← All insights
POPIA COMPLIANCE

POPIA Information Officer responsibilities in 2026.

The Protection of Personal Information Act came into full force in July 2021. Public entities had a 12-month implementation grace period that ran out in 2022. Four years later, AGSA continues to find POPIA compliance gaps in most public-sector entities it audits. Five gaps account for the majority of findings, all are fixable in under three months, and most can be remediated for less than R150,000 in external advisory cost. The piece below names the gaps and the remediation work.

1. Information Officer not actually registered with the Regulator

POPIA Section 55 requires every responsible party (every business and public entity) to have an Information Officer. For a public entity, the Information Officer is the head of the entity by default. The Information Officer must register with the Information Regulator and the registration must be kept current.

What AGSA and the Regulator find: many entities have named an Information Officer internally but never completed the formal registration with the Regulator. The registration form is available at inforegulator.org.za; the registration is free; the process takes around two hours. Yet the registration step is missed at perhaps half of public entities, including some with otherwise sophisticated compliance functions.

The audit-defence test is simple: produce a printout of the Information Regulator's confirmation of registration, dated within the audit period. Entities that cannot produce it fail this control regardless of how detailed their internal documentation is.

2. PAIA Manual not updated to current Section 51 format

The Promotion of Access to Information Act requires every public entity to maintain a Section 51 manual describing what records the entity holds and how the public can request them. The manual format was updated in 2021 to align with POPIA. Many entities still publish the pre-2021 version.

The current manual includes references to POPIA's records of processing activity, the Information Officer's contact details, the entity's lawful bases for processing personal information, and the data subjects' rights under POPIA. Old manuals don't have these sections.

The remediation is a one-week rewrite by someone who knows what the current format requires. The new manual is published on the entity's website and a copy is lodged with the Information Regulator. Cost: around R30,000 if outsourced; less if done internally.

3. No documented data-flow inventory

POPIA's accountability principle requires the responsible party to know what personal information it processes, where it stores that information, and which third parties receive it. The mechanism that demonstrates this knowledge is the data-flow inventory or records of processing activity.

What auditors find: a list of systems that hold personal information but no map of which categories of data subject's information sits where, no record of which operators (third-party processors) receive what data, and no defined retention period per category. The entity knows it has personal data but cannot demonstrate that it knows the shape of what it has.

The remediation is a workshop-based exercise. Four to six half-day sessions with the heads of HR, finance, the systems that hold client or beneficiary data, and any external processors. Output: a single spreadsheet listing 20 to 40 data flows with the data subject category, data category, lawful basis, storage location, retention period, and recipient list for each.

4. No 72-hour breach notification protocol

POPIA Section 22 requires the responsible party to notify the Regulator and affected data subjects of a security compromise as soon as reasonably possible. The Regulator's interpretation is that ‘as soon as reasonably possible’ means within 72 hours in most circumstances. The entity needs a documented protocol that achieves this.

What auditors find: no protocol at all, or a protocol that names a workflow but has never been tested. In the event of a real compromise, the entity discovers it 18 hours in, the legal review takes 36 hours, the Regulator notification doesn't go out for five days. The substantive breach response may be sound, but the 72-hour clock is not met.

The remediation is a written protocol naming the parties, the decision-tree, the standby legal counsel, and the templates for Regulator and data-subject notification. The protocol is tested annually with a tabletop exercise. Cost: under R80,000 to develop and test.

POPIA's compliance gaps at most public entities are not strategic failures. They are six items on a checklist that nobody has been formally assigned to close.

5. No operator and sub-processor register

Many public entities outsource part of their data processing to third parties: payroll providers, cloud-hosted financial systems, debt collection agencies, archives. Each third party is an operator under POPIA Section 21 and the responsible party retains accountability for the operator's processing.

The Regulator expects the responsible party to maintain a register of operators, the operator agreements that govern each engagement, the categories of data each operator processes, and the operator's own POPIA compliance status. What auditors find: no register, or a register that lists three operators when the actual count is closer to forty.

The remediation is the same workshop output as the data-flow inventory, with an additional column for the third party receiving each data flow. The operator agreements are then sourced from each operator and reviewed for the standard POPIA-compliant clauses.

What the Regulator looks for during an audit visit

The Information Regulator's Compliance Monitoring Unit visits responsible parties periodically. During a visit, the Regulator typically asks for six documents in this order: the Information Officer's appointment letter and registration confirmation, the most recent PAIA Manual, the records of processing activity, the operator register and a sample of operator agreements, the breach notification protocol with evidence of testing, and the most recent staff awareness training records.

An entity that produces all six within an hour passes the visit comfortably. An entity that produces three of the six and promises to send the other three later acquires a compliance notice and a follow-up timeline. The cost gap between the two outcomes is a few weeks of focused remediation work.

This piece reflects practice patterns from POPIA reviews Sgananda Group has conducted. Specific entities should test the framework against their facts and against current guidance from the Information Regulator at inforegulator.org.za.

POPIA REVIEW

Close the POPIA gaps before the Regulator visits.

Sgananda Group provides POPIA compliance reviews for public entities. Six-to-eight week engagement, principal-led workshops with your heads of function, written output that closes the gaps named above, and a tested breach notification protocol.

Request a meeting →