In August 2025, the South African Information Regulator issued a notice highlighting widespread non-compliance with the Promotion of Access to Information Act (PAIA). Many organisations were still using outdated request forms, prompting regulators to intervene and mandate the use of the updated Form 2. This development underscores that Data Subject Rights Requests (DSRRs) are not just a European concern but a global compliance priority. Regulators across multiple jurisdictions increasingly expect organisations to respond to access, correction and deletion requests promptly, transparently and in line with statutory requirements. In this blog, we discuss the recent enforcement notice in South Africa and highlight key priorities for privacy teams across jurisdictions. 

Enforcement landscape: South Africa and global trends 

Under PAIA, both public and private organisations in South Africa must maintain a PAIA manual, publish it on their website and premises, and submit it to the Regulator. They must also respond to access requests within 30 days, with one possible 30-day extension in limited circumstances. The August 2025 notice specifically targeted the use of outdated PAIA Form A, which breaches the express provision of the Regulations. Failure to use the updated Form 2 constitutes non-compliance, and the Regulator has statutory powers to investigate related complaints and conduct a compliance assessment. 

South Africa is not alone in tightening scrutiny of DSRR compliance. In the UK, the ICO has also stressed that organisations must respond to Data Subject Access Requests (DSARs) under the UK GDPR and Data Protection Act 2018 without unnecessary delay. It has warned against ignoring requests, failing to explain exemptions clearly, or making individuals navigate complex processes to obtain their data. 

In the US, state privacy laws such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) require responses to deletion and access requests within 45 days. Enforcement materials also highlight the role of opt-out preference signals such as the Global Privacy Control (GPC), which covered businesses are expected to honour. 

What privacy teams should do 

Privacy teams should treat DSRR compliance as a structured and auditable process, not an ad hoc exercise. Key actions include: 

  • Replacing outdated request forms and ensuring all materials (manuals, portals, privacy notices) reflect the current legal standard. 

  • Maintaining a tested end-to-end workflow for receiving, verifying and responding to requests within statutory timelines. 

  • Updating internal and external materials, including privacy notices, portals and manuals, to ensure consistency with legal requirements. 

  • Training staff across functions, particularly Information Officers, customer service teams and IT personnel, making sure that all requests are recognised and handled correctly. 

  • Keeping records of how requests are received, processed and closed, to demonstrate accountability if audited. 

  • For organisations operating in multiple jurisdictions, centralising DSRR processes around the strictest requirements (such as GDPR’s one-month timeline) to minimise the risk of fragmented compliance.  

The DPO or Information Officer should oversee this process by reviewing request logs, ensuring forms and manuals remain up to date, and reporting to senior management on compliance performance. Regular engagement with legal teams and regulators will help anticipate changes and maintain credibility; embedding these practices into the organisation’s culture is what will ultimately reduce enforcement risk. 

Looking ahead 

As the South African experience shows, regulators are paying close attention, not only to whether organisations respond to DSRRs, but also to the practical details of how they do so. Outdated forms, confusing processes or missed deadlines can all trigger enforcement. Businesses that proactively strengthen their DSRR processes will avoid penalties and, importantly, also build trust with individuals exercising their rights.

HewardMills is here to support organisations navigating these developments and looking to reduce enforcement risk by helping design and test DSRR processes, aligning cross-jurisdictional requirements, ensuring robust, documented procedures, and engaging with regulators where necessary.