finalisation expected during 2026/27.
Burger-Smidt says the proposed code is intended to standardise expectations around proportionality, data minimisation, retention and security, particularly in environments where visitors are routinely required to provide identity information.
She advises operators in sectors including property, retail, education, healthcare, and corporate campuses to undertake pre-emptive reviews of entry-point collection practices, including eliminating bulk identity-document scanning and open visitor logs, limiting collection to what is strictly necessary, and shortening retention periods.
Signals of assertive enforcement
To support her view that the Regulator is already moving towards more assertive enforcement, Burger-Smidt reviews a series of recent matters involving infringement notices, litigation and recovery proceedings.
These include a R5-million infringement notice issued to the Department of Justice and Constitutional Development following non-compliance with an enforcement notice linked to a ransomware incident; litigation over the publication of matric results; a R500 000 fine imposed on Blouberg Municipality for unlawful online disclosure of an employee’s personal information; and R100 000 infringement notices involving FT Rams Consulting and Lancet Laboratories, with Lancet having paid its fine after failing to notify both the Regulator and affected data subjects of security compromises.
Burger-Smidt also points to the Regulator’s settlement with WhatsApp over its 2021 privacy-policy update as an example of what she describes as “negotiated compliance outcomes” in platform-related disputes. The settlement included commitments to improve information provided to South African users and was intended to be made an order of court.
Strengthen compliance frameworks
Burger-Smidt says organisations should not wait for legislative amendments or court rulings before strengthening their compliance frameworks.
Among other things, she advises businesses to integrate the eServices portal into breach-response playbooks; audit direct-marketing consent, objection and call-recording processes; ensure PAIA manuals, request forms and registers comply with the 2021 regulations; map cross-border information flows ahead of the forthcoming Guidance Note; and review data-collection practices at controlled entry points before the gated-access code is finalised.
Burger-Smidt says uncertainty over legislative timelines and unresolved legal disputes should not delay investing in compliance. Instead, organisations should adopt “conservative, well-documented practices that will survive audit and litigation” while engaging in future consultations on the proposed guidance note and code of conduct.