For most of POPIA's life, enforcement has worked one way: somebody complains, the Information Regulator investigates, and a notice may follow months later. That gave firms a quiet incentive to do the minimum and hope no one noticed. In March 2026, at a stakeholder engagement on its priorities for the 2026/27 financial year, the Regulator signalled that the quiet period is ending. It intends to monitor compliance proactively across both public and private sectors, rather than waiting for a complaint to arrive.

From reactive to proactive

The shift is small in wording and large in consequence. A reactive regulator only ever learns about the firms unlucky or careless enough to get reported. A proactive one picks its own targets. The Regulator has indicated it will run sector-specific work, with insurance, banking, telecommunications, retail, higher education and government among the areas it has flagged. That means a business can now come under scrutiny without a single data subject ever lodging a complaint against it.

A reactive regulator sees the firms that get reported. A proactive one decides where to look.

It is worth being precise about the powers involved, because the headline number gets misquoted. The Regulator can conduct assessments and investigations, issue an enforcement notice requiring compliance within a set period, and, if that notice is ignored, issue an infringement notice carrying an administrative fine of up to R10 million. It can also refer matters for criminal prosecution. The fine is the end of a process, not the opening move, which is exactly why the early steps matter so much.

The numbers in context

South Africa's penalties remain modest next to European regulators, and it would be dishonest to pretend otherwise. The Regulator's first administrative fine, R5 million against the Department of Justice and Constitutional Development in July 2023, was issued for failing to comply with an enforcement notice rather than for the underlying breach itself. The lesson there is the one that travels: the expensive failure was not the incident, it was the inability to respond to the Regulator's instruction afterwards.

  • The ceiling is R10 million per infringement notice.
  • The trigger is usually a failure to comply with an enforcement notice, not the breach in isolation.
  • The direction of travel is more activity, earlier, and chosen by the Regulator rather than prompted by a complaint.

Why a policy review will not save you

The instinct when a regulator gets louder is to refresh the paperwork: a new privacy notice, an updated policy, a fresh consent banner. None of that is wrong, and none of it is the thing being tested. A proactive assessment asks whether your systems can actually do what your policy promises. Can you produce a record of who accessed a given person's data? Can you honour a deletion request without an engineer spending a week chasing copies through logs and backups? Can you show, rather than assert, that access to personal information is scoped to a lawful purpose? Those are properties of the architecture, not the policy.

What we would do before the Regulator calls

The work that holds up under a proactive assessment is unglamorous and structural. Know where personal data physically lives, down to the table. Scope access to it by role and by purpose, enforced at the data layer rather than trusted to application code. Keep an append-only record of how personal information is accessed, so accountability is a query you can run rather than a story you have to tell. Build a real deletion path, and test it. A firm that can do these four things has very little to fear from a regulator that has decided to come and look.
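The four properties above, and the questions an assessor asks in the previous section, can be shown rather than asserted. The following is a constructed sketch added here; it is not code from the original article or from The Fourths. It uses an in-memory SQLite database as a stand-in for a real data store (where row-level security and grants would do this work), and the table, view, role and purpose names, and the customer records, are all hypothetical. Purpose-scoped views minimise what each lawful purpose can see, triggers make the access log append-only inside the database rather than in application code, every read (including refused ones) lands in that log, and the deletion path removes the person while the record of who touched their data survives.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for the demo; names are illustrative, not a real system's.
SCHEMA = """
CREATE TABLE customers (
    id                INTEGER PRIMARY KEY,
    full_name         TEXT NOT NULL,
    email             TEXT NOT NULL,
    id_number         TEXT NOT NULL,        -- direct identifier, most sensitive column
    marketing_consent INTEGER NOT NULL DEFAULT 0
);

-- One row per access, keyed by the data subject it concerns.
CREATE TABLE access_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    logged_at  TEXT NOT NULL,
    actor      TEXT NOT NULL,
    role       TEXT NOT NULL,
    purpose    TEXT NOT NULL,
    action     TEXT NOT NULL,               -- read | denied | erase
    subject_id INTEGER NOT NULL
);

-- Append-only is enforced by the database: UPDATE or DELETE on the log aborts,
-- whatever the calling code intended.
CREATE TRIGGER access_log_no_update BEFORE UPDATE ON access_log
BEGIN SELECT RAISE(ABORT, 'access_log is append-only'); END;
CREATE TRIGGER access_log_no_delete BEFORE DELETE ON access_log
BEGIN SELECT RAISE(ABORT, 'access_log is append-only'); END;

-- One view per lawful purpose, exposing only the columns and rows it needs.
CREATE VIEW v_marketing AS SELECT id, email FROM customers WHERE marketing_consent = 1;
CREATE VIEW v_support   AS SELECT id, full_name, email FROM customers;
CREATE VIEW v_kyc       AS SELECT id, full_name, id_number FROM customers;
"""

# Hypothetical role-to-purpose mapping. A production deployment would keep this
# in the database's own grants; it is a dict here only to keep the demo self-contained.
ROLE_PURPOSES = {
    "marketing_analyst":  {"marketing"},
    "support_agent":      {"support"},
    "compliance_officer": {"kyc", "erasure"},
}
PURPOSE_VIEW = {"marketing": "v_marketing", "support": "v_support", "kyc": "v_kyc"}


class PersonalDataStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.row_factory = sqlite3.Row
        self.db.executescript(SCHEMA)

    def add_customer(self, full_name, email, id_number, marketing_consent=0):
        cur = self.db.execute(
            "INSERT INTO customers(full_name, email, id_number, marketing_consent) VALUES (?, ?, ?, ?)",
            (full_name, email, id_number, marketing_consent))
        self.db.commit()
        return cur.lastrowid

    def _log(self, actor, role, purpose, action, subject_id):
        self.db.execute(
            "INSERT INTO access_log(logged_at, actor, role, purpose, action, subject_id) VALUES (?, ?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), actor, role, purpose, action, subject_id))

    def read(self, actor, role, purpose, subject_id):
        """Read one data subject's record through the view for `purpose`.
        Refused attempts are logged too, then rejected. Returns None when the
        purpose's view has no such row (e.g. no marketing consent)."""
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self._log(actor, role, purpose, "denied", subject_id)
            self.db.commit()
            raise PermissionError(f"role {role!r} may not read for purpose {purpose!r}")
        view = PURPOSE_VIEW[purpose]   # fixed identifier from our own table, never user input
        self._log(actor, role, purpose, "read", subject_id)  # logged before the read
        row = self.db.execute(f"SELECT * FROM {view} WHERE id = ?", (subject_id,)).fetchone()
        self.db.commit()
        return dict(row) if row else None

    def erase(self, actor, role, subject_id):
        """The deletion path: remove the record and log that it happened. The
        log row outlives the data, so accountability survives the erasure."""
        if "erasure" not in ROLE_PURPOSES.get(role, set()):
            raise PermissionError(f"role {role!r} may not erase records")
        cur = self.db.execute("DELETE FROM customers WHERE id = ?", (subject_id,))
        self._log(actor, role, "erasure", "erase", subject_id)
        self.db.commit()
        return cur.rowcount

    def accesses_for(self, subject_id):
        """'Who accessed this person's data?' as a query, not a story."""
        rows = self.db.execute(
            "SELECT seq, logged_at, actor, role, purpose, action FROM access_log "
            "WHERE subject_id = ? ORDER BY seq", (subject_id,))
        return [dict(r) for r in rows]

    def log_is_tamper_proof(self):
        """Try to rewrite history with full SQL access; True if the database refused.
        Only meaningful once the log has rows, because triggers fire per row."""
        try:
            self.db.execute("DELETE FROM access_log")
            self.db.rollback()
            return False
        except sqlite3.DatabaseError:
            self.db.rollback()
            return True
```

The point of the shape is that the controls an assessor would probe are properties of the schema: a support agent cannot see an identity number because no view they can reach contains it, a marketing query on a non-consenting customer returns nothing, and a connection with full SQL access still cannot delete a log row. The deletion routine is something to run in a test suite against a copy of production data, not a procedure to hand to an engineer on the day a request arrives.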

The takeaway

The Information Regulator's 2026/27 plan moves enforcement from complaint-driven to proactive and sector-led. The fines are still modest by global standards, but the exposure now arrives uninvited. Refreshing your privacy policy will not change the outcome of an assessment that tests what your systems can actually do. Knowing where personal data lives, scoping access to it, logging that access, and being able to delete on request are engineering decisions, and they are the ones a proactive regulator will probe.

The Fourths · Engineering for regulated industries