POPIA Enforcement Just Got Serious: What SA Businesses Must Do in 2026

The Regulator Is Watching — and the Stakes Just Got Higher

On 5 May 2026, the Information Regulator presented its Annual Performance Plan to Parliament's Portfolio Committee on Justice, and the message was unmistakable: POPIA enforcement is entering a new, more aggressive phase. For South African business owners who have treated compliance as a box-ticking exercise — or worse, ignored it altogether — the ground is shifting beneath their feet.

The Protection of Personal Information Act has been in full effect since July 2021, but many small and medium businesses have operated under the assumption that the Regulator lacks the capacity or appetite to pursue them. That assumption is now dangerous. The Regulator is expanding its compliance toolkit with own-initiative inspections, follow-up monitoring, and proposed legislative amendments that will strengthen its enforcement powers across both POPIA and PAIA.

What's Changing in 2026

According to legal analysts at Werksmans Attorneys, the Regulator's 2025/26 programme has "immediate implications for governance, breach reporting, direct marketing, access-to-information workflows, and cross-border transfers." Here is what business owners need to understand:

Own-Initiative Inspections Are Coming

The Regulator no longer intends to wait for complaints before investigating. It will proactively audit organisations — including private businesses — for POPIA compliance. If your business processes customer data, employee records, or supplier information, you could be inspected without warning.

Stronger Enforcement of Breach Reporting

POPIA requires businesses to report data breaches to the Regulator and affected individuals. In 2026, the Regulator is signalling that non-reporting will attract serious consequences. If your business suffers a breach and you fail to notify the Regulator, you are compounding your legal exposure.

PAIA Compliance Is Now a Priority

The Promotion of Access to Information Act (PAIA) has long been the neglected sibling of POPIA, but that is changing. The Regulator is pushing for legislative amendments to modernise PAIA for the digital environment and strengthen enforcement. Only 33% of public bodies submitted their PAIA annual reports for 2023/24, and private-sector compliance is even lower. If your business has not published a PAIA manual — or updated it for the digital age — this should be on your radar.

What This Means for Small and Medium Businesses

There is a persistent myth that POPIA only applies to large corporates. It does not. POPIA applies to every organisation in South Africa that processes personal information, regardless of size. A sole proprietor with a customer database on a spreadsheet has the same legal obligations as a listed company.

The eight conditions for lawful processing — accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation — are not optional guidelines. They are legal requirements, and the Regulator is now equipped to enforce them.

Four Practical Steps to Protect Your Business

1. Appoint and Register Your Information Officer

Every business must have a registered Information Officer. For most SMBs, this is the owner or managing director. If you have not registered yours with the Regulator, do it this week. It is a straightforward online process, and it is the most visible signal of your intent to comply.

2. Conduct a Data Audit — Honestly

Map every place personal information lives in your business: customer databases, email lists, employee files, accounting software, website analytics, CCTV footage, and third-party platforms. Identify what you collect, why you collect it, how long you keep it, and who has access. Delete anything you do not need.
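One way to keep the audit honest is to record it as a structured inventory and check it mechanically, rather than relying on a one-off spreadsheet review. The following is an added example, not code from the article or from CT Bedfordview; the inventory fields, the sample rows and the thresholds are assumptions made for illustration. It flags stores with no documented purpose, stores whose data has outlived its retention period (candidates for the "delete anything you do not need" step), and stores with broader access than the business can justify.

```python
"""Data-inventory checker for a POPIA data audit (illustrative example).

Assumes a small inventory where each entry records where personal
information lives, what it is, why it is kept, how long it should be
kept, when it last served that purpose and who can reach it.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DataStore:
    system: str                 # where the personal information lives
    category: str               # what is collected
    purpose: str                # why it is collected ("" = no documented purpose)
    retention_days: int         # how long the business has decided to keep it
    last_needed: date           # last date the data actually served its purpose
    accessors: list = field(default_factory=list)  # people/roles with access


def audit_inventory(stores, today, max_accessors=5):
    """Return (system, finding) pairs for stores that need attention.

    max_accessors is an assumed threshold for "too many people can see this";
    tune it to the size of the business.
    """
    findings = []
    for s in stores:
        if not s.purpose.strip():
            findings.append((s.system, "no documented purpose"))
        if today - s.last_needed > timedelta(days=s.retention_days):
            findings.append((s.system, "past retention; delete or justify"))
        if len(s.accessors) > max_accessors:
            findings.append((s.system, "broad access; review who needs it"))
    return findings


def summarise(findings):
    """Group findings per system so each owner gets one actionable list."""
    by_system = {}
    for system, finding in findings:
        by_system.setdefault(system, []).append(finding)
    return by_system


# Constructed sample inventory for a small business (not real data).
SAMPLE_INVENTORY = [
    DataStore("crm", "customer contact and billing details",
              "invoicing and support", 1825, date(2026, 4, 30),
              ["sales", "accounts"]),
    DataStore("marketing-spreadsheet", "prospect email list",
              "", 365, date(2024, 1, 15),
              ["owner", "marketing", "reception"]),
    DataStore("cctv-nvr", "premises video footage",
              "premises security", 30, date(2026, 2, 1),
              ["security"]),
    DataStore("hr-share", "employee files",
              "employment records", 1825, date(2026, 5, 1),
              ["owner", "hr", "accounts", "it", "reception", "sales"]),
]


def run_sample(today=date(2026, 5, 5)):
    """Audit the constructed inventory as at the date of the Regulator's briefing."""
    return audit_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for system, items in summarise(run_sample()).items():
        print(f"{system}:")
        for item in items:
            print(f"  - {item}")
```

Run it as a script to get a per-system action list; in practice the inventory would be loaded from a file the Information Officer maintains, and the audit re-run on a schedule so that retention is enforced rather than merely documented.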

3. Lock Down Your IT Security

POPIA's security safeguards condition requires you to take "appropriate, reasonable technical and organisational measures" to protect personal information. At minimum, this means: up-to-date antivirus and endpoint protection, firewalls, encrypted backups, multi-factor authentication on all business accounts, regular software patching, and access controls that limit data to employees who genuinely need it. A breach caused by neglected security is not just a technical failure — it is a compliance failure.

4. Prepare Your Breach Response Plan

Do not wait for a breach to figure out what to do. Have a documented plan that covers: who to notify internally, how to assess the scope, when and how to report to the Regulator (within 72 hours in serious cases), and how to communicate with affected individuals. Practice it. A rehearsed response is the difference between controlled recovery and reputational chaos.

How CT Bedfordview Can Help

POPIA compliance sits at the intersection of legal obligation and IT reality. You can have the best privacy policy in the world, but if your network is unsecured, your backups are untested, and your staff share passwords, you are not compliant. That is where we come in.

We help Bedfordview and Johannesburg businesses with managed IT security, secure backups, endpoint protection, access control, and the technical foundations that make POPIA compliance achievable — not just on paper, but in practice.

The Regulator is not waiting. Neither should you.

Need help securing your business for POPIA compliance? Contact CT Bedfordview for a free consultation.
