The POPIA Information Officer: Duties, Registration, and What to Expect
If your business operates in South Africa and processes personal information — which almost every business does — the Protection of Personal Information Act (POPIA) requires you to designate an Information Officer. This role sits at the centre of your organisation's compliance effort, and the Information Regulator has made registration a formal, enforceable requirement.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
Who is the Information Officer?
Under POPIA, the Information Officer is, by default, the head of the organisation — in a company, that is the CEO or equivalent. The Act does not allow this responsibility to simply be ignored or informally delegated. However, the head of the organisation *can* formally designate one or more Deputy Information Officers to assist in carrying out the duties.
For most SMEs, the practical reality is that the owner or managing director is the default Information Officer, and they may choose to designate a trusted manager or external compliance practitioner as a Deputy to handle the day-to-day work.
---
What does POPIA section 55 say?
Section 55 of POPIA sets out the duties of the Information Officer. These include:
- Encouraging compliance with the conditions for lawful processing set out in POPIA (the eight conditions described in section 8).
- Dealing with requests made to the organisation in terms of POPIA — for example, data subject access requests under section 23 and requests to correct personal information under section 24.
- Working with the Information Regulator in relation to investigations or other matters the Regulator raises with the organisation.
- Developing, implementing, and maintaining a personal information impact assessment, to ensure the organisation identifies and addresses risks to personal information it processes.
- Developing internal measures and a manual that describe how the organisation manages personal information, and making that manual available to data subjects who request it.
- Developing and implementing a personal information breach response plan, aligned with the breach notification requirements in section 22.
- Raising awareness of POPIA within the organisation and ensuring staff understand their obligations.
This list reflects the published guidance of the Information Regulator and the text of section 55 itself. The duties are substantive — this is not a paper role.
---
Deputy Information Officers
A Deputy Information Officer can be designated to assist the Information Officer, particularly in larger organisations or where the head of the organisation does not have the capacity to manage compliance day-to-day. Deputies must also be registered with the Information Regulator.
Key points about Deputies:
- There is no fixed limit on how many Deputies an organisation may designate.
- A Deputy acts under the authority of the Information Officer.
- Registration of each Deputy is a separate step from registering the Information Officer.
- An external service provider or consultant *can* be designated as a Deputy, subject to appropriate contractual arrangements — though your organisation remains responsible for compliance.
---
POPIA registration: the practical steps
The Information Regulator has published an online registration process. As of the date of this article, registration is done through the Regulator's online portal at https://www.inforegulator.org.za.
Here is what the process generally involves:
- Gather your information. You will need the organisation's registration details (company name, registration number, physical address), and the personal details of the person being designated as Information Officer.
- Complete the registration form. The Regulator's portal provides the relevant form. You will confirm the designation and provide contact details for the Information Officer.
- Register Deputy Information Officers separately. If you are designating Deputies, each must be registered in their own right.
- Keep your registration current. If your Information Officer changes — for example, because of a staff change — you are expected to update the registration accordingly.
The Information Regulator has indicated that failure to register is a compliance risk. While the Regulator has not routinely prosecuted SMEs for non-registration alone, it is a visible and easily checked indicator of compliance posture that may be examined during an investigation.
---
What should an Information Officer actually do day-to-day?
Beyond the formal list in section 55, effective Information Officers typically:
- Maintain a record of processing activities — a log of what personal information the organisation collects, why, how it is stored, and how long it is retained (relevant to sections 13, 14, and 17).
- Review supplier and operator agreements to ensure that third parties who process personal information on the organisation's behalf do so lawfully.
- Handle data subject requests promptly — POPIA sets time frames for responding to access and correction requests.
- Manage breach incidents — if a security compromise occurs, section 22 requires notification to both the Information Regulator and affected data subjects in prescribed circumstances.
- Train staff on basic POPIA obligations, particularly around how personal information is collected, stored, and shared.
For small businesses, this does not have to be a full-time role — but it does need to be a *real* one, assigned to someone with enough authority to make things happen.
---
A note on the PAIA manual
The Information Officer is also the person responsible for the organisation's Promotion of Access to Information Act (PAIA) manual — the document that explains how members of the public can request information from your organisation. While PAIA and POPIA are separate statutes, they intersect in this role. The Information Regulator provides guidance and template manuals on its website.
---
Common questions
Can a sole trader be an Information Officer? Yes. If you operate as a sole proprietor, you are the Information Officer by default. Registration still applies.
Is there a registration fee? The Information Regulator has not charged a fee for Information Officer registration as of the date of this article, but check the Regulator's portal for current requirements.
What if our Information Officer leaves the business? You should update your registration with the Regulator and designate a replacement as soon as reasonably practicable.
---
Where to go next
- Information Regulator portal: https://www.inforegulator.org.za — for registration, guidance notes, and published enforcement decisions.
- POPIA full text: Available via the Government Gazette through https://www.gov.za.
- PAIA manual templates: Published by the South African Human Rights Commission at https://www.sahrc.org.za.
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including whether your organisation's current designation and registration are sufficient — consult a qualified attorney.