The information regulator has presented its draft annual performance plan (regulator APP) for 1 April 2025 to 31 March 2026. It has presented the plan in different formats to different audiences. For example, the regulator held a stakeholder engagement on 5 March 2025. The regulator still needs to table the draft APP at Parliament before publishing it. If you are planning what action your organisation needs to take for data protection and access to information in South Africa, it is really helpful to know what the regulator plans to do. In this article, we summarise the important plans and explain what they could mean for you.
From the beginning, the regulator aims to be a world-class institution.
Some key plans of the regulator
- The regulator currently has about 100 employees and plans to hire another 40 people over the next financial year. The regulator has an annual budget of R136 million (up from R111 million) for the year starting 1 April 2025. The regulator will have more resources to take action, although they say they still lack sufficient resources.
- The regulator will “very, very soon” publish the Rules for the Processing of Health Information or Sex Life.
- The regulator plans to publish a Gated Communities Code of Conduct.
- The regulator will launch a Security Compromise Reporting Portal through which responsible parties must report incidents. This will hopefully make it easier for organisations to report breaches. Between 1 April 2024 and about 1 March 2025, responsible parties reported 2023 security compromises to the information regulator.
- The regulator is developing a Complaints Management System to handle complaints promptly.
- The regulator will publish a guidance note on cross-border transfers to and from South Africa in terms of POPIA. They will not wait for the finalisation of the African Continental Free Trade Agreement. They have been consulting with other authorities, including the ICO and the EU. This will help organisations transfer data and use cloud computing.
- Direct marketing calls are a problem, and they plan to take action to enforce the law and the guidance note on direct marketing.
- The regulator encourages information officers to be registered on the portal. The regulator estimates that about 3 million information officers are not registered, which means they are acting unlawfully and their organisations are not compliant.
- The regulator will seek to have Parliament amend PAIA to give it teeth (the power to issue fines). Currently, the only stick is to name and shame organisations.
- The regulator will seek to have Parliament amend POPIA to enable it to fine organisations without first having to issue an enforcement notice.
- The regulator acknowledges that it has a role to play in regulating AI Governance, especially when personal information is processed in an AI system.
- The POPIA executive plans to be more active in assisting with breach responses, investigating more complaints, and conducting more POPIA compliance assessments.
- The PAIA executive aims to facilitate and resolve complaints through settlements or conciliation.
- The PAIA executive aims to conduct at least 80 PAIA compliance assessments before 31 March 2026. The regulator will focus on the sectors or industries in which they receive the most complaints. They will inform us when they have identified who they plan to assess.
- The regulator will, going forward, publish annual compliance assessment reports in which they will report on how many assessments they have conducted and what the results were. So, if you are assessed, be aware that the results will be made public, which means you might suffer reputational damage.
Actions you can take regarding this regulator annual performance plan (APP)
- Comply with POPIA by asking for our assistance.
- Comply with PAIA by asking us to answer your questions on Access to Information Law.
- Be alerted to future developments by subscribing to the Michalsons newsletter or following us on LinkedIn.
- Consider the existing guidance notes that the regulator has published by reading our articles.
- Catch up on the regulator’s plans by watching the livestream recording. Please note that this recording is more than four hours long.