POPIA Compliance in 2026: What's Changed and What to Do
26 November 2025 · 0x1m3 · 5 min read
The Regulator Has Teeth — and Is Using Them
The Protection of Personal Information Act (POPIA) has been fully enforceable since July 2021. For the first two years, the Information Regulator focused on education and awareness. That phase is over.
By late 2025, the Regulator had issued enforcement notices, conducted on-site assessments, and made it clear that compliance is not optional. Fines of up to R10 million or imprisonment of up to 10 years are not theoretical — they are provisions the Regulator can and will invoke.
If your organisation has not moved beyond a paper-based compliance exercise, 2026 is the year that catches up with you.
Where Enforcement Stands
The Information Regulator has shifted from guidance to action. Key developments include:
- Enforcement notices issued to organisations that failed to respond to data breach reports
- On-site assessments of both private and public sector entities
- Public naming of non-compliant organisations as a deterrent
- Increased complaint volumes from data subjects who now understand their rights
The Regulator is also building capacity. More investigators, more resources, and a growing backlog of complaints that will work through the system. Inaction is no longer a low-risk strategy.
Five Requirements Businesses Still Get Wrong
After working with organisations across sectors, these are the areas where compliance gaps persist most frequently.
1. Data Breach Notification
POPIA requires notification to both the Information Regulator and affected data subjects "as soon as reasonably possible." In practice, the benchmark is 72 hours. Most organisations do not have the detection infrastructure to identify a breach within that window, let alone report it.
2. Information Officer Appointment
Every responsible party must register an Information Officer with the Regulator. Many organisations appointed someone on paper but never gave them the tools, authority, or budget to fulfil the role.
3. Data Minimisation
You may only collect personal information that is adequate, relevant, and not excessive. Organisations that hoarded data for years now carry significant liability. Every unnecessary data field is an unnecessary risk.
4. Consent Management
Consent must be voluntary, specific, and informed. Pre-ticked boxes, buried terms, and blanket consent statements do not meet the standard. Organisations need auditable records of when and how consent was obtained.
5. Storage Limitation
Personal information must be destroyed or de-identified once the purpose for processing is complete — unless a legal obligation requires retention. Many organisations retain data indefinitely by default. That is a violation.
How OAS Solutions Support Continuous Compliance
POPIA compliance is not a one-time project. It requires infrastructure that protects data, detects breaches, and provides audit evidence continuously.
Recover: Cove Data Protection
Cove Data Protection secures your data with encrypted, immutable cloud backups stored in South African data centres. If a breach, ransomware event, or accidental deletion occurs, Cove ensures you can recover without data loss. This directly supports POPIA's requirement for security safeguards under Section 19.
Protect: SentinelOne Endpoint Protection
SentinelOne provides behavioural AI-driven endpoint detection and response (EDR). It identifies threats in real time — including zero-day attacks and ransomware — giving your organisation the detection capability required for 72-hour breach notification. You cannot report what you cannot detect.
Audit: Splunk Log Management
Splunk centralises log data across your entire environment. It provides compliance dashboards purpose-built for POPIA, enabling your Information Officer to demonstrate processing activities, access controls, and incident timelines to the Regulator on demand.
Secure Data Handling: ShareFile
ShareFile provides secure file sharing with on-premises storage zones. Personal information stays within your controlled environment — not in a third-party cloud you cannot audit. Every file access is logged, every share is tracked, and every download is recorded.
POPIA Compliance Checklist for 2026
Use this checklist to identify gaps in your current compliance posture.
| Requirement | Status | Action Needed |
|---|---|---|
| Information Officer registered with Regulator | ☐ | Confirm registration and active mandate |
| Data breach detection capability (72-hour window) | ☐ | Deploy EDR with real-time alerting |
| Breach notification procedure documented | ☐ | Create and test incident response plan |
| Data inventory and processing register | ☐ | Audit all personal information holdings |
| Consent records auditable and current | ☐ | Review consent mechanisms across channels |
| Data minimisation review completed | ☐ | Remove unnecessary data fields and holdings |
| Retention schedules defined and enforced | ☐ | Implement automated retention policies |
| Security safeguards (Section 19) in place | ☐ | Deploy endpoint protection and backup |
| Third-party processing agreements signed | ☐ | Review all operator contracts |
| Audit logging active across systems | ☐ | Centralise logs with SIEM capability |
The Cost of Non-Compliance
Beyond the R10 million maximum fine, non-compliance carries reputational damage that no marketing budget can repair. Clients, partners, and regulators are watching. In sectors like financial services and healthcare, a POPIA failure can trigger secondary regulatory action from the FSCA or Health Professions Council.
The organisations that treat compliance as a continuous operational requirement — not a once-off checklist — are the ones that avoid enforcement action entirely.
Next Steps
POPIA compliance is not a one-time project. OAS builds the infrastructure that keeps you compliant — continuously.
OAS has supported South African organisations with enterprise-grade IT infrastructure for over 40 years. Our Protect, Detect, Recover methodology maps directly to POPIA's security requirements — because compliance and security are not separate problems.