Nadine Mather, Partner; and Savanna Stephens, Senior Associate; at Bowmans
As 2025 came to a close, the Information Regulator commenced a robust compliance monitoring exercise, with many organisations receiving formal notices requiring them to demonstrate compliance with the provisions of the Protection of Personal Information Act (POPIA).
A more structured approach to oversight
In terms of section 40(1)(b)(i) of POPIA, the Information Regulator is mandated to monitor and enforce compliance with the provisions of POPIA by both public and private bodies and is empowered to take necessary steps to perform this oversight function.
While the Information Regulator has conducted own-initiative assessments in recent years, this new compliance monitoring exercise reflects a more structured, proactive and documentation-driven approach to regulatory oversight.
What does the monitoring exercise require?
Organisations selected for monitoring will be formally notified and are required to submit a comprehensive POPIA compliance report, together with supporting documentation, within 14 business days.
The compliance report must demonstrate how the organisation complies with the provisions of POPIA, with a particular focus on (i) the conditions for lawful processing of personal information, (ii) direct marketing by means of unsolicited electronic communications, and (iii) cross-border transfers of personal information.
Although the report must address the organisation’s overall compliance with POPIA, the Information Regulator specifically requires organisations to provide:
- an overview of the organisation, including its processing activities and the approximate number of data subjects affected;
- details of subsidiaries and branches (where applicable);
- the total number of employees employed by the organisation;
- confirmation of designated or delegated deputy information officer(s), together with proof of registration;
- a copy of the organisation’s compliance framework, including its privacy policy/statement, retention policy, and information security policy;
- details of the POPIA training and awareness sessions conducted during the previous financial year;
- a copy of the organisation’s risk register reflecting reasonably foreseeable internal and external risks to personal information (while not expressly required by POPIA, organisations must be able to demonstrate compliance with their security safeguard obligations);
- any mitigation/implementation plan addressing the identified risks;
- a copy of the organisation’s incident response plan;
- the organisation’s manual prepared in terms of the Promotion of Access to Information Act;
- a personal information impact assessment conducted to ensure adequate measures and standards for the lawful processing of personal information;
- copies of any legitimate interest assessments conducted where an organisation relies on legitimate interests to process personal information (noting that POPIA does not expressly require such assessments, and reference to a legitimate interest assessment has only been made in the Guidance Note on Direct Marketing issued by the Information Regulator);
- a report on direct marketing activities (where applicable), including consent mechanisms;
- the number of POPIA-related complaints received during the most recent financial year; and
- the number of security compromises experienced during the most recent financial year.
The compliance report must be submitted electronically via email to the Information Regulator. Physical submissions or electronic storage devices will not be accepted. Importantly, the monitoring process may include physical inspections at the organisation’s premises, notwithstanding the submission of a report.
Monitoring vs enforcement
We understand that this monitoring exercise is a proactive measure adopted by the Information Regulator in terms of section 40(1)(b)(i) of POPIA. It is distinct and separate from the enforcement procedures regulated under Chapter 10 of POPIA.
Should the Information Regulator consider enforcement action necessary after reviewing a report, we understand that the provisions of Chapter 10 would then be invoked. In this regard, the consequences of non-compliance with POPIA are significant and may include enforcement proceedings which may, in turn, result in administrative fines of up to ZAR 10 million, civil liability or even imprisonment in certain circumstances.
Practical implications for organisations
With the Information Regulator ramping up its monitoring efforts, organisations should take proactive steps now to ensure that they are fully compliant with the provisions of POPIA.
Organisations should also keep detailed records and documentation of their steps and internal measures that have been implemented to comply with POPIA. Maintaining detailed and up-to-date records of compliance measures will enable organisations to respond promptly and effectively should they receive a notice requiring submission of a compliance report.