INFO REGULATOR SA STRAT PLAN

Part C

7. Key Risks and Mitigation

Table 12: Key risks and mitigation No Risk Description

Mitigation Plan

Due date for mitigation plan 31 March 2026

Responsible person

1.

Inability to provide timeous feedback on matters (including enquiries).

1.1.

To draft the requirements and specifications of the proposed Information Technology (IT) system.

Chief Information Officer and Executive: POPIA

1.2. 1.3.

To confirm budget for the system. 31 October 2025

Chief Financial Officer

To submit a memorandum to approve the project. To digitalise systems that will enable documentation, tracking and management of enquiries. To assess whether there are Frequently Asked Questions (FAQ’s) on PAIA and POPIA enquiries, updated, approved and submitted for publication. To provide training on enquiries to include skills development. Enquiry process to be developed. Create a customer care division. To conduct an assessment of the enquiry points to the regulator. To present the assessment to POPIA. To devise a management plan of enquiries. To update and further develop online security compromise notification system. To conduct a human resource needs analysis for the Security Compromise subdivision and produce a memorandum to that effect. To confirm the budget for the resources.

31 November 2025 Executive: POPIA

1.4.

31 March 2026

Chief Information Officer

1.5.

30 September 2025 Executive: POPIA and Executive: PAIA

1.6.

31 December 2025 Senior Manager: Human Resource Management & Administration (HRM&A)

1.7. 1.8. 1.9.

1 April 2025 1 April 2025 1 April 2025

Senior Manager: HRM&A Senior Manager: HRM&A Senior Manager: HRM&A

1.10.

30 June 2025

Senior Manager: HRM&A

1.11.

30 June 2025

Senior Manager: HRM&A

2.

Inability to finalise matters in terms of the provisions of POPIA and PAIA within the prescribed timelines.

2.1.

31 December 2025​

Chief Information Officer

2.2.

30 May 2025

Executive: POPIA

2.3.

30 June 2025

Chief Financial Officer

Information Regulator SA

40