PAIA & POPIA Compliance in 2025: What Every South African Organisation Must Know

PAIA and POPIA Compliance: The Penalty for Getting It Wrong Is Up to R10 Million

Non-compliance with the Protection of Personal Information Act (POPIA) exposes your organisation to administrative fines of up to R10 million and criminal prosecution carrying prison sentences of up to 10 years. Yet thousands of South African businesses and public bodies are still operating without a designated Information Officer, without a published PAIA manual, and without a POPIA privacy notice in sight. The Information Regulator has made clear it is actively enforcing both Acts — and ignorance of your obligations is not a defence.

The Eastern Cape Department of Education's recently updated PAIA and POPIA compliance page, with its Section 14 Manual signed by the Head of Department on 25 June 2026, serves as a practical benchmark for what full statutory compliance looks like. Whether you run a private company, a school, or a government entity, the same framework applies to you.

What PAIA and POPIA Actually Require — Explained Plainly

South African organisations are bound by two overlapping access-to-information and privacy laws that together form the country's core data governance framework.

PAIA — Promotion of Access to Information Act, 2000 (Act No. 2 of 2000) gives effect to section 32 of the Constitution, which guarantees every person the right to access information held by the State, or held by a private party where that information is needed to exercise or protect a right. The Act sets out exactly how requests must be made, the limited grounds on which access can be refused, the prescribed forms, the applicable fees, and the avenues for internal appeal and external review by the Information Regulator and the courts.

POPIA — Protection of Personal Information Act, 2013 (Act No. 4 of 2013) has been fully in force since 1 July 2021. It regulates the manner in which personal information must be processed by both public and private bodies across South Africa. The Act establishes eight conditions for lawful processing, namely accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

These are not aspirational guidelines. They are legal obligations with enforcement teeth.

Who Is Affected by PAIA and POPIA Compliance Requirements

Both Acts apply broadly. PAIA covers all public bodies — national, provincial, and local government departments, state-owned entities, and municipalities — as well as private bodies of a certain size. POPIA applies to any person or organisation that processes personal information in South Africa, which in practice means virtually every employer, school, medical practice, retailer, financial services provider, and technology company operating in the country.

If your organisation collects names, ID numbers, contact details, financial records, health information, or any other data relating to identifiable individuals, POPIA applies to you. There is no meaningful size threshold that exempts small businesses from the Act's core obligations.

Under PAIA, private companies with assets above a prescribed threshold must publish a Section 51 manual. Public bodies must publish a Section 14 manual. Both must designate an Information Officer and register that officer with the Information Regulator.

The Specific Documents Every Compliant Organisation Must Have

The ECDoE's compliance structure provides a clear checklist that mirrors what the Information Regulator expects from any compliant body. You need the following in place:

  • A PAIA Manual (Section 14 for public bodies, Section 51 for private bodies) — This document must describe your organisation's structure, functions, contact details, the categories of records you hold, the procedure for requesting access, the prescribed fee schedule, and available remedies. It must be signed by your designated Information Officer and kept current.
  • A Section 15 Notice (public bodies) or equivalent voluntary disclosure (private bodies) — This lists all categories of records that are automatically available without a formal PAIA request. Publishing this proactively reduces the burden on your Information Officer and demonstrates good-faith compliance.
  • A POPIA Privacy Notice — This tells data subjects who you are, why you collect their personal information, how you use it, how long you retain it, and what their rights are. It must be made available at or before the point of collection.
  • A designated and registered Information Officer — Every organisation must have a named Information Officer registered with the Information Regulator. Deputy Information Officers may also be appointed. This is not optional.
  • PAIA Annual Reports — Public bodies must submit an annual report to the Information Regulator within three months after the end of each financial year, covering all requests received, granted, refused, and still outstanding.

PAIA Timelines and Fees: The Numbers You Cannot Ignore

If your organisation receives a PAIA request, the statutory clock starts ticking immediately. Your Information Officer must respond within 30 days of receiving the request. That period can be extended once by a further 30 days, but only where the request is voluminous or requires consultation that cannot reasonably be completed in the original period. Any extension must be communicated to the requester before the original 30-day period expires.

If the requester is unhappy with your decision, they have 60 days to lodge an internal appeal using the prescribed Form 4. After exhausting internal remedies, they can escalate to the Information Regulator or approach a court.

Prescribed fees apply to both the act of lodging a request and accessing the records themselves. The current fee schedule must appear in your published PAIA manual. Failing to follow the fee and timeline rules correctly can render your refusal of access invalid — and expose you to a compliance notice from the Regulator.

What Happens When You Don't Comply: Penalties in Rands

The Information Regulator has enforcement powers under both Acts. Under POPIA, the Regulator can issue enforcement notices, conduct investigations, and impose administrative fines. The maximum administrative fine under POPIA is R10 million. Beyond fines, POPIA provides for criminal sanctions: responsible parties who knowingly or recklessly process personal information in breach of the Act face prosecution, with convictions carrying fines or imprisonment of up to 10 years, depending on the offence.

Under PAIA, failure to comply with the Act's requirements can result in the Regulator issuing a compliance notice. Failure to comply with a compliance notice is itself a criminal offence. Courts can also order the disclosure of records and award costs against a non-compliant body.

Beyond the direct legal penalties, a data breach resulting from inadequate POPIA safeguards triggers a mandatory notification obligation. You must notify the Information Regulator and affected data subjects as soon as reasonably possible after becoming aware of the breach. Failing to notify compounds your liability significantly.

POPIA's Eight Conditions: A Framework You Must Embed

POPIA does not simply prohibit bad behaviour — it requires active, documented compliance with eight conditions for lawful processing. Every system that touches personal data in your organisation must be assessed against these conditions. Accountability requires that you take responsibility for ensuring compliance. Processing limitation means you may only collect personal information that is adequate, relevant, and not excessive for your stated purpose. Purpose specification requires that you define a specific, explicit, and lawful reason before you collect. Further processing limitation means that using data for a purpose incompatible with the original collection is prohibited without fresh consent or another lawful basis.

Information quality obliges you to keep personal data accurate, complete, and up to date. Openness requires that you make your processing activities transparent — which is why the privacy notice is non-negotiable. Security safeguards mean you must implement appropriate technical and organisational measures to protect personal information. Finally, data subject participation gives individuals the right to access, correct, and in certain circumstances delete their personal information that you hold.

Each of these conditions requires documented policies, staff training, and operational procedures — not just a privacy notice on a website.

What to Do Right Now: Five Concrete Steps

Do not wait for an enforcement notice or a data breach to force your hand. Take these five steps immediately.

Step 1: Designate and register your Information Officer. If you have not already registered your Information Officer with the Information Regulator at inforegulator.org.za, do it today. This is a prerequisite for everything else.

Step 2: Draft or update your PAIA manual. Your manual must reflect your current organisational structure, the records you hold, and the correct fee schedule. If yours is more than 12 months old and your organisation has changed, it needs updating. Sign it, date it, and publish it.

Step 3: Publish a POPIA privacy notice. Every touchpoint where you collect personal information — your website, employment application forms, customer onboarding processes — must have a compliant privacy notice. The notice must be written in plain language and must cover all eight conditions.

Step 4: Map your data flows. You cannot protect what you do not know you hold. Conduct a basic personal information audit: what data do you collect, where is it stored, who has access, how long do you keep it, and how do you dispose of it?

Step 5: Train your staff. Most data breaches are caused by human error. Staff who handle personal information must understand what POPIA requires of them. Training records should be kept as evidence of your accountability.

Check Your Compliance Status Before the Regulator Does It for You

The Information Regulator has made compliance enforcement a stated priority. Public bodies and private companies that have delayed acting on PAIA and POPIA obligations are running out of time. The ECDoE's published framework — Information Officer designated, Section 14 manual signed and published in three languages, POPIA privacy notice live, annual reports submitted — represents the standard every organisation should be working towards.

Not sure where your business stands? Run a free compliance check at ClearComply to see exactly which PAIA and POPIA obligations apply to your organisation and what gaps you need to close. It takes less than five minutes and gives you a clear picture of your exposure before the Regulator does.
