The Information Regulator (South Africa) has officially amended the Regulations under the Protection of Personal Information Act (POPIA), with immediate effect from 17 April 2025. These changes aren’t just technical—they carry real implications for your compliance responsibilities, especially if you’re an Information Officer.

Organisations that collect or process personal information—whether of individuals or juristic persons—must pay close attention. The amended Regulations strengthen accountability and aim to streamline how data subject rights are managed. But they also increase the compliance burden if your internal processes haven’t kept up.

Amendments to the Regulations relating to the Protection of Personal Information Act, 2018. How will they impact Organisations and their Information Officers?

The Information Regulator (South Africa), an independent body established under the Protection of Personal Information Act 4 of 2013 (“POPIA”), has a mandate to monitor and enforce compliance with both POPIA and the Promotion of Access to Information Act, 2000 (“PAIA”). As part of this role, the Regulator is empowered to make regulations.

It is important to highlight the purpose of Regulations. Regulations play a crucial role in implementing and enforcing Acts, promoting consistency, predictability, protection, and accountability. As such, the Chairperson of the Information Regulator, Adv. F.D.P. Tlakula, signed amendments to the Regulations relating to the Protection of Personal Information Act, 2018. These amendments came into effect on the 17th of April 2025 for implementation with immediate effect.

These amendments introduce several changes that will directly impact organisations (also known as “responsible parties”) that hold personal information of data subjects (i.e., the natural or juristic persons to whom the personal information relates), and the responsible parties’ designated Information Officers. The Information Officer (“IO”) of a responsible party has statutorily defined duties under Section 55 of POPIA, which include encouraging compliance with the conditions for lawful processing, dealing with requests made to the body pursuant to this Act, working with the Regulator, and otherwise ensuring compliance with POPIA.

The Amended Regulations introduce revised definitions, updated procedures for matters like objections, correction requests, and complaints, and provisions for administrative fines, along with associated form changes, which are discussed in more detail below.

  1. Amendment of Regulation 1

The amendment of Regulation 1 introduces several definitions to establish the precise meaning of key terms within the amended Regulations, thereby preventing ambiguity and ensuring consistent application of the Regulations, including:

  • “Complainant”: means any person who lodges a complaint with the Information Regulator;
  • “Complaint”: means:
    • a matter reported to the Information Regulator by any person regarding the alleged interference with the protection of the personal information of a data subject, or a matter submitted by a responsible party or data subject if he, she or it is aggrieved by the determination of an adjudicator under an approved code of conduct;
    • a complaint which was referred by the Information Regulator:
      • on receipt of it; or
      • after the completion of the investigation of the complaint or other matter in terms of POPIA for:
        • consideration;
        • a finding in respect of the complaint or other matter; and
        • a recommendation in respect of the proposed action to be taken by the Regulator against a responsible party in terms of POPIA, or an information officer or head of a private body, as the case may be, in terms of PAIA,
      to the Enforcement Committee; and
    • a matter reported or referred to the Information Regulator in terms of other legislation (i.e., Promotion of Access to Information Act, Act No. 2 of 2000 (“PAIA”)) that regulates the mandate of the Information Regulator.
  • “Day”: means a calendar day, unless the last day of a specified period happens to fall on a Sunday or on any public holiday, in which case the time shall be calculated exclusive of that Sunday or public holiday.
  • “Office hours”: means in respect of:
    • offices of the Information Regulator – the hours between 08:00 and 16:00 on Monday to Friday, excluding public holidays; and
    • offices designated by the Information Regulator – the hours during which these offices are operating.
  • “Relevant bodies”: refers to any specified body or class of bodies, or any specified industry, profession, or vocation or class of industries, professions, or vocations that, in the opinion of the Regulator, has sufficient representation.
    • Implemented to facilitate industry-specific codes of conduct, enabling sectoral self-regulation under regulatory oversight. For instance, the Independent Communications Authority of South Africa (“ICASA”) fulfils the role of enforcing POPIA compliance within the telecommunication industry and is also mandated to regulate electronic communications.
  • “Writing”: means that a document or information is in the form of a data message and accessible in a manner usable for subsequent reference. Thus, the definition recognises the legal equivalence of electronic documents to traditional written documents and also supports digital documentation and accessibility.

Commentary: The above-mentioned definitions are included to provide the precise meaning of key terms within the amended Regulations and to aid clarification, interpretation and compliance. They enhance legal certainty and advance administrative efficiency.

 

  1. Substitution of Regulation 2 – Objection to the processing of personal information

The revised Regulation 2 now requires that:

  • A data subject who wishes to object to the processing of personal information, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing, must submit the objection to a responsible party at any time during office hours of such responsible party. This must be done on a form substantially similar to Form 1, which must be free of charge and reasonably accessible to a data subject by hand, fax, post, email, SMS, or WhatsApp, or in any manner expedient to a data subject. This applies if such processing:
    • does not protect a legitimate interest of the data subject;
    • is not necessary for the proper performance of a public law duty by a public body;
    • is not necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied; or
    • is done for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.
  • A data subject who wishes to object to the processing of personal information for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications, must submit the objection to a responsible party at any time during office hours of a responsible party and free of charge.
  • Responsible parties must, when they collect personal information, take reasonable steps to ensure that they inform data subjects about their right to object, at any time, to the processing of personal information in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing, if the processing:
    • does not protect a legitimate interest of the data subject;
    • is not necessary for the proper performance of a public law duty by a public body;
    • is not necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied; or
    • is done for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.
  • If an objection to the processing of personal information of a data subject is made telephonically, such an objection shall be electronically recorded by the responsible party and, upon request, be made available to the data subject in any manner, including the transcription thereof.

In summary, the revised Regulation 2 substitutes the previous version, expanding the ways a data subject may object to the processing of personal information by allowing them to use a form substantially similar to Form 1 and submit it via various methods including hand, fax, post, email, SMS, or WhatsApp, or telephonically (which must be electronically recorded), and it reinforces the requirement for responsible parties to notify data subjects of their right to object when collecting personal information.

Impact: This rethinking of procedural access greatly minimises tension for data subjects and requires responsible parties to actively facilitate rights.

Some of the steps that a responsible party can consider to ensure compliance with the new Regulation 2:

  • Making the office hours of the responsible party available to data subjects, e.g., on its website or on office doors, as a message on an answering machine, etc.
  • Having the ability to accept objections free of charge during office hours. This requires the responsible party to have a system in place to receive such objections during their operating hours without imposing a fee.
  • Making a form (similar to Form 1 in the Regulations) available free of charge and reasonably accessible to the data subject, i.e., on the website of the responsible party or a QR code which can be scanned to complete the form.
  • Accepting objections via multiple channels. The responsible party must therefore be equipped to receive and process objections received through these various communication methods and this must be communicated to the data subjects.
  • Always notifying data subjects of their right to object upon collection of their personal information.
  • If objections can be made telephonically, such objections shall be electronically recorded by a responsible party. This necessitates implementing a system for recording and managing telephonic objections (calls or automatic answering machines) as well as the ability to transcribe these conversations, taking into account different accents in South Africa, as upon request, this recording must be made available to the data subject in any manner, including the transcription thereof, free of charge.

The new Regulation 2 directly impacts the IO’s duties by specifying how a particular type of objection by a data subject must be handled. Therefore:

  • The IO will likely be responsible for overseeing the establishment and implementation of internal measures and systems to ensure compliance with these procedures.
  • The IO (or staff under their direction) will need to manage the availability of Form 1 and the operational readiness to receive objections via multiple channels (hand, fax, post, email, SMS, WhatsApp, or any expedient manner).
  • The IO, responsible for encouraging and ensuring overall compliance and conducting internal awareness sessions, will likely be tasked with ensuring that the responsible party’s data collection processes are updated to include the requirement to notify data subjects of their right to object during data collection.
  • The duty to electronically record telephonic objections and provide recordings/transcriptions upon request adds a specific technical and administrative task. The IO would likely be responsible for ensuring the necessary systems are in place and that staff are trained on this procedure.
  • The new regulation provides clear standards for handling objections. The IO’s general duty to ensure compliance by the body with the provisions of POPIA will require them to monitor adherence to these new, detailed procedural requirements for objections.

 

  1. Substitution of Regulation 3 – Request for correction or deletion of personal information or destruction or deletion of record of personal information

The revised Regulation 3 states that:

  • A data subject has the right to request from a responsible party, where necessary:
    • the correction or deletion of his, her or its personal information, which is in the responsible party’s possession or under its control, if such personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
    • the destruction or deletion of a record of personal information about the data subject that the responsible party is no longer authorised to retain any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless the retention is required or authorised by law, needed for the responsible party’s lawful purposes or a contract, or the data subject consents.
  • A data subject, who wishes to request the destruction or deletion of a record of his, her, or its personal information, that the responsible party is no longer authorised to retain any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless the retention is required or authorised by law, needed for the responsible party’s lawful purposes or a contract, or the data subject consents, has the right to request the destruction or deletion of such record at any time and free of charge.
  • A request for a correction or deletion of personal information, or a request for the destruction or deletion of a record of personal information as set out above, must be submitted to a responsible party on a form which is substantially similar to Form 2, free of charge and reasonably accessible to a data subject by hand, fax, post, email, SMS, WhatsApp message or in any manner expedient to a data subject.
  • A request for a correction or deletion of personal information by telephonic means shall be recorded by a responsible party and such recording must, upon request, be made available to a data subject in any manner, including the transcription thereof which shall be free of charge.
  • A responsible party must, within thirty (30) days of receipt of the outcome of the request as set out above, notify a data subject, in writing, of the action taken as a result of the request.

In summary, some of the notable improvements include:

  • Numerous contemporary channels allow for the free submission of Form 2.
  • Telephone requests are now accepted as long as they are recorded.
  • The request must be answered within 30 days.

Impact: This guarantees that compliance deadlines are enforceable and encourages responsiveness and accountability from responsible parties.

Some of the steps that a responsible party can consider to ensure compliance with the new Regulation 3:

  • Ensuring that a request for correction or deletion of personal information or destruction or deletion of a record of personal information is facilitated at any time and free of charge, for instance, through the responsible party’s website.
  • Enable a data subject to exercise the rights to request the destruction or deletion of a record or personal information at any time and free of charge. Developing policies and/or schedules for the retention of records or personal information.
  • Accepting requests through various channels. Thus, the responsible party needs to be prepared to accept and handle requests received through various communication methods, and this must be communicated and made accessible to the data subjects.
  • If a request is made telephonically, it must be electronically recorded by a responsible party. This means that a system for recording and managing telephonic requests (calls or automated answering machines) must be put in place, as well as the ability to transcribe these conversations, considering the various accents in South Africa. The data subject must be able to access the recording in any manner, including transcription, at no cost upon request.
  • Developing Standard Operating Procedures (SOPs) such as Notification of Outcome of Request or systems to notify a data subject, in writing, within thirty (30) days of receipt of the outcome of the request, of the action taken as a result of the request.

The new Regulation 3 directly impacts the IO’s duties by outlining how requests for correction or deletion of personal information or destruction or deletion of record of personal information must be handled. Thus:

  • The IO will probably be in charge of supervising the development and deployment of internal policies and processes to ensure compliance with the above procedures, including dealing with requests made to the body pursuant to POPIA.
  • The IO will also be responsible for ensuring requests are timeously attended to as well as developing policies/schedules for the retention of records or personal information.
  • The IO will oversee Form 2 accessibility and operational readiness to accept requests through various channels (by hand, fax, mail, email, SMS, WhatsApp, or any expedient manner).
  • The requirement to electronically record telephonic requests and provide recordings/transcriptions on request adds procedural and administrative responsibility. The IO would most likely be in charge of ensuring that the required processes are in place and that personnel are properly trained in this procedure.
  • The IO will have the duty to develop SOPs or systems to ensure that requests are answered within the prescribed period.
  • Clear guidelines for processing requests are provided under the new regulation. The IO’s overall responsibility to guarantee the body’s compliance with POPIA’s provisions will require monitoring adherence to these new, comprehensive procedures for handling requests.

 

  1. Amendment of Regulation 4

The heading of Regulation 4 is amended to include additional duties of Information Officers and will now read as follows: “Additional duties and responsibilities of Information Officer”. The duties and responsibilities of Information Officers were amended as follows:

  • The responsibilities of an Information Officer will no longer include the requirement to ensure the development, monitoring, maintenance and making available of a PAIA manual as prescribed by the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).
  • An Information Officer must, in addition to the responsibility to ensure that a compliance framework is developed, implemented, monitored and maintained, also now ensure that such compliance framework is continually improved.
  • The information officer is no longer required to, upon request by any person, provide copies of the manual to that person upon the payment of a fee to be determined by the Regulator from time to time.

The amended Regulation 4 impacts the Information Officer by adding the requirement to ensure the compliance framework is “continually improved”, and removes the explicit duties previously listed in the 2018 regulations regarding ensuring the manual under sections 14 and 51 of POPIA/PAIA is developed and made available, and ensuring internal measures for processing records are developed and implemented.

Impact: This illustrates a developing governance framework in which compliance is dynamic and ever-changing, reflecting international best practices. The deletion of 4(1)(c) and 4(2) of the 2018 regulations implies changes to the requirements regarding the manual and providing copies, though the exact effect needs careful review of the full amended text alongside PAIA’s requirements for manuals.

Amendment of Regulation 5: Application for issuing code of conduct

The purpose of a code of conduct is primarily to clarify how the general conditions for the lawful processing of personal information set out in the Protection of Personal Information Act (POPIA) are to be applied or complied with specifically within a particular sector or sectors of society. A code of conduct must incorporate all the conditions for lawful processing or functional equivalents and must be applied for using Form 3. Additionally, a code of conduct must specify appropriate measures for things like information matching programmes or automated decision making relevant to the sector and include provisions for its review and expiry. Failure to comply with an approved code of conduct is treated as a breach of the conditions for lawful processing.

In terms of the 2018 regulations: “A private or public body which is sufficiently representative of any class of bodies, or of any industry, profession, or vocation that wishes to apply for the issuing of a code of conduct in terms of section 61(1)(b) of the Act, must submit an application to the Regulator on Form 3.” The new Regulation 5 is updated to replace the words “private or public body” with “relevant body/bodies”, which is defined under the amended definitions. Therefore, the amended regulation now requires that any group or collection of organisations or individuals (referred to as a “relevant body/bodies”), such as a specific type of business, profession, or industry, that the Information Regulator believes represents a significant portion of that particular group or sector, and that wants the Regulator to create and approve a specific set of rules (a “code of conduct”) specifically for their sector, must send their request for this code to the Information Regulator using the required official document, which is Form 3.

Form 3 of the Regulations was also amended.

A relevant body must use the new Form 3 when applying to the Information Regulator for the issuing of a code of conduct.

Commentary: The change in terminology in the regulation and on the form itself signifies a formal update to the application procedure.

 

  1. Substitution of Regulation 6 – Request for a data subject’s consent to process personal information for direct marketing through unsolicited electronic communication.

Regulation 6, which covers requests for data subject consent for direct marketing via electronic communication, has been entirely substituted. The new Regulation 6 provides explicit requirements for responsible parties seeking consent for direct marketing through unsolicited electronic communication under section 69(2) of the Act.

Section 69 of POPIA deals with using unsolicited electronic communications for direct marketing. Electronic communication includes any text, voice, sound, or image message sent over an electronic network, covering things like email, SMS, fax machines, and even automatic calling machines.

Therefore, it sets the basic rule that a responsible party (a public or private body or person processing personal information) is generally not allowed to use any type of unsolicited electronic message (meaning you didn’t ask for it) for the purpose of directly marketing goods or services to any data subject. However, there are two exceptions to this general prohibition:

  1. The data subject has given his, her or its permission (consent) for them to send him, her or it these electronic marketing messages,
  2. The data subject is already a customer of the responsible party, but this is subject to additional specific conditions, which include obtaining the data subject’s contact details in the context of a sale, marketing only their own similar products/services, and giving the data subject an opportunity to object at the time of collection and with every communication.

A responsible party is allowed to approach the data subject only once to make a request for consent. This request for consent must follow specific rules regarding how it’s done and what form is used.

Consent must be written and obtained using a form substantially similar to Form 4, or via any expedient, free, and reasonably accessible method, including email or telephonically.

Crucially, the amended regulation unequivocally states that opt-out shall NOT constitute consent for this type of direct marketing.

If consent is obtained telephonically using an automated calling machine, the responsible party must electronically record the interaction and make the recording (or a transcription) available to the data subject free of charge upon request.

This shifts the burden firmly onto responsible parties to demonstrate explicit, positive consent, moving away from implied consent models like opt-out.

The new Regulation 6 states that:

  • If a responsible party wants to process a data subject’s personal information for direct marketing using unsolicited electronic communications, and they need the data subject’s consent to do this (because the data subject isn’t an existing customer), and the data subject hasn’t already said “no” to receiving such marketing, then the responsible party has a specific, limited way they can ask for this consent.
  • The written request must be made using a form substantially similar to Form 4 or in any other manner that is expedient, free of charge and reasonably accessible to a data subject.
  • The regulations list several acceptable methods for requesting this consent, including email, telephonically, SMS or WhatsApp, facsimile, and automated calling machines.
  • If the request for consent is made telephonically or by an automated calling machine, the responsible party must electronically record that request. Upon the data subject’s request, this recording (including a transcription) must be made available to them free of charge.
  • Importantly, the regulations also clarify that simply having an “opt-out” mechanism available does not count as obtaining consent for this purpose under Section 69(2) of POPIA. True consent must be actively obtained.

In summary, some of the key changes are:

  • Consent needs to be clear and recorded, particularly when using automated or telephonic methods.
  • Opt-out is not equivalent to consent under Section 69(2).
  • Forms of consent expanded to include fax, WhatsApp, email, SMS, and automated calling machines.

Commentary: This eliminates loopholes/gaps in unsolicited marketing and increases the permission burden on responsible parties. It offers a clear foundation for addressing unlawful marketing practices.

Some of the steps that a responsible party can consider to ensure compliance with the new Regulation 6:

  • A responsible party who processes the personal information of a data subject for the purposes of direct marketing through unsolicited electronic communication must ensure that written consent is obtained from a data subject through a form substantially similar to Form 4 or facilitated through various communication methods at no cost. This can be achieved by implementing the necessary policies and procedures.
  • If a data subject’s consent is obtained by means of telephonic or automated calling machine, such telephonic or automated calling machine interactions must be electronically recorded by the responsible party and such recordings, including the transcription thereof, must be made available to a data subject upon request, in any manner at no cost. This necessitates implementing a system for recording and managing telephonic or automated calling machine recordings along with the ability to transcribe these recordings.
  • A responsible party must ensure that internal awareness sessions are conducted to educate staff on how to distinguish an opt-out from consent for the purposes of direct marketing through unsolicited electronic communications.

The new Regulation 6 directly impacts organisations (e.g., telemarketing businesses) by stipulating how requests for a data subject’s consent to process personal information for direct marketing through unsolicited electronic communication must be approached. Thus:

  • Organisations will probably need to develop and/or amend existing policies, establish and implement internal measures or systems to ensure compliance with POPIA and the intricacies of direct marketing through unsolicited electronic communication.
  • Organisations will also need to implement systems on how to lawfully obtain consent from data subjects for purposes of direct marketing through unsolicited electronic communication as well as developing mechanisms for recording and managing telephonic or automated calling machine recordings and transcription thereof.
  • Organisations will have to conduct internal awareness sessions to ensure that staff are properly trained on the importance of obtaining written consent, impact of direct marketing, opt-outs versus consent, etc.
  • The new regulation provides clear standards on how to undertake requests for a data subject’s consent to process personal information for direct marketing through unsolicited electronic communication. Thus, organisations must ensure compliance with the provisions of POPIA as set out in section 69. They must also encourage and foster (top to bottom) compliance with those provisions and monitor adherence to these new regulations, along with the thorough procedural requirements for direct marketing through unsolicited electronic communication.

 

  1. Amendment of Regulation 7 – Submission of complaint

The revised Regulation 7 incorporates:

  • the categories of persons who may lodge a complaint to the Information Regulator, i.e., data subjects or those acting on their behalf regarding interference with personal information (as defined in Section 73), any person with a sufficient personal interest in such interference (Section 73), a responsible party or data subject aggrieved by an adjudicator’s determination (under Section 63(3)), or any person acting in the public interest;
  • the forms to be used when lodging a complaint and the information to be included;
  • the manner in which a complaint must be submitted;
  • acknowledgement of receipt of the complaint;
  • assistance provided by the Information Regulator to a complainant;
  • the maximum of 14 days to transfer a complaint from an office designated by the Regulator to the Regulator;
  • protection of certain personal information, which is included in the complaint and the identity of the complainant, etc.

Key takeaways regarding the new Regulation 7 include:

  • Complaints by interested third parties and public interest actors.
  • Assistance to complainants in languages other than English.
  • Online and physical access to Form 5.
  • A 14-day timeline for designated offices to transmit complaints to the Regulator.
  • Detailed requirements for the content and evidence of complaints.
  • Confidentiality protections aligned with the Protected Disclosures Act.

Impact: This increases confidence in the Regulator’s procedures and fosters an environment that supports the assertion of rights.

 

  1. Forms Update for Enforcement Process (Regulation 12: Informing the parties of developments regarding investigation):

Regulation 12 (2)(e) – (g) is amended by the deletion of Forms 17, 18, and 19. These forms were previously referenced in the 2018 regulations for notifying parties about investigation developments and outcomes, including matters like appeals against enforcement notices.

While the deletion of these specific forms indicates changes to the prescribed documentation used in the enforcement and appeal communication process, the fundamental right to appeal enforcement or information notices to the High Court, as provided for in section 97 of POPIA, remains.

 

  1. Insertion of new Regulation 13 – Administrative Fines

The newly inserted Regulation states that:

  • Where the responsible party is served with an infringement notice, section 109(1) of POPIA outlines the process for the Information Regulator to impose administrative fines on responsible parties for offences under the Act. This section empowers the Regulator to issue infringement notices, specify the alleged offence, the responsible party’s name and address, and the amount of the fine (which cannot exceed R10 million). The responsible party then has options, including paying the fine, arranging for instalment payments, or opting for a court trial.

(Section 109 details the process for issuing administrative fines, including criteria considered when determining the fine amount, such as the nature and duration of the contravention, the number of data subjects affected, potential damage, whether risk assessments or good policies were in place, and previous offences. The new regulation provides a specific mechanism for managing the financial burden of administrative fines.)

  • When determining an appropriate payment period, the Regulator must consider the following factors:
    • The financial circumstances of the responsible party; and
    • Any other relevant compelling reasons that may directly or indirectly impact on the responsible party’s affordability.

In summary, the new Regulation 13 provides that responsible parties who have been fined can make arrangements to pay the fine in instalments. The Regulator can make these arrangements on a case-by-case basis. In doing so, the Regulator must consider the following factors:

  • The financial circumstances of the responsible party; and
  • Other compelling circumstances that may directly or indirectly impact on the responsible party’s affordability.

Commentary: This makes enforcement more balanced. It promotes regulatory equity and the sustainability of smaller organisations without undermining deterrence.

 

The amendments to the Regulations relating to the Protection of Personal Information Act mark a significant step towards enhancing data protection in South Africa. As the digital landscape continues to evolve, it is crucial for organisations and information officers to stay informed and adapt to these changes.

Staying compliant is not just a legal obligation, but a fundamental aspect of building trust with your data subjects and protecting your organisation from potential enforcement action, including administrative fines.

These amendments are not merely administrative tweaks; they introduce substantive changes and clarifications that require responsible parties to re-evaluate and potentially revise their current data protection practices. Key areas demanding immediate attention include:

  • Ensure the processes for handling objections align with the new Form 1 requirement and methods. Implement procedures to proactively notify data subjects of their objection rights during data collection.
  • Support the Information Officer in moving beyond monitoring to actively ensure the “continual improvement” of the organisation’s compliance framework. Review manual development and availability procedures based on the current regulatory requirements.
  • If applicable, ensure that the correct terminology and the amended Form 3 are used for any future code of conduct applications.
  • The organisation’s electronic direct marketing efforts must now be based on clear, verifiable opt-in consent. Review the current consent mechanisms and implement new ones that comply with the strict requirements of the substituted Regulation 6. Ensure recordings are made and kept for automated telephonic consent.
  • Educate relevant staff on the updated complaint procedures, including who can complain, the required form (Form 5), and the Regulator’s assistance and identity protection provisions.
  • Be aware of the factors influencing administrative fines and the new option for payment arrangements if an infringement notice is received.

 

Take Action Now

The Amended POPIA Regulations are in effect, and responsible parties must ensure their practices align with the updated requirements. Don’t wait for a complaint or Regulator investigation to discover gaps in your compliance framework.

Contact us today to discuss how our expert GRC services can help you understand and implement the necessary changes, ensuring your organisation remains compliant and resilient in the evolving data protection landscape.

Disclaimer: This article provides general information based on the provided source excerpts and should not be construed as legal advice. Organisations should consult with qualified legal professionals for advice specific to their circumstances. 

For more information, please contact info@inlexso.co.za.
