Rode Media

POPIA overhaul: Updated Regulations take effect

The updated POPIA Regulations, effective 17 April 2025, enhance data subject rights and organisational compliance. This article briefly outlines key amendments, emphasising the importance of adhering to strengthened data protection requirements.

Samantha Smith
Dr Samantha Smith is STBB’s chief Content Writer and Legal Editor. She graduated with a BSocSci, LLB, LLM, and PhD (Law) from the University of Cape Town. Skilled in socio-legal analysis, critical thinking, and creative and technical writing, she previously worked in investigative legal research, with a special focus on animal law and environmental policy. As of February 2024, Samantha handles all STBB content. This includes brainstorming and writing all social media, newsflashes, newsletters, digital and print advertisements, magazine articles, and all webinar and podcast write-ups. Additionally, she attends to tenders and proposals, legal updates and presentations, biographies, brochures, information sheets, content for special projects, and various other digital publications and communications.

Earlier this year, the Regulations to the Protection of Personal Information Act (‘the POPIA Regulations’) were amended. Designed to enhance data subject rights and tighten compliance requirements for organisations, the POPIA Regulations took effect on 17th April 2025. In light of the vital importance of compliance, this article offers a brief rundown of these regulatory amendments.

This article is republished with thanks, first published by STBB Pulse | May 2025
https://mailchi.mp/f2ba9ce6877f/stbb-pulse-2zotppfpc2-10267090?e=c091b1acde

Key changes to the POPIA Regulations include:
Data subjects are empowered to object to the processing of their personal information or request corrections/deletion via hand, post, SMS, email, WhatsApp, fax, phone, or any other expedient method. Notably, telephone objections must be recorded and made accessible to the data subject upon request.

When personal information is collected, organisations must inform data subjects of their right to object and respond to correction/deletion requests within 30 days.

New definitions, including ‘complainant’, ‘complaint’, ‘relevant bodies’, and ‘writing’, enhance clarity and are aligned with other key laws.

Stricter consent rules for direct marketing: Consent must be obtained from data subjects, who are not existing clients, in a reasonably accessible, convenient, and cost-free manner. Importantly, consent received telephonically or via automated calling machine must be recorded and made available to the data subject on request. Consent must be obtained using a form ‘substantially similar to [Form 4]’. The goods/services intended for marketing must be indicated and a preferred communication method obtained. Crucially, mere opt-outs no longer constitute consent.

Complaints may be submitted by anyone with sufficient interest or acting in the public interest.

Assistance must be provided to complainants, and anonymity can be requested. Crucially, complaints must be in writing – utilising the prescribed form – and must comply with detailed content requirements.

Although the requirement to maintain a Promotion of Access to Information (‘PAIA’) manual has been deleted from the Regulations (but still applies under PAIA), information officers must continuously enhance their POPIA compliance frameworks.

Administrative fines can now be paid in instalments, subject to affordability and approval by the Information Regulator.

Given these substantial regulatory amendments, organisations are urged to review and update their compliance policies and programmes to align with this updated POPIA framework.
