Two pieces of legislation – the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA) – have ramped up risks for organisations. The Regulator is moving from warnings to financial penalties.

Organisations in South Africa are discovering the very real risks of mishandling data.

Take, for example, the R5 million fine imposed on the Department of Justice and Constitutional Development in 2023, following a security compromise of its electronic systems that resulted in the loss of more than 1,200 files containing personal information. The attack itself took place in 2021.

Things got worse from there. In April 2023, the Department was subjected to another attack in which cyber criminals made off with R18 million. It was reported to the Regulator a few days later.

Quite apart from the institutional embarrassment and the R5 million fine, the Department was ordered by the Information Regulator to renew its antivirus software licences, launch disciplinary proceedings against those responsible for the breach, provide POPIA training to staff and implement measures to identify internal and external risks to personal information. 

The laxity that resulted in the data compromise at the Department of Justice and Constitutional Development is by no means an outlier, though the fine imposed was severe.

Between April 2024 and March 2025, the South African Information Regulator received 2,374 security compromise notifications, averaging around 284 a month.

The Regulator anticipates about 2,500 breaches for the 2025/26 financial year. Despite the increase in reported incidents, most go unreported. There is a growing body of research showing South African companies face thousands of cyber attacks each week. Check Point Research, which tracks cyber-attack attempts, reported in January 2026 that South African organisations face an average of 2,145 attacks each week, though this, too, is likely an undercount.

These numbers are climbing, partly due to new mandatory e-portal requirements managed by the Regulator, making reporting more structured and visible.

Here are a few more instances of data breaches:

  • Lancet Laboratories was fined R100,000 after ignoring official warnings by the Regulator and for failing to inform affected parties promptly of multiple security breaches.
  • FT Rams Consulting was likewise fined R100,000 for sending out unsolicited marketing messages, having ignored previous warnings to halt this practice.
  • Blouberg Municipality in the Western Cape was fined R500,000 for unlawfully posting personal information of a former staff member on its website. The fine was later reduced by the court to R250,000.

POPIA requires organisations to detect and respond to data breaches promptly and to notify the Regulator via the e-portal. Many larger organisations often implement their own customer portals or self-service tools for convenience and efficiency – though this is a best practice, not a POPIA requirement.

“The Information Regulator is showing a greater interest in enforcing compliance with POPIA and related data protection obligations. Recent fines and enforcement actions serve as a clear wake-up call for organisations across all sectors. Companies can no longer treat data protection as a secondary compliance issue – proactive measures are now essential to mitigate regulatory, financial, and reputational risks.” — Phillip Kruger, Director – Legal, RSM South Africa

At the heart of POPIA are eight conditions for the lawful processing of data:

  • Accountability: The responsible party must ensure compliance with all conditions.
  • Processing limitation: Data must be processed lawfully, minimally, and only with adequate justification.
  • Purpose specification: Collection must be for a specific, explicit purpose.
  • Further processing limitation: Subsequent use must align with the original purpose.
  • Information quality: Data must be accurate, complete, and up-to-date.
  • Openness: Data subjects must be informed about collection and processing.
  • Data subject participation: Rights to access, correction, and deletion.
  • Security safeguards: Appropriate technical and organisational measures against loss, damage, or unauthorised access.

There are numerous ways organisations can fall foul of the above.

For example, under “Processing limitation”, a retail company signing up customers for a loyalty programme may not ask for unnecessary information such as passport details, income level or medical history. This is completely beyond the data scope of a loyalty programme.

Under “Purpose specification”, a bank collecting customer data for a loan or savings account may not use the same data to sell third-party investment products without obtaining the customer’s permission anew.

Under “Information quality”, incorrect or out-of-date information can have serious consequences such as denied services, flawed customer profiling or refused loan applications. These failures may be harder to detect, but customers who feel snubbed by companies are prone to air their grievances online – with the risk of reputational harm, not to mention the potential of being reported to the Regulator.

Under “Security safeguards”, organisations are expected to secure the integrity and confidentiality of personal information to prevent loss or destruction of data and to prevent unauthorised access. There are numerous examples in South Africa of organisations failing to renew their security software licences, or choosing weak software not fit for purpose.

Difference between POPIA and EU legislation

The POPIA conditions are broadly in line with legislation in other jurisdictions, such as Europe’s General Data Protection Regulation (GDPR). POPIA requires the appointment of an Information Officer, whereas under GDPR the equivalent Data Protection Officer is mandatory only in specific cases – many organisations do not need one. Another crucial difference is that GDPR applies only to natural persons, whereas POPIA also applies to juristic persons, including companies, trusts and partnerships. While POPIA provides for criminal sanctions, GDPR relies primarily on administrative penalties. POPIA is also more restrictive when it comes to direct marketing opt-in. In terms of financial penalties, however, GDPR is more severe: €20 million or 4% of global annual turnover – potentially far higher for large multinationals.

Risks of non-compliance

Non-compliance with POPIA carries potentially severe risks, ranging from official warnings to administrative fines of up to R10 million, with the possibility of a criminal sanction of up to 10 years’ imprisonment for offences such as obstructing the Regulator, failing to report breaches and mishandling special personal information.

Judging from recent events, the Regulator has moved from official warnings to financial penalties.

Organisational risks include inefficient or improper data management, retaining data longer than required, and inadequate vendor contracts that expose the company to liability for its processors.

For multinational operations, the extraterritorial reach of the Act means foreign companies processing South African data must comply, adding layers of complexity to global compliance programmes.

What about the Promotion of Access to Information Act (PAIA)?

PAIA is another crucial piece of legislation that requires far more attention than it receives.

It imposes several obligations on organisations, both public and private, regardless of size. These include (but are not limited to):

  • Maintain a PAIA manual: This must detail the structure and functions of the organisation, the categories of records it holds and how members of the public can request access to records (including the contact details of the Information Officer).
  • An Information Officer must be appointed: Unless delegated, this would be the CEO, MD or equivalent.
  • Handle access requests: Members of the public are entitled to request organisational records for the exercise or protection of their rights. These must be made using the prescribed form, and the organisation is required by law to respond within 30 days of the request. Access can be refused on certain specific grounds such as protection of personal privacy or commercial information.
  • Annual reporting: Private bodies must submit an annual PAIA report to the Information Regulator detailing information such as the number and nature of requests and how they were processed. This is mandatory.

Failure to maintain a PAIA manual, submit annual reports, or handle requests properly can lead to regulatory action, reputational harm and, in some cases, court applications by requesters.

“Non-compliance with PAIA carries real and escalating risks for organisations. Failure to maintain an up-to-date PAIA Manual, properly register an Information Officer, or respond to access requests within the required 30 days can result in enforcement notices from the Information Regulator, costly court applications by requesters, and reputational damage. In serious or repeated cases, organisations also face the possibility of administrative fines and regulatory scrutiny that often spills over into broader POPIA investigations. 

“At RSM South Africa, we help clients mitigate these risks by drafting comprehensive, tailored PAIA Manuals, implementing efficient request-handling procedures, ensuring timely annual reporting through the Regulator’s portal, and integrating PAIA obligations with their overall POPIA compliance framework. Our proactive approach transforms what is often seen as an administrative burden into a well-managed, defensible process.” — Alessia Maxwell, Legal Adviser, RSM South Africa

Conclusion

In an environment where South African organisations face thousands of cyber attacks weekly and the Information Regulator received thousands of breach notifications in 2025, the risks of non-compliance are significant, and the penalties potentially severe. 

These include administrative fines of up to R10 million, criminal penalties with imprisonment, civil claims, and serious reputational damage. Recent enforcement actions against both public bodies and private companies, such as Lancet Laboratories and FT Rams Consulting, demonstrate that the Regulator is moving beyond education toward active accountability.

Organisations that treat POPIA and PAIA as strategic priorities rather than administrative burdens will be better positioned to protect stakeholders, reduce risk, and build long-term trust. 

How RSM South Africa can assist you

RSM South Africa stands ready to support your organisation with practical, tailored solutions – from drafting PAIA manuals and conducting gap analyses to implementing comprehensive POPIA programmes and breach response readiness. Proactive compliance is no longer optional; it is essential for sustainable business success in South Africa’s evolving regulatory landscape. Contact RSM South Africa today to safeguard your data, your reputation, and your future.


Alessia Maxwell

Legal Adviser - Legal Department