Key Data and Cybersecurity Laws
What are the key data privacy laws and regulations?

Last review date: 31 December 2025

The Protection of Personal Information Act (POPIA) was signed into law in 2013 and came into force on 1 July 2021.

POPIA promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.

POPIA sets out the essential parameters for the lawful processing of personal information, including:

  • eight "core-information-protection principles"
  • a number of substantive issues concerning, inter alia, the processing, collection and transfer of personal information, including that:
    • personal information may only be processed in a fair and lawful manner
    • personal information may only be processed for specific, explicitly defined and legitimate reasons
    • the responsible party must take the steps required to make affected data subjects aware of the processing and of the purposes for which the personal information is processed
    • personal information may only be kept for as long as it is required to fulfil the purpose for which it was collected; and
    • personal information may only be transferred cross-border subject to certain requirements
  • responsible parties (i.e., data controllers) being required to:
    • appoint an Information Officer and Deputy Information Officer to ensure compliance with the lawful processing conditions set out in POPIA and to deal with data subject rights requests in terms of POPIA and the Promotion of Access to Information Act, 2000 (PAIA), as well as complaints from data subjects who seek to enforce POPIA
    • develop, implement, monitor and maintain a data protection and privacy compliance framework
    • undertake a personal information impact assessment
    • assist with and respond to data subject requests made in terms of POPIA and access to information requests made by requesters in terms of PAIA
    • maintain documentation of all processing
    • encourage and ensure compliance with PAIA
    • develop, monitor and maintain a manual in terms of Sections 14 (public bodies) and 51 (private bodies) in terms of PAIA
    • evaluate and approve requests for access to information, having regard to the grounds set out in PAIA, within the prescribed time period or any extended period
    • respond to data subject requests and requests made by the Information Regulator pursuant to POPIA
    • conduct internal training sessions on the requirements of POPIA
    • work with the Information Regulator in relation to any investigations undertaken by the Information Regulator in respect of the responsible party
    • secure the integrity and confidentiality of personal information in its possession or under its control and ensure that it is appropriately safeguarded against loss, destruction or unlawful access
  • exemptions from the information protection principles
  • the rights of data subjects regarding unsolicited electronic communications and automated decision making
  • the establishment of the Information Regulator to exercise certain powers and to perform certain duties and functions in terms of POPIA and PAIA
  • enforcement mechanisms.

What are the key cybersecurity laws and regulations?

Last review date: 31 December 2025

The Cybercrimes Act 19 of 2020 ("Cybercrimes Act") was signed into law in June 2021 and came into force on 1 December 2021. It aligns the country's cybersecurity legislation with international standards.

The Cybercrimes Act requires electronic communications service providers and financial institutions to take action when they become aware that their computer systems have been involved in a cybersecurity breach that constitutes an offense under the Cybercrimes Act. They must report such breaches to the South African Police Service within 72 hours of becoming aware of the breach and preserve any information that may assist in the investigation. Non-compliance with this provision constitutes a criminal offense and may result in monetary fines. This reporting obligation, however, is not yet in force and will come into effect on a date still to be proclaimed.

The Cybercrimes Act further criminalizes harmful data messages, including those that incite or threaten violence, damage to property, or contain intimate images. "Data" is broadly defined in the Cybercrimes Act as "electronic representations of information in any form."

The Cybercrimes Act also criminalizes cyber fraud, extortion, forgery, and the theft of incorporeal property. It further criminalizes the unlawful access of a computer system, data storage medium, or personal data. Individuals found guilty of cybercrime offenses face significant fines and prison sentences of up to 15 years.

What are the key laws and regulations relating to non-personal data?

Last review date: 31 December 2025

The Electronic Communications and Transactions Act, 2002 contains provisions governing electronic communications and the obligations of service providers that affect how non-personal electronic data is transmitted, stored, retained and relied upon.

The Cybercrimes Act criminalizes the unlawful access, interception, and interference with data and computer systems, as well as the unlawful acquisition and disclosure of data messages. Importantly, these offenses apply to all types of data, not only personal data.

The South African Reserve Bank and National Payment System Directives and Guidance Documents set out the rules governing the storage, processing, and transfer of financial data and payment system data. These instruments apply broadly to all relevant data within the financial system and are not limited to personal data.