The Protection of Personal Information Act (POPIA) Regulations have just received a facelift, with the Information Regulator publishing amendments to the Regulations on 17 April 2025.
The amendments, which came into effect immediately upon publication, aim to enhance data subject rights while ensuring that organisations adhere to stricter compliance requirements and remain accountable.
So, what do you need to know about the amended Regulations?
Additional definitions
The amended Regulations introduce several new definitions to provide further clarity and certainty as regards the application of the Regulations.
These include, for example:
• ‘Complainant’ and ‘Complaint’ – which, respectively, recognise that any person may lodge a complaint with the Information Regulator and align the term with specific provisions of POPIA;
• ‘Day’ – which has been clarified to mean any calendar day, unless the last day of a prescribed period falls on a Sunday or a public holiday, in which case the time shall be calculated by excluding that Sunday or public holiday. This aligns with the Interpretation Act;
• ‘Relevant bodies’ – which has been introduced for purposes of industry-specific codes of conduct and acknowledges that any specified industry or profession, or class of industries or professions, that has sufficient representation, may apply for the issuing of a code of conduct; and
• ‘Writing’ – which is defined as encompassing any electronic documents or information that are in writing and subsequently accessible, in line with the definition in the Electronic Communications and Transactions Act.
Multi-channel access for data subjects
The amended Regulations allow data subjects to exercise their rights to object to the processing of personal information or to request the correction or deletion of personal information free of charge through various channels, including by hand, fax, post, email, SMS, WhatsApp or in any other manner expedient to the data subject.
In addition, a data subject may exercise their rights telephonically and, in such a case, an organisation is required to electronically record the communication and make the recording, or a transcription thereof, available to the data subject upon request.
Further, when collecting personal information, organisations are required to inform data subjects of their right to object and, in respect of requests for the correction or deletion of personal information, to advise the data subject of the action taken in response to the request within 30 days of receipt of the request.
Consent for direct marketing
An organisation that wishes to send direct marketing communications to a data subject who is not an existing customer must obtain the consent of that data subject in a manner that is expedient, free of charge and reasonably accessible to the data subject, including by email, telephone, SMS, WhatsApp or automated calling machine.
If a request for consent is made telephonically or by automated calling machine, an organisation is required to keep an electronic recording of the consent, and make the recording, or a transcription thereof, available to the data subject upon request. This requirement aligns with the Guidance Note on Direct Marketing released by the Information Regulator late last year.
Whilst under the previous Regulations, organisations were required to obtain a data subject’s consent using Form 4 annexed to the Regulations, the amended Regulations allow for consent to be obtained in a form ‘substantially similar to’ Form 4.
In short, organisations must specify the goods or services to be marketed and obtain the data subject’s consent to receive marketing communications in respect of such goods or services, including the specific method of preferred communication.
Importantly, when obtaining consent from a data subject to receive direct marketing communications, the amended Regulations expressly provide that an ‘opt-out shall not constitute consent’.
Simply providing a data subject with the means to opt out of receiving marketing communications does not mean that, in the absence of the data subject exercising the right to opt out, the data subject has provided their consent to be contacted or to have their personal information processed. Consent in this context requires a positive action.
Information officers
While the amended Regulations have removed the duty placed on information officers to develop and maintain a manual in terms of the Promotion of Access to Information Act (PAIA) (which obligation nevertheless remains in place under PAIA for organisations in South Africa), the duty to develop and implement a POPIA compliance framework has been expanded upon to provide that such compliance framework must be ‘continuously improved’.
This acknowledges the need to revisit and improve upon an organisation’s compliance framework with reference to ongoing operational and legal developments.
Enhanced complaint process
The amended Regulations allow for complaints to be submitted to the Information Regulator by any person with a sufficient personal interest in the subject matter of a complaint, or any person acting in the public interest.
A complaint must be made in writing using the prescribed complaint form and can be submitted to the Information Regulator via email, fax, post, courier or by hand. Assistance will now be made available to complainants in reducing a complaint to writing, and to complainants who make a complaint in a language other than English.
The amended Regulations set out detailed requirements for the content of complaints and allow for complainants to request that their identity not be disclosed (with the Information Regulator considering the reasons for such request before making a decision in this regard).
Administrative fines
Where an organisation is issued with an administrative fine and is unable to pay the fine in a lump sum, the amended Regulations allow for an organisation to make arrangements with the Information Regulator to pay the fine in instalments.
When determining an appropriate payment period, the Information Regulator will consider the financial circumstances of the organisation and any other relevant reasons that may directly or indirectly impact the organisation’s affordability.
The amended Regulations mark a bold move toward greater accountability and stronger protection for the rights of data subjects. It’s time for organisations to dust off their data protection compliance frameworks and ensure that their processes align with the new requirements – because when it comes to privacy, the rules just received a serious upgrade.
Nadine Mather is a partner and Pascale Towers is a senior associate at Bowmans.