POPIA & PAIA - Navigating the Enforcement Landscape | 30 June 2026 Deadline
- Sue Singh


No Extensions
The Information Regulator has opened the 2025/2026 PAIA Annual Report submission window. All public and private bodies are required to submit via the Regulator’s eServices Portal by 30 June 2026. No extensions will be granted. Failure to submit may trigger regulatory scrutiny, including broader assessments of your organisation’s PAIA and POPIA compliance framework.
Submission Requirements
Reporting Period: 1 April 2025 – 31 March 2026
Submission Window: 1 April 2026 – 30 June 2026
Portal: Information Regulator eServices Portal
Extensions: None
Registration is mandatory. Your Information Officer, Head of Private Body, and Deputy Information Officers must be registered on the eServices Portal before the report can be submitted.
Nil returns are required. The obligation applies even if no access-to-information requests were received during the reporting period.
PAIA and POPIA are assessed together. Non-compliance with PAIA is increasingly treated as indicative of broader POPIA deficiencies.
Regulatory Environment
This deadline arises in the context of materially strengthened enforcement. In March 2026, the Information Regulator confirmed that compliance monitoring will intensify across both public and private sectors, moving from reactive complaint-handling to proactive, targeted oversight.
Recent enforcement actions:
Department of Justice — R5 million administrative fine;
Blouberg Municipality — R500 000 for exposing personal information;
Lancet Laboratories — R100 000 for failure to notify data subjects of a breach;
WhatsApp LLC — Settlement for inadequate transparency measures for SA users.
Data breach notifications have increased by 40%, averaging 284 per month. POPIA provides for fines of up to R10 million per contravention and criminal sanctions of up to 10 years’ imprisonment for serious offences.
Common Compliance Deficiencies
Outdated compliance frameworks — policies implemented at POPIA commencement and never revisited;
No data subject request procedures — leaving organisations unable to respond within prescribed timeframes;
Unreported security compromises — section 22 of POPIA mandates notification to both the Regulator and affected data subjects;
Absent or outdated Section 51 Manuals — every private body must maintain a current Manual, published on its website and filed with the Regulator;
Non-compliant data processing agreements — operator agreements lacking POPIA-compliant provisions remain a material exposure.
Action Required Before 30 June 2026
Confirm IO/DIO registration on the eServices Portal.
Review and update your Section 51 PAIA Manual — ensure it is current, published, and filed.
Prepare and submit your PAIA Annual Report, including nil returns where applicable.
Conduct a POPIA compliance review across all conditions for lawful processing.
Review data breach notification and incident response procedures.
Audit all data processing agreements with third-party operators.
Confirm that relevant employees have completed POPIA and PAIA training within the past 12 months.
This article is for informational purposes only and does not constitute legal advice. For specific legal guidance on protected disclosures, employment practices, or compliance obligations, consult a qualified labour law practitioner.
© 2026 Global Business Solutions (GBS). All rights reserved.