If you’re still treating data protection like a dusty file in a cabinet, it’s time to wake up. South Africa’s Protection of Personal Information Act (POPIA) has just undergone its most significant transformation and it’s not just legalese and red tape. The 2025 amendments, published under Government Notice No. 6126, are bold, forward-thinking, and already in force.
So, what changed and why should you care?
The first big shift is language that matches the times. The amended regulations now include fresh, sharper definitions like “complainant,” “relevant bodies,” and a modernised take on “writing.” In other words, in practice, less confusion, more inclusion especially for those accessing services digitally or from marginalised communities.
Data Rights are now Just a Text Away
Forget the paperwork and postage stamps. Under the new rules, data subjects can object to data processing or request corrections via WhatsApp, SMS, phone call, email, or even in person all at zero cost. Even telephonic requests are valid, provided they are recorded and available if needed.
Information Officers, Time to Step Up
The updated regulations push Information Officers into the spotlight. No longer can compliance be treated as a checkbox exercise. Organisations must actively improve and adapt their data protection practices. Think of it as compliance with momentum always moving, always maturing.
Marketing Just Got Tougher (and Smarter)
Here’s a game-changer: “opt-out” is no longer good enough. The bar for consent is now higher and clearer. If you want to market to someone, you’ll need their recorded, explicit permission, whether it’s via email, SMS, WhatsApp, fax, or even robocalls. This shift slams the door on shady marketing tactics and opens the way to more respectful, trust-based engagement.
A New Era for Complaints
The complaints system has had a dramatic upgrade. Not only can individuals file complaints, but proxies, third parties, and public interest organisations can now do so too. The Information Regulator must provide assistance in languages other than English, making the system more inclusive and accessible than ever before. There are now firm deadlines too, with a 14 day rule for transferring complaints to the Regulator.
Fines That Fit the Pocket
Previously, administrative fines could cripple smaller organisations. But the new regulations bring in a more flexible approach: fines can now be paid in instalments, if an organisation’s financial situation justifies it. It’s not about going soft it’s about being smart and sustainable.
So, What Now?
The message is loud and clear: the days of passive compliance are over. Organisations need to update policies, train staff, refine marketing practices, and implement systems that support real-time, multi-channel communication with data subjects. This isn’t just about avoiding fines. It’s about building trust, strengthening reputations, and showing that your brand respects personal data. Because in 2025 and beyond, the businesses that get data protection right won’t just comply they’ll compete smarter, earn loyalty faster, and lead with confidence.
Will your organisation evolve or fall behind?
