DATA PROTECTION - WHAT 2024 TAUGHT US AND WHAT SOUTH AFRICAN BUSINESSES SHOULD FOCUS ON FOR 2025 AND BEYOND
Jashmine Desai | Compliance Assistant

Over the past year, South Africa has witnessed significant shifts in data protection, with regulatory changes remodelling the compliance landscape. The advancements in cybersecurity and the growing influence of AI governance have compelled businesses to stay agile and responsive. As the Information Regulator strengthens its enforcement efforts and issues critical directives, the need for a proactive and strategic approach has never been greater.
As we move further into 2025, organizations must reflect on these developments, adapt to emerging challenges and refine their data protection strategies to stay ahead in an evolving regulatory environment.
Strengthening Cybersecurity in the Financial Domain
Cyber threats targeting financial institutions have grown more sophisticated, demanding stronger defences. Regulators have responded with new frameworks aimed at improving cybersecurity resilience across the sector.
The Financial Sector Conduct Authority and the Prudential Authority introduced a joint cybersecurity and resilience standard for financial institutions. Among its key provisions, the standard mandates that firms report significant cyber incidents to regulators. It will come into effect on 1 June 2025, with a 12-month transition period for compliance.
These initiatives emphasize the growing need for financial institutions to make cybersecurity a core element of their risk management and regulatory compliance strategies.
Evolving Data Protection Enforcement
Regulatory changes may set compliance frameworks; however, enforcement actions provide real-world lessons for businesses.
In 2024, the Information Regulator issued multiple enforcement notices against organizations that failed to comply with data protection laws. A few key takeaways from these actions include:
With regulators demonstrating their commitment to strict enforcement, businesses must take a proactive approach to data protection compliance.
AI Regulation and Data Protection Considerations
The increasing role of artificial intelligence (AI) in data processing has sparked regulatory discussions. In August 2024, the Department of Communications and Digital Development released a draft National AI Policy Framework, laying the groundwork for future AI governance in South Africa.
From a data protection perspective, the framework emphasizes the need to safeguard personal information and strengthen existing privacy regulations. As AI policies evolve, businesses using AI-driven data processing must align their operations with emerging compliance requirements.
Safeguarding Health Information
Under POPIA, certain organizations are permitted to process health-related data provided they adhere to its legal requirements. For instance, medical professionals and healthcare facilities may process such data when necessary for patient treatment, while insurers and medical schemes handle health information for their specific operational needs.
However, the legal framework surrounding the processing of health information remains unclear, highlighting the need for more detailed regulatory guidance.
In response, the Information Regulator has introduced draft regulations outlining how health data should be handled. These proposed rules apply to various entities and impose stringent requirements, such as mandating explicit consent for insurers and medical aids to process health information. Additionally, they address key areas like legitimate interest, record retention and the destruction of health records.
Once finalized, these regulations will carry legal weight. However, the current draft has faced criticism from industry stakeholders, making it likely that revisions will be made before the final version is enacted.
As the data protection landscape evolves, increasingly intersecting with industry-specific regulations and enforcement actions, businesses must navigate the balance between general POPIA compliance and sector-specific requirements, all while staying ahead of emerging trends like AI governance and cybersecurity resilience.
With regulators actively enforcing compliance, the best strategy for businesses is to take a proactive approach, mitigating risks and building consumer trust in an increasingly data-driven economy.