The Protection of Personal Information Act 4 of 2013


[31 May 2025]

As of April 1, 2025, all security compromises must be reported through the Information Regulator’s (IR) eServices portal. This new requirement, mandated by section 22(1) of the Protection of Personal Information Act, makes it compulsory to use the online system for all such reports. The IR has published a detailed, step-by-step guide on their portal to assist Information Officers (IOs) with registration and the submission process.

[25 April 2025]

Amendments to the Protection of Personal Information Act Regulations took effect on 17 April 2025, as announced by the Information Regulator.

Protection of Personal Information Amendment Regulations 21 January 2025

Direct marketers face tougher regulations under the recent amendments.

Request for a data subject’s consent to process personal information for direct marketing through unsolicited electronic communication.

6.1. A responsible party who wishes to process the personal information of a data subject for the purposes of direct marketing through unsolicited electronic communication must in terms of section 69(2) of the Act obtain written consent from a data subject on a form substantially similar to Form 4 or in any manner that may be expedient, free of charge and reasonably accessible to a data subject, including-

6.1.1. email;

6.1.2. telephonically;

6.1.3. SMS or WhatsApp;

6.1.4. facsimile;

6.1.5. automated calling machine.

6.2. A request for a data subject’s consent to the processing of his, her, or its personal information as referred to in sub-regulation 6.1 above by telephonic means must be electronically recorded by a responsible party and such recording must, upon request, be made available to a data subject in any manner, including the transcription thereof which must be free of charge.

6.3. A request for a data subject’s consent to the processing of his, her, or its personal information as referred to in sub-regulation 6.1 by an automated calling machine must be electronically recorded by the responsible party and such recording must, upon request, be made available to a data subject in any manner, including the transcription thereof which must be free of charge.

6.4. For the purposes of direct marketing through unsolicited electronic communications, opt-out shall not constitute consent as referred to in section 69(2) of the Act.

[6 December 2024]

The Information Regulator has issued a guidance note on processing personal information for direct marketing. This includes unsolicited non-electronic communications under Section 11 and unsolicited electronic communications under Section 69 of POPIA.

Guidance Note on Direct Marketing in terms of the Protection of Personal Information Act 4 of 2013

[16 October 2023]

Information Regulator Presentation on its Annual Report 2022-23

[5 July 2023]

The public has a chance to weigh in on how personal information is used in direct marketing! The Direct Marketing Association of South Africa (DMASA) proposed a code of conduct, and the Information Regulator is accepting written comments until July 14th, 2023. You can submit your thoughts to POPIACompliance@inforegulator.org.za.

DMASA Code of Conduct

[20 February 2023]

The Information Regulator is seeking public input on its proposed guidelines for how enforcement cases are brought before the Enforcement Committee. These guidelines, called the “Rules of Procedure,” explain the process for submitting matters related to the Protection of Personal Information Act (POPIA).

The deadline to submit comments is March 24, 2023. You can send your feedback to the Chief Legal Officer, Mr. Jaco Jansen, at JJJansen@infoRegulator.org.za.

POPIA Enforcement Committee Rules of Procedure

[11 November 2022]

The Information Regulator’s (IR) annual report for 2021/22 is out.

Information Regulator – Annual Report

Annual Report – Presentation

[22 August 2022]

The Information Regulator (IR) offers instructions on filling out the Security Compromise Notification Form, which is required by Section 22 of POPIA.

Guidelines on section 22 notification of security compromises

Form SCN1 – Notification of a security compromise in terms of section 22 of the POPI Act

[11 May 2022]

On 11 May 2022, the Information Regulator (IR) submitted its Annual Performance Plan for the 2022/23 government financial year to Parliament.

Information Regulator Annual Performance Plan 2022/23

Information Regulator Annual Performance Plan 2022/23 Presentation

[2 January 2022]

On October 21, 2021, the Information Regulator and the Competition Commission signed a cooperation agreement outlining how they will work together on issues where their responsibilities overlap.

Memorandum of Agreement between Competition Commission and Information Regulator of South Africa 2021

[5 July 2021]

For your reference, a presentation on the Information Regulator’s preparedness is available below.

State of readiness for the implementation of the Protection of Personal Information Act 4 of 2013 and Promotion of Access to Information Act 2 of 2000

[21 June 2021]

The deadline for complying with section 58(2) of the Protection of Personal Information Act, 2013 in relation to section 57 of the Act has been extended by the Information Regulator. The new deadline is February 1, 2022 (previously it was July 1, 2021).

Information Regulator: Amendment of Notice

[5 May 2021]

The South African Information Regulator is proposing new rules to make sure information access laws (PAIA) are in line with privacy laws (POPI).

People responsible for handling information requests (information officers) will have new duties under PAIA.
The deadline to comment on these proposed changes is May 17th, 2021. You can send your comments to Ms. A Van der Walt at alvanderwalt@justice.gov.za.

Draft PAIA Regulations April 2021

[10 April 2021]

The Information Regulator released a guide explaining the roles and responsibilities of Information Officers and Deputy Information Officers. They are also working on an online system to make registration easier.

Guidance Note on Information Officers and Deputy Information Officers (1 April 2021)

[3 March 2021]

The Information Regulator took action on data privacy on February 22nd, 2021 with a two-pronged approach:

  • Guideline for Codes of Conduct: They released a guide to help organizations create their own codes of conduct that comply with the Protection of Personal Information Act (POPI). This guideline includes the application process and the required format.
  • Phased Implementation of POPI Regulations: The Information Regulator announced a staggered rollout of the POPI regulations:
    • March 1st, 2021: Applications for codes of conduct can be submitted (as per Regulation 5).
    • May 1st, 2021: Information officers gain specific responsibilities (outlined in Regulation 4), though guidelines for registration are still being finalized. Their duties include creating a compliance plan, information access procedures, and internal training.
    • July 1st, 2021: All remaining POPI regulations come into effect.

Guideline to Develop Codes of Conduct in terms of Section 65 of the Protection of Personal Information Act, 2013

[22 October 2020]

Information Regulator Presentation Quarterly Performance 8 October 2020

[22 July 2020]

The Information Regulator is seeking public feedback on draft guidelines for registering information officers. Submit comments by August 16th, 4:00 PM to NNemasisi@justice.gov.za.

Draft Guidelines on the Registration of Information Officers

[18 July 2020]

Since the Protection of Personal Information Act (POPI) came into effect, the Information Regulator has reported to Parliament on its preparedness to enforce it.

Readiness Plan for the Implementation of the Protection of Personal Information Act 30 June 2020

Readiness Plan for the Implementation of the Promotion of Access to Information Plan 30 June 2020

[1 July 2020]

The Protection of Personal Information Act (POPI), Act 4 of 2013, became law today. However, some sections regarding access to information will only be enforceable from July 1st, 2021.

The law gives businesses one year to comply with its regulations on how they handle personal information. This deadline can be extended by the government for up to three additional years, given the potential challenges of implementation and economic conditions. With the complexity of compliance, it’s likely these extensions will be granted.

Protection of Personal Information Act 4 of 2013

Presidency on commencement of certain sections of the Protection of Personal Information Act

[16 May 2020]

The Information Regulator’s plan for the 2020/2021 financial year, covering the period from April 1st, 2020 to March 31st, 2021, was submitted to Parliament on May 12th, 2020.

Information Regulator Annual Performance Plan for the financial year 2020/21

Presentation: Information Regulator Annual Performance Plan for the financial year 2020/21 (12 May 2020)

[2 November 2019]

The Information Regulator has released instructions to help organizations create their own Codes of Conduct for handling personal information. These guidelines align with Chapter 7 of POPI (Protection of Personal Information Act). There will also be a consultation for industry representatives on November 6th, 2019, at the Midrand Conference Centre.

These guidelines are required by POPI, section 65, and aim to assist both public and private entities. By following them, organizations can develop their own codes and apply for formal recognition from the Information Regulator.

The final guidelines will be published officially in the Government Gazette.

Agenda for consultation on Draft Guidelines
Draft Guidelines to Develop Codes of Conduct
Invitation Consultation on Codes of Conduct Guidelines
RSVP Consultation

[15 October 2019]

We might not see the Information Regulator fully established by the end of the year.

Information Regulator Annual Report 2019_20 Presentation to Parliament (10 October 2019)

[9 July 2019]

On July 5th, 2019, the Information Regulator outlined its goals for the year to the Portfolio Committee for Justice and Correctional Services.

Information Regulator APP Presentation 5 July 2019

The Information Regulator (IR) is gearing up for the full implementation of the Protection of Personal Information Act (POPIA). Here’s what they’ve achieved so far:

  • Secured an office space for the next three years.
  • Appointed a CEO and a CFO.
  • Hired a legal, research, and technology analyst starting in August 2019. (They still need to fill positions for POPIA implementation, access to information (PAIA) oversight, and corporate services.)
  • Developed a draft organizational structure for government approval.

The IR also requested additional funding on top of the R28.9 million allocated for the current year.

[14 December 2018]

The last set of regulations for handling personal information under POPI was released in a government publication on December 14th, 2018.

Regulations relating to the Protection of Personal Information, 2018

Regulations relating to the Protection of Personal Information, 2018 (Afrikaans)

[4 May 2018]

In a recent presentation to Parliament, the Information Regulator, created under the Protection of Personal Information Act (POPI), detailed its activities since its last report in October 2017.

Information Regulator Status Report 24 April 2018

POPI Regulations Update:

  • Draft regulations for the Protection of Personal Information Act (POPI) are awaiting final approval after public feedback and legal review.
  • Parliament will receive the regulations soon, as required by law.

Information Regulator Budget:

  • The Information Regulator’s (IR) budget has been steadily increasing over the past few years.
  • The IR’s medium-term budget is:
    • 2017/18: R23 402 000
    • 2018/19: R24 712 000
    • 2019/20: R25 095 000
    • 2020/21: R27 531 000

IR Structure and Staffing:

  • Finalizing the IR’s organizational structure is taking longer than expected due to legal complexities.
  • The IR can’t hire key staff until the structure is finalized and approved.

IR Activities:

  • The IR is actively training stakeholders on POPI compliance.
  • They are also proactively addressing complaints even though enforcement powers aren’t active yet.

Political Party Marketing and POPI:

  • Legal experts are reviewing whether unsolicited political marketing falls under POPI’s direct marketing regulations.

[21 October 2017]

On October 10th, 2017, the Information Regulator briefed the Portfolio Committee on Justice and Correctional Services on its progress.

Information Regulator Status Report 10 October 2017

[9 September 2017]

The public is invited to comment on draft regulations proposed by the Information Regulator under the Protection of Personal Information Act. The deadline for submissions is November 7th, 2017, via inforeg@justice.gov.za.

Draft POPI Regulations August 2017

[23 June 2017]

The website of the Information Regulator

[15 April 2016]

The selection committee for the Information Regulator has made progress. They have narrowed down the nominations to a shortlist of ten candidates for the five positions mandated by the Protection of Personal Information Act (POPIA).

Shortlist for the Portfolio Committee on Justice and Correctional Services:

  • Pansy Tlakula
  • Johannes Weapond
  • David Taylor
  • Advocate Lebogang Stroom
  • Lindelo Snail
  • Siyakhula Simelane
  • Thav Reddy
  • Francois Cronje
  • Shamila Singh
  • Tana Pistorius

[19 September 2015]

While many agreements reference the Protection of Personal Information Act (POPI), it’s important to understand the situation. Here’s why you might not need to scramble just yet:

  • The Regulator Isn’t Ready: A key piece, the Information Regulator, hasn’t been appointed. This means creating the rules to follow (regulations) can’t even begin.
  • Regulations Are Key: These regulations will explain exactly what businesses need to do to comply. Until they’re finalized, compliance specifics are unclear.
  • Action Without a Roadmap? It’s difficult to design a compliance plan without knowing the specific requirements.
  • Time is on Our Side (a Bit): POPI’s enforcement likely won’t start until mid-2017, with an additional 18-month grace period for implementation.

In short, while POPI is coming, there’s time to prepare effectively once the regulations are established.

[22 May 2015]

There were positive signs in the Deputy Minister of Justice and Constitutional Development’s speech on May 19, 2015, that the slow-moving Protection of Personal Information Act might be seeing some progress soon.

Speech by the Deputy Minister of Justice and Constitutional Development, the Hon JH Jeffery, MP, during the Debate on Vote 21: Justice and Constitutional Development, delivered on 19 May 2015

I am pleased to announce that with regards to the appointment of an Information Regulator in terms of the Protection of Personal Information Act, that agreement has been reached with treasury on the grading of the Regulator and a letter will soon be sent to the Speaker, requesting her to initiate the nomination process envisaged in section 41 of the Act. This section requires a multi-party committee of the National Assembly to assist with the nomination of persons who are eligible for appointment as members of the Regulator. The appointment of the members of the Regulator will, in turn, facilitate the commencement of the remainder of the Act.

Since our last update, we’ve identified the salary range for Information Regulator members. Now, the department will begin the process of nominating and selecting these members.

Implementation Timeline

While some legal professionals raise concerns about immediate implementation, we believe it will take several years before the legislation is fully operational.

[14 April 2014]

Starting April 11th, 2014, several parts of the Protection of Personal Information Act will be in effect. These include:

  • The definitions used throughout the Act (section 1).
  • The creation and procedures of the Information Regulator (Part A of Chapter 5).
  • The ability for the Minister and the Regulator to create additional rules (section 112).
  • The process for creating these additional rules (section 113).

POPI Commencement of certain sections 7 April 2014

[28 November 2013]

South Africa’s Protection of Personal Information Act (POPI), signed into law in November 2013, provides a framework for data privacy. However, the act’s implementation details and enforcement date are yet to be determined. This means there’s both progress and a wait-and-see approach. While POPI offers a clear direction, organizations will likely have a significant lead time to comply.

[1 March 2013]

South Africa’s National Council of Provinces discussed the Protection of Personal Information Act on February 13th, 2013. The committee received input from experts and government departments.

Several changes were proposed, mostly technical. However, key issues requiring attention included:

  • Consent, justification, and objection: The committee focused on how these concepts were defined in the bill’s clause 11(3)(a).
  • Data retention and correction: Lawmakers debated time limits for storing personal information and how individuals could get it corrected.
  • Exemptions: The discussion covered who could be exempt from the law and whether companies profiting from future information use should be included (clause 32(1)).
  • EU compliance: The committee wanted to ensure the bill aligned with updated European Union regulations.

Unresolved issues remained with the Financial Services Board (FSB) regarding specific sections. The committee requested a more thorough explanation of the entire bill.

[15 September 2012]

Final Draft of Protection of Personal Information Bill (5 September 2012)

The Portfolio Committee for Justice and Constitutional Development has finalized discussions on the POPI Bill. This means the Bill will now go through the rest of Parliament’s approval process. It’s expected to become law by early 2013.

The Committee voted in favor of a stricter definition of consent, rejecting a proposal for an opt-out system. This is positive news for those who want to limit spam. Here’s a closer look at the relevant parts of the Bill:

“consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

CHAPTER 8

RIGHTS OF DATA SUBJECTS REGARDING DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING

Direct marketing by means of unsolicited electronic communications

69. (1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—

(a) has given his, her or its consent to the processing; or

(b) is, subject to subsection (3), a customer of the responsible party.

(2) (a) A responsible party may approach a data subject—

(i) whose consent is required in terms of subsection (1)(a); and

(ii) who has not previously withheld such consent,

only once in order to request the consent of that data subject.

(b) The data subject’s consent must be requested in the prescribed manner and form.

(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)

(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;

(b) for the purpose of direct marketing of the responsible party’s own similar products or services; and

(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—

(i) at the time when the information was collected; and

(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.

(4) Any communication for the purpose of direct marketing must contain—

(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and

(b) an address or other contact details to which the recipient may send a request that such communications cease.

(5) “Automatic calling machine”, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.

The draft law protecting your personal information (the Protection of Personal Information Bill) is close to being finalized!

A committee reviewed specific parts of the bill in detail, and their recommendations are in. The bill is expected to be finished by the government committee on Justice this year. Then, it needs approval from several levels of government before becoming law.

Unfortunately, there’s likely no more chance for public comments on the bill.