The Compliance Gap That Costs More Than a Fine
Your UK business processes data from a South African subsidiary, a Cape Town supplier, or a Johannesburg reseller. The Information Regulator of South Africa (Regulator) has already issued its first enforcement notices under the Protection of Personal Information Act (POPIA). UK companies that shrugged off POPIA as a "local compliance issue" are now discovering that the Regulator can, and will, impose administrative fines of up to ZAR 10 million (approx. £425,000), and that certain POPIA offences carry criminal penalties, including imprisonment, for the individuals responsible. The deadline for compliance isn't looming; it's here. Pyralink Innovation Ltd has seen the enforcement pattern: the Regulator is not targeting South African firms alone. It is targeting any entity that processes personal data connected to South Africa.
Most UK firms assume GDPR covers them globally. It does not. POPIA operates as a standalone data protection framework with its own enforcement machinery, its own mandatory manual requirements, and its own regulator that operates independently of the ICO and the EU's EDPB. If your supply chain, customer base, or HR system touches a South African data subject, you are in scope. The June 2026 deadline for certain compliance filings is the point at which the Regulator will expect full compliance: not a plan, not a roadmap, but live operational adherence.
We have identified three specific compliance gaps that UK firms consistently miss. These are not theoretical risks. They are the exact areas where the Information Regulator SA has already issued notices, and where our fractional vCISO engagements have uncovered vulnerabilities in UK-headquartered organisations.
Gap 1: The Missing PAIA Manual That Triggers Immediate Penalties
What Your UK Privacy Policy Does Not Cover
The Promotion of Access to Information Act 2000 (PAIA) is often treated as a South African-only requirement that does not apply to foreign entities. That assumption is wrong. PAIA requires every public and private body, including foreign companies that process personal data in South Africa, to compile and publish a manual that explains how data subjects can request access to their personal information. The manual must be made available to the Information Regulator SA and on the body's website, and it must be kept up to date.
UK firms typically have a standard privacy policy written under UK GDPR. That policy is not a PAIA manual. The Regulator has confirmed in its enforcement guidance that the PAIA manual is a separate, statutory document with specific content requirements under Section 51 of PAIA. It must include: the description of the information held, the categories of data subjects, the purposes for processing, the access request procedure, the relevant contact details, and the availability of the manual in all official languages where applicable.
The gap is straightforward: your UK GDPR privacy policy does not meet PAIA requirements. Most UK firms do not even know PAIA exists, let alone that they need a separate manual filed with a different regulator. The Information Regulator SA has already imposed administrative fines on companies that failed to submit or update their PAIA manuals, and the penalty structure under PAIA allows for criminal prosecution of responsible officers — including directors based outside South Africa.
Gap 2: Untrained Data Processors and Cross-Border Transfer Agreements
Why Your Intra-Group DPA Is Not Enough
POPIA Section 72 prohibits transferring personal information out of South Africa unless one of a short list of conditions is met. The condition that group structures usually rely on is Section 72(1)(a): the recipient must be subject to a law, binding corporate rules, or a binding agreement that provides protection substantially similar to POPIA's conditions for lawful processing, including equivalent restrictions on onward transfer. The remaining conditions (data subject consent, necessity for a contract with or in the interest of the data subject, or transfer for the data subject's benefit where consent is impracticable) are narrow and rarely cover routine intra-group HR, finance or CRM flows. Note what Section 72 does not provide: there is no adequacy finding for the UK or EU, and the Regulator has not prescribed its own standard contractual clauses. The EU's standard contractual clauses and the UK's International Data Transfer Agreement are not automatically sufficient; they must be assessed, clause by clause, against POPIA's conditions.
We routinely find that UK firms with South African operations rely on their existing GDPR-compliant intra-group data processing agreements. These agreements do not satisfy POPIA Section 72 on their own. A Section 72(1)(a) agreement has to carry POPIA-equivalent obligations around onward transfer, security safeguards and data subject access that mirror PAIA requirements, and POPIA separately requires security compromises to be notified to the Regulator (not the ICO) and to affected data subjects under Section 22. Using the wrong contractual framework is a direct violation of POPIA, exposing the firm to the full ZAR 10 million fine and potential criminal liability.
The enforcement trend is clear: the Information Regulator SA has signalled that cross-border transfer compliance is a priority for 2025-2026. The Regulator has already issued enforcement notices against companies that failed to implement the correct transfer mechanism, and it has publicly stated that ignorance of the separate legal framework is not a defence.
Gap 3: No Designated Information Officer (and Deputy) Registered with the Regulator
The Director-Level Registration You Cannot Delegate
POPIA Sections 55 and 56, read with PAIA's definition of "information officer", place Information Officer duties on every responsible party (the entity that determines the purpose and means of processing). The Information Officer of a private body is its head, meaning the CEO or equivalent, and that person may designate deputy information officers and delegate duties to them. The Information Officer must be registered with the Information Regulator SA before taking up duties, as required by the POPIA Regulations. There is no exemption for foreign entities. The Information Officer is the individual the Regulator holds to account for POPIA compliance: enforcement notices are served on the responsible party through that person, and failure to comply with an enforcement notice is a criminal offence under POPIA. That exposure does not disappear because the individual is based in London, Manchester, or Edinburgh.
The registration process itself is not complex, but the Regulator has publicly stated that thousands of responsible parties have not registered. UK firms often assume that their Data Protection Officer (DPO) under UK GDPR suffices. It does not. The POPIA Information Officer has different duties, a different reporting line (the Regulator, not the ICO), and different liability exposure. A UK DPO operating under a standard GDPR framework is not equipped to handle POPIA obligations without specific training and registration.
We have seen cases where UK-headquartered firms discovered the registration gap only after a data subject complaint triggered a Regulator investigation. At that point, the Regulator's enforcement notice requires immediate registration and a compliance plan, with a ticking clock for full remediation. The penalty for non-registration is not a fine alone; an enforcement notice can direct the responsible party to stop processing entirely until the Information Officer is registered.
How Pyralink Innovation Ltd Fixes These Gaps — Without Sending a Team to Johannesburg
Pyralink Innovation Ltd is a UK-based cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). We have built a pragmatic, remote-first compliance programme that addresses POPIA enforcement head-on. Our approach does not require a South African legal team; it requires structured, documented processes that satisfy the Information Regulator SA's specific requirements.
Our ISO 27001 certification framework integrates with POPIA compliance, creating a single management system that satisfies both UK GDPR and South African obligations. We do not treat POPIA as a separate silo; we layer its requirements onto your existing controls. Our CloudAuditX platform maps data flows to the Regulator's transfer requirements, identifying exactly which processing activities fall under POPIA jurisdiction. This is not a theoretical risk assessment — it is a live, auditable inventory.
Our fractional vCISO service assigns a qualified executive to your firm who handles Information Officer registration, PAIA manual drafting, and cross-border transfer agreement remediation. This is not a tick-box exercise. We submit the PAIA manual to the Regulator, we register the Information Officer, and we maintain the annual update cycle. Our vCISO programme starts from £497 per month, and we hold £5 million professional indemnity insurance — the same coverage we require of our own suppliers.
Your June 2026 Action Plan
The Information Regulator SA has signalled that the window for voluntary compliance is closing. By June 2026, the expectation is that every responsible party, including foreign entities, has published PAIA manuals, registered Information Officers, and executed cross-border transfer agreements that satisfy Section 72. The firms that act now will face a structured compliance process. The firms that wait will face enforcement notices, fines, and potential personal liability for the executives the Regulator holds to account.
Start with a compliance audit. Use our free compliance scanner to identify your South Africa-related data processing activities. If the scanner flags South African data subjects, you are in scope for POPIA. Do not ignore the result — the Regulator will not ignore you.
Next, draft and submit your PAIA manual. This is a statutory requirement, not a best-practice recommendation. Our team can complete this within two weeks for most UK firms with existing data inventories.
Finally, register your Information Officer. If you do not have a senior executive who can assume that liability, our fractional vCISO can serve as the delegated Information Officer — registered with the Regulator, insured, and accountable. This is the fastest way to compliance without hiring a full-time South African legal counsel.
The cost of non-compliance is an administrative fine of up to ZAR 10 million plus potential criminal liability. The cost of compliance is measured in weeks and hundreds of pounds, not millions. The choice is straightforward, but the deadline is not negotiable.