Robert Boswel | PKF Durban

2025 has seen data protection and privacy take centre stage. After April’s updates to South Africa’s POPIA legislation, the Information Regulator has tightened rules around consent, incident reporting, and the handling of personal data.

What’s the biggest change? Businesses’ compliance status is now made public. Through a partnership with the CIPC, the Regulator has integrated PAIA and POPIA compliance checks into the Bizportal platform, which means anyone can now check a company’s POPIA compliance.

PAIA Manual - Who Needs It and What Should It Include

Every public and private entity must have a PAIA manual.

• Public bodies: Government departments, state administrators.
• Private bodies: All juristic entities - including sole proprietors, companies, close corporations, and trading trusts. No exceptions.

A PAIA manual must:

1. Explain the purpose for processing personal data.
2. Describe categories of data subjects and the information collected.
3. List who may receive the data (including cross-border transfers).
4. Outline security measures protecting data confidentiality and integrity.

PAIA Annual Returns - Deadlines and Penalties

Under Section 32 of PAIA, Information Officers (IOs) or the Deputies of public bodies must submit annual reports on access-to-information requests.

Key details:

• Reporting portal: IOs and Deputy IOs must register on the Regulator’s platform.
• Reporting window: 1 April – 30 June 2025.
• Consequences for non-compliance: Failure to submit can lead to an enforcement notice, fines (up to R10 million), or even imprisonment.

No one is exempt – not even government departments. The Department of Justice & Constitutional Development was recently fined R5 million after its IO failed to comply with an enforcement notice.