
South Africa's Information Regulator Moves POPIA Enforcement from Complaint Response to Sector Targeting

A 40% surge in breach notifications and the first 2026 enforcement notice signal South Africa's data regulator is adopting a proactive, risk-based posture.

[Infographic: South Africa POPIA Enforcement, 2024/25 by the numbers (People of Internet Research). 2,374 security-compromise notifications (breach reports) in 2024/25; 40% year-on-year increase in security-compromise notifications; 2,113 average weekly cyber-attack attempts against South African organisations; R10 million maximum POPIA administrative fine. Source: peopleofinternet.com]

The Numbers That Forced a Policy Rethink

For four years after POPIA's commencement in July 2020, South Africa's Information Regulator operated in a largely reactive posture: wait for complaints, investigate, resolve. That approach is now visibly changing.

When the Regulator presented its 2025/26 Annual Performance Plan to Parliament's Portfolio Committee on May 5, 2026, the headline figure was arresting: 2,374 security-compromise notifications received in the 2024/25 financial year — a 40% year-on-year increase. POPIA complaints also rose 30%, from 1,044 in 2023/24 to 1,355 in 2024/25. Alongside these numbers, the Regulator announced a deliberate strategic pivot: rather than waiting for victims or complaints to surface breaches, it would pursue proactive, sector-targeted enforcement in education, health, local government, retail, and direct marketing.

This matters because the enforcement pattern of the first four POPIA years was notably thin. By the Regulator's own account, only 13 organisations were assessed for compliance in 2023/24, and just 10 enforcement notices were prepared — against a compliance landscape of millions of data operators. With complaints now arriving at over 100 per month, the reactive model was becoming untenable.

The Case for Proactivity — and Its Limits

The strongest argument for the Regulator's shift is structural. Complaint-driven enforcement systematically under-discovers harm: breaches only surface when affected individuals or whistleblowers bring them forward. The numbers make this concrete. South African organisations face roughly 2,113 cyber-attack attempts per week according to Check Point Research, yet only 2,374 breach notifications reached the Regulator in an entire financial year. Attempts are not breaches, and the two figures measure different things, but at over 100,000 attempts a year, if even a small fraction succeed and produce notifiable security compromises, actual under-reporting is dramatic. A proactive, sector-targeted approach at least corrects for the selection bias of complaint-only enforcement.

The priority sectors also reflect genuine risk concentration. Education institutions hold sensitive student and employee data on chronically under-resourced IT infrastructure. Health records fall under POPIA's special personal information protections (Section 26). Local government processes identity documents, social grants, and property records. Retail and direct marketing are the sectors with the most intensive consumer data collection. Selecting these for heightened scrutiny is defensible on risk grounds, not just political optics.

That said, proportionality remains the right benchmark. Proactive enforcement that deploys prescriptive sector audits rather than evidence-based risk signals can impose compliance costs on organisations that already maintain genuine security programmes. The Regulator's resource constraints are real — Parliament was told explicitly that the office operates under "extremely limited resources." That means sector sweeps will necessarily be selective. The criteria for selection need to be transparent enough to guide compliance investment rather than generate uncertainty.

The TVET College Case: A Misdirected Email, Four Years Later

On May 20, 2026, the Regulator issued its first enforcement notice of the year — against Central Johannesburg TVET College. The underlying incident was a September 2022 misdirected email: an employee's credential verification report was accidentally sent to unauthorised staff. Small in isolation, it cascaded into four separate POPIA violations: failure to register an Information Officer (Section 8), incompatible further processing of employee data (Section 15), failure to implement adequate security safeguards (Section 19), and failure to notify the Regulator and affected data subjects of the compromise (Section 22).

The enforcement notice requires the College to register an Information Officer within 31 days, notify affected employees of the breach, issue a written apology, take disciplinary action against the responsible employee, develop a POPIA Compliance Framework, and complete staff training within 120 days. Failure to comply with an enforcement notice is an offence under POPIA Section 103, punishable under Section 107 by a fine, imprisonment of up to 10 years, or both; separately, the Regulator may impose an administrative fine of up to R10 million under Section 109.

The case is instructive in several ways. First, a single accidental data event — a misdirected email — can expose an organisation to multi-dimensional POPIA liability if basic compliance architecture is absent. Second, the Regulator is willing to pursue historical breaches: the 2022 incident produced a 2026 enforcement action. Third, by targeting an educational institution as its first 2026 notice, the Regulator has given operational weight to its declared sector priorities. It is not merely listing sectors; it is enforcing against them.

Under-Reporting Remains the Dominant Gap

The 40% surge in breach notifications is partly good news: more organisations are becoming aware of their Section 22 obligations. The Regulator's April 2025 introduction of a mandatory eServices Portal for reporting has likely contributed. But the figure also exposes a structural compliance failure. If weekly cyber-attack attempts number in the thousands, and annual reported compromises number in the low thousands, under-reporting is still the dominant reality.

POPIA's Section 22 requires a responsible party to notify the Regulator and affected data subjects "as soon as reasonably possible after the discovery of the compromise". The statute lets timing take account of the legitimate needs of law enforcement and of measures reasonably necessary to determine the scope of the compromise and restore the integrity of the affected system, but that is a narrow allowance for scoping, not a licence to wait for a completed forensic report; and notification of data subjects may only be delayed where a law-enforcement body or the Regulator determines that it would impede a criminal investigation. The Regulator's own fact sheet on security compromise handling makes this explicit: investigation completion is not a prerequisite for notification. Many organisations nevertheless appear to be treating it as one, delaying or suppressing reports while internal reviews proceed. That is precisely the behaviour proactive sector enforcement is designed to surface and deter.

What Priority-Sector Organisations Should Do Now

For organisations in the five named sectors, the trajectory is clear. Three steps warrant immediate attention.

South Africa's data protection enforcement is maturing. The gap between the scale of cyber threats and the volume of reported breaches cannot persist. The Regulator's pivot to proactive sector targeting is overdue — and if executed transparently against demonstrable risk signals, it is the proportionate approach for closing it.

Sources & Citations

  1. Deputy Minister Nel Budget Vote Speech, May 2026
  2. Information Regulator: Security Compromise Fact Sheet
  3. POPIA Legislation — Section 22 (Notification of Security Compromises)
  4. Mondaq: Information Regulator's First Enforcement Notice For 2026
  5. ITWeb: Firms Under-Report POPIA Breaches as Cyber Attacks Rise
  6. Michalsons: Central Johannesburg TVET College POPIA Enforcement