Earlier this year, the Regulations to the Protection of Personal Information Act (‘the POPIA Regulations’) were amended. Designed to enhance data subject rights and tighten compliance requirements for organisations, the POPIA Regulations took effect on 17th April 2025. In light of the vital importance of compliance, this article offers a brief rundown of these regulatory amendments.
Key changes to the POPIA Regulations include:
- Data subjects are empowered to object to the processing of their personal information or request corrections/deletion via hand, post, SMS, email, WhatsApp, fax, phone, or any other expedient method. Notably, telephone objections must be recorded and made accessible to the data subject upon request.
- When personal information is collected, organisations must inform data subjects of their right to object and respond to correction/deletion requests within 30 days.
- New definitions, including ‘complainant’, ‘complaint’, ‘relevant bodies’, and ‘writing’, enhance clarity and are aligned with other key laws.
- Stricter consent rules for direct marketing: Consent must be obtained from data subjects, who are not existing clients, in a reasonably accessible, convenient, and cost-free manner. Importantly, consent received telephonically or via automated calling machine must be recorded and made available to the data subject on request. Consent must be obtained using a form ‘substantially similar to [Form 4]’. The goods/services intended for marketing must be indicated and a preferred communication method obtained. Crucially, mere opt-outs no longer constitute consent.
- Complaints may be submitted by anyone with sufficient interest or acting in the public interest. Assistance must be provided to complainants, and anonymity can be requested. Crucially, complaints must be in writing – utilising the prescribed form – and must comply with detailed content requirements.
- Although the requirement to maintain a Promotion of Access to Information (‘PAIA’) manual has been deleted from the Regulations (but still applies under PAIA), information officers must continuously enhance their POPIA compliance frameworks.
- Administrative fines can now be paid in instalments, subject to affordability and approval by the Information Regulator.
Given these substantial regulatory amendments, organisations are urged to review and update their compliance policies and programmes to align with this updated POPIA framework.
For sound legal guidance on POPIA compliance and related matters, contact our specialists at compliance@stbb.co.za.
This content is the property of STBB. We encourage the sharing of our content for informational purposes. However, if you wish to copy or reproduce our content on your own platform or website, please ensure that proper credit is given to STBB.
