POPI and Data Protection

The protection of personal information, and privacy and data protection laws (including the GDPR and the POPI Act or POPIA) are key laws in today’s information society. Information compliance or information rights are central to so many disputes. Read our insights, regulatory updates, judgment summaries, enforcement action (including fines and notes), data breaches or authority guidance.

Lessons to learn from the Information Regulator priorities

Understanding the Information Regulator's priorities is no longer just good practice; it's essential to avoid enforcement action. Having attended the Regulator's recent stakeholder breakfast, we can distil the key lessons and confirmed changes that will shape the compliance landscape in […]

Information Regulator stakeholder engagement in Cape Town

The Information Regulator stakeholder engagement revealed the regulator's thinking on how to comply with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA). More importantly, the regulator confirmed expected amendments to the POPIA [...]

DORA compliance for vendors – a practical playbook

DORA compliance for vendors is now a live requirement, and selling technology to European financial firms is therefore like constructing a new building in a crowded city: you must meet the code, welcome inspections, and prove the structure can take [...]

November 14th, 2025 | Categories: Cybersecurity Law, POPI and Data Protection

GDPR certified: How to obtain GDPR certification

For many, being GDPR certified or obtaining GDPR certification is the holy grail. It provides proof that you comply with the GDPR and other data protection laws. This is especially true for processors that process personal data on behalf [...]

Department of Basic Education enforcement action | Consent

The Information Regulator issued an enforcement notice against the Department of Basic Education (DBE) on the issue of consent under POPIA on 6 November 2024. The DBE has a long-standing practice of publishing matric results in newspapers, but this practice […]

Truecaller enforcement action | Caller ID & spam blocking

The Information Regulator (Regulator) is investigating Truecaller. Data subjects complained about how, among other things, Truecaller processes personal information. There is currently no enforcement notice against Truecaller, but the investigation signals a shift. Data subjects in South Africa are actively […]

September 28th, 2025 | Categories: POPI and Data Protection

Rules for the processing of health information or sex life

The Information Regulator may prescribe more detailed rules for the processing of health information or sex life (section 32(6)) by making Health and Sex Life Regulations (section 112(2)(c)). The rules apply to specific responsible parties who process personal information concerning […]

Justin Brewer v Otter AI | Consent for AI meeting assistants

In Brewer v Otter.ai, in the U.S. District Court for the Northern District of California, Justin Brewer filed a class-action lawsuit against Otter.ai. Brewer alleges that Otter.ai's "Otter Notetaker" and "OtterPilot" tools deceptively record private conversations without proper consent and use [...]

Telco cybersecurity in South Africa – finding a signal in the noise

Let's talk telco cybersecurity in South Africa. Securing a telecommunications network is like trying to tune into a radio station amid heavy static: operators must carefully adjust both their security controls and their compliance processes to cut through the noise. [...]

Digital Law Company v Meta | Extraterritorial application of South African law

In Digital Law Company v Meta, the High Court in South Africa (Gauteng Local Division Johannesburg) sanctioned a joint consent order in which Meta agreed to take a number of steps, including removing accounts, disclosing the subscriber information behind [...]

Case study: Quickloan privacy violation in Uganda

The Quickloan privacy violation marks a significant milestone for data protection enforcement in Uganda, demonstrating that non-compliance carries real consequences. In July 2025, Uganda's Personal Data Protection Office (PDPO) secured its first-ever criminal conviction under the Data Protection and Privacy [...]

Personal Information Impact Assessment (PIIA) under POPIA

A Personal Information Impact Assessment (PIIA) under POPIA is a process that helps organisations understand and mitigate the data protection risks to data subjects associated with processing personal information. Under South Africa’s Protection of Personal Information Act, 4 of [...]

July 27th, 2025 | Categories: POPI and Data Protection