POPIA rules and regulations: Your full guide to the frameworks, notices, guidelines, and forms that give POPIA its force
The Protection of Personal Information Act, 2013 (POPIA) sets out South Africa's core privacy rights and obligations. The operational detail, the "how", comes from a second layer: the regulations, notices, and guidelines issued under the Act by the Information Regulator.
This page gives you the complete picture, including the 2025 amendments to the Regulations.
1. Regulations
The Regulations Relating to the Protection of Personal Information (GNR.1383 of 14 December 2018) set out how POPIA must be applied in practice. They were phased into force during 2021, ahead of the end of POPIA's one-year grace period on 30 June 2021, from which date the Act became fully enforceable.
Key areas governed include:
- Objections to processing: A data subject objects to the processing of their personal information by completing Form 1.
- Requests for correction or deletion: A data subject requests correction or deletion of their personal information, or destruction of a record, via Form 2.
- Information Officer duties: Information Officers must ensure that a compliance framework is developed, implemented, monitored and maintained; carry out a personal information impact assessment; develop, monitor and maintain a PAIA manual; put in place internal measures and adequate systems for handling data subject requests; and run internal awareness sessions.
- Applications for codes of conduct: Industry bodies apply to the Regulator for the issuing of a sector code using Form 3.
- Consent for direct marketing: A responsible party must use Form 4 to request a data subject's written consent before sending unsolicited electronic marketing (including email and SMS). Under section 69 this applies to data subjects who are not existing customers, and a responsible party may approach a data subject for this consent only once.
- Complaints: Anyone whose privacy rights have been interfered with submits a complaint to the Regulator on Form 5.
- Investigations and enforcement: The Regulator can investigate complaints, act as conciliator, conduct pre-investigation proceedings and settlements, issue enforcement notices, and take unresolved matters further.
The Regulations include 19 mandatory forms, governing every step from objections to appeals.
2. Notices
The Regulator issues notices to formally approve sector-specific frameworks or announce critical updates. Examples include:
- BASA Code of Conduct (2022): Regulates how banks process personal information in alignment with POPIA and the Banks Act.
- CBA Code of Conduct (2022): Applies to credit bureaus, setting rules for fair, transparent, and lawful credit data processing.
These Codes of Conduct are binding on members of the relevant industries: a failure to comply with an approved code is treated as a breach of POPIA's conditions for lawful processing. They show how POPIA adapts to sector-specific realities.
3. Guidelines
The Regulator has issued guidelines to support compliance:
Guidelines for Developing Codes of Conduct (2021)
These provide a roadmap for industry bodies or professional groups to design, submit, and maintain sector-specific codes.
They stress alignment with POPIA’s conditions, transparent consultation processes, governance mechanisms, and clear complaints procedures.
Work from these guidelines if your industry body is considering formalising sector-specific privacy standards.
4. Rules and Regulations by section of the Act
To help you link the Act to the Regulations, here’s a quick mapping:
POPIA section | Topic | Regulation |
---|---|---|
Section 11 | Objection to processing | Regulation 2 (Form 1) |
Section 24 | Correction or deletion of information | Regulation 3 (Form 2) |
Section 55 | Information Officer duties | Regulation 4 |
Section 61 | Application for Code of Conduct | Regulation 5 (Form 3) |
Section 69 | Consent for direct marketing | Regulation 6 (Form 4) |
Section 74 | Submission of complaints | Regulation 7 (Form 5) |
Section 76 | Conciliation procedures | Regulation 8 |
Section 79 | Investigations | Regulation 9 |
Section 89 | Assessments by Regulator | Regulation 11 (Form 11) |
Sections 94–98 | Enforcement and appeals | Regulation 12 and the associated forms (Forms 13–19) |
5. Draft Rules and Regulations
At the time of writing, no draft regulations are open for public comment.
The most recent significant change is the 2025 amendments to the POPIA Regulations, which bring more clarity on:
- Mandatory Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Enhanced breach notification requirements. Note that section 22 of the Act already obliges a responsible party to notify the Regulator and the affected data subjects of a security compromise as soon as reasonably possible; the amendments build on that duty rather than introduce it.
- Greater accountability for Information Officers.
These amendments reflect a shift toward proactive, ongoing data governance rather than reactive compliance.
(You can read our full analysis here: 2025 POPIA Regulations Amendments).
Final word: Why it matters
POPIA isn't static. New codes, notices, and practical guidance keep shaping how South African organisations must treat personal information.
If you're serious about compliance, governance, and building trusted relationships with customers, reading the Act alone is not enough.
You have to work with the full ecosystem: the Act, the Regulations, the Notices, the Guidelines, and the amendments as they arrive.
We can help you decode and operationalise all of it.
👉 [Talk to us about POPIA compliance for your business]