POPIA Five Years Later: Why Is Nobody Being Held Accountable?
This article has been supplied and will be available for a limited time only on this website.
Five years after the Protection of Personal Information Act (POPIA) became fully enforceable, awareness and compliance efforts have increased, with organisations appointing Information Officers and the Information Regulator stepping up enforcement.
Yet reported data breaches continue to rise, raising questions about whether compliance is translating into meaningful accountability.
The Information Regulator received 2,374 security compromise notifications during the 2024/25 financial year, averaging almost 200 incidents every month. Between April and November 2025 alone, a further 1,947 notifications were reportedly received, representing an increase of 40% in reported security compromises.
At the same time, IBM's 2025 Cost of a Data Breach Report found that the average cost of a data breach in South Africa is R44.1 million, substantially higher than POPIA's maximum administrative fine of R10 million.
According to Muhammad Ali, Managing Director of South African ISO standardisation specialist World Wide Industrial & Engineering Systems (WWISE), the issue is no longer simply one of compliance, but accountability.
"Most organisations understand what POPIA requires. The real question is whether their controls and governance frameworks are actually effective," he says.
POPIA was introduced to strengthen privacy rights and ensure organisations take responsibility for the personal information they collect, process and store. However, Ali believes many organisations continue to treat compliance as an administrative exercise rather than an ongoing governance responsibility.
"Many businesses have privacy policies, compliance documentation and Information Officers in place, but that does not necessarily mean personal information is properly protected," he explains. "Policies alone do not prevent data breaches. Accountability, ownership, monitoring and continual improvement do."
The risk environment is also intensifying. Organisations are processing increasing volumes of personal data while cyber threats become more sophisticated. At the same time, customers, regulators, investors and business partners are demanding greater transparency and stronger governance.
"While the financial impact of a breach is significant, the reputational damage is often more severe," says Ali. "Once trust is lost, it is extremely difficult to rebuild."
Organisations that fail to adequately protect personal information face legal action, operational disruption, regulatory scrutiny, higher insurance costs and reputational damage. Public breaches can also erode customer confidence and investor sentiment.
Ali raises another important question: are POPIA's current enforcement mechanisms sufficient to drive meaningful behavioural change?
POPIA provides for fines of up to R10 million and criminal penalties of up to 10 years' imprisonment for serious offences, including failure to comply with enforcement notices or obstructing the Information Regulator.
However, Ali says enforcement alone cannot solve the problem.
"A regulator cannot monitor every organisation every day," he says. "Accountability must sit inside the organisation, with boards, executives, Information Officers and operational leaders responsible for protecting personal data."
Ali adds that many organisations still treat information governance as an IT or compliance function rather than a core business priority.
"Privacy and security must be embedded in leadership, performance and risk management. Without accountability at that level, compliance becomes reactive rather than proactive."
This is where internationally recognised standards such as ISO 27001 and ISO 27701 are becoming increasingly relevant.
While POPIA sets the legal requirements, these standards provide structured frameworks to implement, monitor and continually improve information security and privacy controls, supported by clear accountability, risk-based decision-making and independent verification.
Ali notes that POPIA-aligned governance programmes and ISO 27001 and ISO 27701 certification can take one to three years from gap assessment to certification, with costs ranging from around R100,000 to more than R250 million, depending on organisational size and complexity.
"Organisations should view this as an investment," he says. "The financial, operational and reputational impact of a major cyber breach can far exceed the investment required."
"These standards provide organisations with a practical roadmap for managing information security and privacy risks," says Ali. "They move organisations beyond compliance checklists towards measurable governance and accountability."
Several South African organisations have already moved beyond basic compliance. Discovery has publicly highlighted its privacy governance framework and customer privacy controls, while technology company Sybrin has achieved ISO 27001 certification. Both illustrate the value of structured, accountable approaches to information governance.
Certification also provides independent third-party assurance that controls are not only documented, but operating effectively.
Ali says organisations are increasingly judged not by the policies they publish, but by their ability to demonstrate that controls are working in practice.
"Stakeholders want evidence that risks are understood, controls are in place, and those controls are effective," he says.
As cyber threats and regulatory scrutiny intensify, Ali believes organisations with strong governance, leadership accountability and recognised standards will be best positioned to protect personal information and strengthen trust.
"Five years on, the challenge is no longer understanding POPIA, but proving accountability," he concludes. "Those that can demonstrate they protect personal information will be better positioned to manage risk, protect their reputation and secure stakeholder confidence."
Article Enquiry
Email Article
Save Article
Feedback
To advertise email advertising@creamermedia.co.za or click here
Press Office
Announcements
What's On
Subscribe to improve your user experience...
Option 1 (equivalent of R125 a month):
Receive a weekly copy of Creamer Media's Engineering News & Mining Weekly magazine
(print copy for those in South Africa and e-magazine for those outside of South Africa)
Receive daily email newsletters
Access to full search results
Access archive of magazine back copies
Access to Projects in Progress
Access to ONE Research Report of your choice in PDF format
Option 2 (equivalent of R375 a month):
All benefits from Option 1
PLUS
Access to Creamer Media's Research Channel Africa for ALL Research Reports, in PDF format, on various industrial and mining sectors
including Electricity; Water; Energy Transition; Hydrogen; Roads, Rail and Ports; Coal; Gold; Platinum; Battery Metals; etc.
Already a subscriber?
Forgotten your password?
Receive weekly copy of Creamer Media's Engineering News & Mining Weekly magazine (print copy for those in South Africa and e-magazine for those outside of South Africa)
➕
Recieve daily email newsletters
➕
Access to full search results
➕
Access archive of magazine back copies
➕
Access to Projects in Progress
➕
Access to ONE Research Report of your choice in PDF format
RESEARCH CHANNEL AFRICA
R4500 (equivalent of R375 a month)
SUBSCRIBEAll benefits from Option 1
➕
Access to Creamer Media's Research Channel Africa for ALL Research Reports on various industrial and mining sectors, in PDF format, including on:
Electricity
➕
Water
➕
Energy Transition
➕
Hydrogen
➕
Roads, Rail and Ports
➕
Coal
➕
Gold
➕
Platinum
➕
Battery Metals
➕
etc.
Receive all benefits from Option 1 or Option 2 delivered to numerous people at your company
➕
Multiple User names and Passwords for simultaneous log-ins
➕
Intranet integration access to all in your organisation















