Back to the Future: What data protection developments were there in 2024, and what lessons should SA businesses take into 2025 and beyond?

Werksmans

18th February 2025

2024 was a big year for data protection in South Africa. The Information Regulator issued various enforcement notices and published draft regulations and guidance notes. There were also sector-specific developments in the financial services, payments, and healthcare spaces. We also saw movement in relation to AI and direct marketing.

This article examines these key developments and asks: what lessons should SA businesses take going into 2025? We discuss the various regulatory developments and consider the Information Regulator’s 2024 enforcement notices, including our key take-aways for each.

Direct marketing: a spam-free 2025?

On the one hand, direct marketing is a vital business tool; on the other hand, unwanted electronic communications infringe on a person’s privacy and peace of mind. The Information Regulator (“IR”) has indicated that it has received an enormous number of complaints relating to direct marketing.

This sets the scene for two developments in 2025:

POPIA: draft guidance note on direct marketing

The Protection of Personal Information Act No 4 of 2013 (“POPIA”) prohibits businesses from conducting direct marketing by ‘electronic communication’ unless the person being marketed to (i) is their customer; or (ii) has consented.

The generally accepted interpretation was that POPIA’s direct marketing provisions apply to electronic communications like email, text message, and telephone calls by automated machine, but that it does not apply to voice calls. The IR in 2024 firmly rejected this view, asserting that voice calls are also ‘electronic communication’.

The IR seeks to address direct marketing in a guidance note, and a draft was published for public comment on 3 December 2024. The document includes guidance on, amongst others, what constitutes electronic communication; and how to lawfully conduct direct marketing by (i) electronic communication; and (ii) other means, like post or in person.

CPA: draft regulations  

The Department of Trade, Industry and Competition has proposed amendments to the regulations to the Consumer Protection Act No 68 of 2008 (“CPA”). The proposed amendments strengthen existing opt-out mechanisms, enhance consumers’ ability to block unwanted marketing communications, and tighten the rules for direct marketers’ use of the opt-out registry. The mechanics of how some of the proposed amendments will work are not clear from the draft.

Public comment for the amendments closed on 15 January 2025.

It seems unlikely that we will see the amendments to the CPA regulations published this year. We’re hopeful that, although controversial, the IR’s guidance note is at least published in final form. This will give organisations and consumers a clearer understanding of their respective rights and obligations; as well as how the IR is going to enforce POPIA’s direct marketing provisions.

Health information: critical care required

POPIA permits specific types of organisations to process personal information concerning health or sex life (“health information”), subject to its requirements. For example, medical professionals and healthcare institutions may process health information where required for a patient’s treatment. Insurance companies and medical schemes may process health information for their specific purposes.

Nevertheless, the lawful processing of health information under POPIA is less than clear and requires more detailed guidance.

Enter the IR, who published draft regulations on processing health information under POPIA. The draft regulations apply to, amongst others, employers, insurance companies, medical aid schemes, medical scheme administrators, and pension funds. The draft regulations are onerous, for example, requiring certain organisations like insurers and medical aids to obtain consent from data subjects to process health information. The draft also contains additional rules regarding legitimate interests, cross border transfers, record retention, and destruction of health information.

Once published, these regulations will be legally binding. The current draft has been subject to criticism from industry stakeholders, and it seems unlikely that we will see these regulations published in their current form.

Cybersecurity Takes Centre Stage in the Financial Sector

The last few years have seen an increase in the frequency, severity, and sophistication of cyberattacks that target financial institutions. Financial institutions need to be able to adapt to, and withstand, the risks posed by cyber-attacks: so-called ‘cyber resilience’. Accordingly, it is no surprise that financial sector regulators have published rules on how institutions operating in the national payment system and the financial sector must bolster their cybersecurity and cyber-resilience.

National Payment System

The South African Reserve Bank published a directive mandating comprehensive cybersecurity frameworks for payment institutions and operators. These frameworks must align with international best practices, integrate with operational risk management, and establish clear protocols for risk mitigation and information sharing. The directive became effective on 17 August 2024.

Financial institutions

The Financial Sector Conduct Authority and the Prudential Authority published a joint standard on cyber security and cyber resilience which applies to various categories of financial institutions. The standard, amongst others, requires financial institutions to notify the responsible authority upon the occurrence of a material cyber incident or information security compromise.

The standard will commence on 1 June 2025. Thereafter, financial institutions will be afforded a 12-month grace period within which to comply.

The directive and standard are a necessary and welcome step in the protection of financial and payments institutions and their data.

AI Regulation: Mapping Tomorrow’s Rules

In August 2024, the Department of Communications and Digital Development published a draft National AI Policy Framework for public consultation. The framework is intended to serve as the basis for the National AI Policy that will guide AI regulation. As it relates to data protection, the framework envisions the safeguarding of personal information through various means, including bolstering of existing data protection regulations.

The document is likely to undergo further amendment based on the comments received from the public.

IR enforcement decoded

While new regulations shape tomorrow’s compliance landscape, today’s lessons come from yesterday’s enforcement. The IR issued seven enforcement notices in 2024 relating to POPIA non-compliance, each revealing critical compliance insights. We discuss the enforcement notices in the following table:  

Conclusion: the way forward

The message for 2025 is clear: organisations face an increasingly layered compliance landscape where general POPIA principles intersect with sector-specific requirements. Success requires a dual focus: maintaining robust general compliance while adapting to emerging industry obligations. As enforcement actions demonstrate, regulators are ready to act – making proactive compliance more critical than ever.

Written by Armand Swart, Director & Hlonelwa Lutuli, Associate; Werksmans
