Systematic Review

Protection of Personal Information Act in Practice: A Systematic Synthesis of Research Trends, Sectoral Applications, and Implementation Barriers in South Africa

by Gugu G. Sema 1,*, Pius A. Owolawi 2 and Oludayo O. Olugbara 1

1 Faculty of Accounting and Informatics, Durban University of Technology, Ritson Campus, Durban 4001, South Africa
2 Department of Computer Systems Engineering, Faculty of Information and Communication Technology, Tshwane University of Technology, Pretoria 0001, South Africa
* Author to whom correspondence should be addressed.
Sustainability 2025, 17(19), 8529; https://doi.org/10.3390/su17198529
Submission received: 1 July 2025 / Revised: 27 August 2025 / Accepted: 28 August 2025 / Published: 23 September 2025
(This article belongs to the Special Issue Advances in Economic Development and Business Management)

Abstract

This study presents a systematic literature review of scholarly research on the implementation and compliance challenges associated with South Africa’s Protection of Personal Information Act (POPIA) between 2014 and 2024. Of the 2069 studies initially retrieved from Scopus and Google Scholar using the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) framework, 41 satisfied the requirements for inclusion in the in-depth analysis. This review explores thematic trends, methodological approaches, and sectoral applications of POPIA-focused research. Results indicate a gradual transition from theoretical discourse to empirical and sector-specific research, with qualitative approaches (e.g., interviews and case studies) being the most dominant. Proposed implementation tactics in the literature include staff training, risk assessment tools, and compliance with international data protection requirements, including the GDPR. This study provides a thorough evidence foundation to guide policy, practice, and future research regarding POPIA compliance in South Africa.

1. Introduction

The growing dependence on data-driven technologies has heightened worldwide apprehensions regarding information privacy and the ethical utilization of personal data. In addressing these challenges, South Africa implemented the Protection of Personal Information Act (POPIA), which was signed into law on 26 November 2013 and became enforceable on 1 July 2021. POPIA constitutes a thorough data protection framework aimed at securing individuals’ personal information through the regulation of its collection, processing, storage, and dissemination. This framework is consistent with international data privacy standards, including the General Data Protection Regulation (GDPR), and establishes eight fundamental principles for lawful data processing, which encompass accountability, purpose specification, data quality, and security safeguards. Due to its extensive ramifications, POPIA has garnered considerable interest across several sectors, including healthcare, retail, education, banking, municipal services, and internet commerce. Nonetheless, despite its legislative purpose, obstacles in execution and adherence remain, especially in entities with limited regulatory preparedness or digital sophistication. These issues are exacerbated by organizational limitations, including restricted technological capability, inadequate consent protocols, and immature data governance. Because of these difficulties, it is important to examine carefully how academic research has addressed the implementation of, and compliance with, POPIA since its inception. This study conducts a systematic literature review (SLR) to synthesize research from 2014 to 2024. It provides insight into the thematic trends, methodological patterns, and sectoral emphasis areas that define how scholars have engaged with POPIA.
Using the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) technique, this review finds gaps, trends, and possible future paths for research on data protection in South Africa. This review is guided by the central research question: What thematic trends, methodological approaches, and sectoral focus areas characterize scholarly research on the implementation and compliance challenges of South Africa’s POPIA from 2014 to 2024?
Importantly, while POPIA is often benchmarked against instruments such as the GDPR, the South African context must also be situated within the broader challenges facing developing countries—namely, limited enforcement capacity, low digital literacy, and infrastructural constraints. Framing this study from a Global South perspective enhances its external validity and provides comparative insights for other developing nations undertaking similar data protection reforms.
This study is further guided by the following sub-questions to address the overarching question:
Q1. What are the prevailing thematic trends in academic literature regarding the implementation and compliance of POPIA?
Q2. What methodological approaches have been utilized in studies centered on POPIA?
Q3. Which sectors are predominantly examined, and what common implementation challenges are identified in the literature on POPIA compliance?
This review systematically examines these questions, mapping the research landscape of POPIA while informing policy-makers, researchers, and practitioners about existing implementation barriers and opportunities for targeted interventions within South Africa’s evolving data governance ecosystem. These three research questions were derived from identified gaps in existing reviews, such as the limited exploration of methodological diversity [1], sector-specific implementation challenges [2], and evolving thematic concerns post-enforcement [3]. They were validated through an initial scoping phase and guided by the need to inform policy design, institutional compliance strategies, and future academic inquiry into privacy legislation in the Global South. In addition to its role in data protection, POPIA holds strategic significance in shaping South Africa’s socio-economic development and digital transformation agenda. Mbonye et al. [4] analyze POPIA’s applicability in AI-driven environments, noting how the Act provides a legal foundation that balances innovation (e.g., AI and big data) with privacy safeguards, which is critical for responsible digital transformation. It underpins trust in digital systems, which is essential for expanding e-governance, health informatics, and financial inclusion initiatives. Moreover, POPIA’s alignment with global data protection standards positions South Africa as a reliable partner in international data cooperation and cross-border digital trade. Thus, understanding its long-term implications is vital not only for national governance but also for transnational data exchanges and an ethical innovation ecosystem.

2. Background

The safeguarding of personal data has become a global necessity, propelled by the rising digitization of services and heightened concerns regarding privacy infringements. In addressing these challenges, South Africa implemented the Protection of Personal Information Act (POPIA), which was signed into law on 26 November 2013 and became fully effective on 1 July 2021. POPIA establishes a detailed framework for the regulation of personal information processing by both public and private entities, in accordance with Section 14 of the Constitution of the Republic of South Africa, 1997, which guarantees the right to privacy. POPIA delineates eight fundamental principles that regulate lawful data processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. The principles align closely with international data protection standards, notably the General Data Protection Regulation (GDPR) of the European Union and various African data protection laws, including those in Ghana, Kenya, and Mauritius (Botha, Grobler, and Eloff [5]).
The Act establishes multiple compliance roles: the Responsible Party, who defines the purpose and methods of data processing; the Operator, who processes data for the Responsible Party; the Information Officer, who ensures compliance within an organization; and the Data Subject, whose personal information is subject to processing. The defined roles collectively establish a compliance ecosystem that necessitates clear responsibilities and oversight (Department of Justice [6]). Since its enforcement, POPIA has presented considerable implementation challenges across multiple sectors, including healthcare, higher education, municipal governance, retail, and digital marketplaces. Research indicates ongoing challenges including limited staff awareness, inadequate consent procedures, weak data governance, and insufficient institutional preparedness [2,7,8]. Additional cross-cutting challenges include the complexity of the Act, resource constraints, and difficulties managing cross-border data transfers, especially in sectors reliant on cloud services or international research collaborations [9,10]. Sector-specific complexities have also been widely documented. In health research, ethical tensions between the protection of personal information and the facilitation of data-driven research are significant [11]. Compliance issues related to direct marketing requirements and third-party data sharing are prevalent in the retail and insurance sectors [12,13]. Small and medium enterprises (SMEs) face significant challenges in achieving full compliance due to constrained financial and technical resources [5].
Early academic research on POPIA primarily emphasized conceptual analysis and theoretical frameworks. However, recent years have witnessed a methodological transition towards empirical investigations, encompassing case studies, interviews, and experimental designs. Empirical methodologies in POPIA research are increasingly evident, as demonstrated in the studies by [3,10,14]. Despite this progress, a need persists for standardized compliance measurement tools, practical implementation guidelines, and sector-specific enforcement strategies to ensure that the objectives of the Act are achieved [15,16]. This systematic review addresses these needs by critically synthesizing research published from 2014 to 2024. Using the PRISMA framework, it identifies thematic, methodological, and sectoral trends in POPIA compliance research, with the aim of informing practice, guiding policy formulation, and advancing the scholarly understanding of data privacy governance in South Africa.

2.1. POPIA’s Eight Principles of Lawful Processing

The Protection of Personal Information Act (POPIA) establishes eight fundamental conditions for the lawful processing of personal information in South Africa. The principles align with international and African data protection standards, including the European Union’s General Data Protection Regulation (GDPR), and provide the legal foundation for privacy governance across sectors [5,17]. POPIA requires that all eight conditions be satisfied for processing activities to be deemed lawful. These principles are designed to promote transparency, accountability, and responsible data stewardship. An overview of the principles is provided in Table 1.
In addition to the principles, Section 40 of the POPIA (Department of Justice, [6]) establishes institutional mechanisms such as the Information Regulator, an independent authority mandated to oversee and enforce compliance. The Act places emphasis on promoting accountability and transparency within organizations that process personal data (Department of Justice [6]; De Bruyn [18]). These foundational principles form the basis upon which compliance frameworks are assessed and guide both sectoral implementation and enforcement strategies across South African institutions (Department of Justice [3]).

2.2. POPIA Principles in Comparison with International Data Protection Laws

South Africa’s Protection of Personal Information Act (POPIA) is conceptually aligned with global and continental data protection frameworks, particularly the General Data Protection Regulation (GDPR) of the European Union and various African data protection statutes. POPIA’s core conditions for lawful data processing, such as accountability, purpose limitation, and security safeguards, mirror foundational elements of data privacy legislation globally [17,19,20,21]. Across jurisdictions, data protection laws are often titled Data Protection Act (DPA), Personal Data Law (PDL), or Protection of Personal Data (PPD). For instance, Angola refers to the PDL, Ghana and Kenya use the DPA, Morocco adopts the Protection of Individuals in Relation to the Processing of Personal Data (PIRPPD) [5], Spain refers to its law as the Ley Orgánica de Protección de Datos (LOPD), and the United States has COPPA and CCPA. It is worth noting that the United States does not have a single comprehensive principal data protection law. Instead, a plethora of laws enacted at both the federal and state levels protect the personal data of US residents [22].
The comparison in Table 2 outlines how POPIA’s eight core principles correspond with those found in other data protection regimes. The regulations contain additional operational elements that put responsibility and obligations on companies; these elements are Data Protection Officers (DPOs), breach notification protocols, cross-border transfer limitations, and online privacy protections.
This table confirms that while POPIA aligns broadly with international standards, particularly in its principles, it also includes key mechanisms such as mandatory breach notifications and cross-border data transfer restrictions, placing it among the more robust regulatory frameworks in Africa. These mechanisms are considered ‘key’, as they are fundamental operational requirements mandated by nearly all comprehensive data protection regimes (e.g., GDPR and PIPEDA), ensuring enforceability and organizational accountability [5,22]. While POPIA and the GDPR share a similar rights-based foundation, several contextual distinctions influence their practical implementation. The GDPR operates within the European Union’s supranational regulatory infrastructure, backed by strong institutional enforcement and a culture of privacy activism. In contrast, South Africa’s implementation landscape is characterized by fragmented institutional capacity, lower levels of digital literacy, and uneven enforcement resources (Jones [23]). Culturally, public awareness and demand for data rights remain nascent in South Africa compared to the EU. These differences create a unique compliance ecosystem for POPIA, where institutional mandates must be tailored to navigate socio-economic disparities, infrastructural limitations, and the need for awareness-raising campaigns. Consequently, while the legislation aligns in principle, its operationalization presents distinct regulatory and cultural challenges.
Figure 1: Comparative heatmap visualizing how South Africa’s POPIA principles align with international data protection laws across various countries.
The heatmap presented offers a comparative visual analysis of the extent to which South Africa’s Protection of Personal Information Act (POPIA) aligns with international data protection laws across 19 jurisdictions. Each country is assessed against thirteen key regulatory principles, including core components such as accountability, processing limitation, purpose specification, security safeguards, and data subject participation, as well as operational and enforcement-oriented features like the requirement for a Data Protection Officer (DPO), breach notification protocols, and restrictions on cross-border data transfers. In this visualization, the presence of a regulatory feature is denoted by a value of “1” (depicted in dark blue), while its absence is represented by a value of “0” (shown in light yellow). The resulting pattern provides a clear illustration of compliance density across nations.
POPIA demonstrates robust alignment with international standards, fulfilling all thirteen evaluated principles and positioning South Africa among the jurisdictions with the most comprehensive data protection legislation. Similarly, the European Union’s General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also reflect extensive coverage, confirming their status as global benchmarks. In contrast, while several emerging economies such as Kenya, Ghana, and Mauritius exhibit strong adherence to foundational principles, they often lack certain advanced operational requirements. The most notable ones are those related to the appointment of DPOs, mandatory breach notification mechanisms, and specific provisions for electronic marketing and online privacy. Countries such as Morocco, Gabon, and Burkina Faso demonstrate more limited alignment, particularly in the area of enforcement and cross-border data regulation. This comparative analysis underscores POPIA’s substantive alignment with both global and continental privacy frameworks and affirms its maturity relative to peer legislation. However, it also highlights the disparities in regulatory completeness and institutional enforcement capacity between developed and developing nations. Such asymmetries have implications for data sovereignty, international data exchange, and the global harmonization of privacy standards.

3. Methodology

This study uses a systematic literature review (SLR) technique, a controlled and repeatable way to combine previous research into a complete, impartial picture of a given issue. Systematic reviews are recognized as methodologically sound and can inform both academic discussion and real-world applications. The PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) framework guides this review. It has four steps: (1) identifying the relevant literature, (2) screening the studies that were found, (3) checking the full-text articles for eligibility, and (4) including the chosen studies and then extracting data and checking its quality.

3.1. Identification

The first step was to find and obtain relevant peer-reviewed articles from two of the best academic databases: Scopus and Google Scholar. We picked these platforms because they provide a lot of high-impact scientific articles and conference proceedings. We used Boolean logic to combine important words on the subject, such as “Protection of Personal Information Act” OR “POPIA Compliance”.
We used search queries in Scopus to improve the accuracy of retrieval by searching the Title, Abstract, and Keywords fields. We used larger phrase-based searches on Google Scholar to make sure we found all the gray literature and open-access papers. The purpose was to find out how much empirical, theoretical, and methodological research there is on the problems with implementing and following POPIA in South Africa in different economic and organizational settings.

3.2. Screening

After the identification phase, a screening procedure was used to check for relevance and academic quality. Studies were included if they clearly addressed how POPIA is applied or complied with in South Africa. Studies that qualified used a variety of methods, including empirical (qualitative, quantitative, or mixed-method), theoretical, and case-based. Additionally, papers were required to demonstrate substantive analytical depth, either through the application of conceptual frameworks, policy evaluations, or implementation-focused discussions. Studies that only mentioned POPIA in passing, focused solely on cybersecurity, or lacked academic rigor (e.g., opinion pieces or non-peer-reviewed sources) were excluded.

3.2.1. Inclusion Criteria

  • Published in English.
  • Published between 2014 and 2025 (POPIA was signed into law in 2013 and became enforceable in 2021).
  • Explicitly focus on POPIA compliance or implementation within South African organizations or systems.
  • Include journal articles, conference papers, reviews, book chapters, and notes.
  • Are available in full-text and open-access formats.

3.2.2. Exclusion Criteria

  • Non-English publications.
  • Studies unrelated to POPIA or not addressing implementation/compliance.
  • Non-academic content (e.g., blog posts and editorials).
  • Duplicate entries.
  • Restricted-access or inaccessible full-text articles.

3.3. Eligibility and Study Selection

The study selection process began with an initial retrieval of 2069 records: 1970 from Google Scholar and 99 from Scopus. After removing 12 duplicates, the dataset was screened for relevance. In Google Scholar, 1936 records were excluded due to a lack of thematic relevance, leaving 27 eligible studies. In Scopus, 80 out of 99 were excluded, resulting in 14 relevant studies. The remaining pool of 41 studies constituted the final set used for the full-text analysis and synthesis presented in Table 3.
These articles were imported into an Excel spreadsheet for metadata coding and manual validation. Screening involved the evaluation of titles, abstracts, and full texts against the inclusion/exclusion criteria. This multi-phase process, aligned with PRISMA guidelines, ensured that only high-quality, thematically relevant research was included.
Figure 2 (PRISMA flow diagram) and Table 3 (search results summary) illustrate the detailed breakdown of study selection outcomes.

3.4. Inclusion Criteria and Data Extraction

The data extraction process in this systematic literature review was methodically designed to ensure alignment with the study’s research questions and objectives. Following the identification, screening, and eligibility assessment stages, 41 articles were selected for in-depth review. These articles were deemed relevant based on clearly defined eligibility criteria, which required them to be peer-reviewed original research papers, systematic reviews, or conference proceedings, all published between 2014 and 2024. Only studies written in English and explicitly focusing on POPIA implementation and compliance within South Africa were included. This ensured that all the selected literature was both accessible and directly pertinent to the scope of this study.
The data extraction phase was guided by established systematic review practices, which advocate for the structured collection of key study characteristics for comparative and thematic analyses. For each included publication, the following attributes were extracted: author(s), publication year, citation count, study type, sectoral focus, methodological approach, primary research focus, publisher, and journal ranking (using either the Scimago Journal Rank (SJR) or H-index, depending on the publication venue). This metadata provided a comprehensive foundation for evaluating patterns, trends, and gaps across the POPIA-related literature landscape.
To visualize the scholarly distribution of the selected studies, Figure 3 presents the sources from which the publications were derived. The majority of the literature originated from peer-reviewed journals, followed by conference proceedings and book chapters.
Figure 3, titled “Distribution of Publication Sources in POPIA Research (2014–2024)”, presents a visual summary of the scholarly sources contributing to the literature on the Protection of Personal Information Act (POPIA) during the specified timeframe.
The chart indicates that most research outputs (n = 50) were disseminated as journal articles, underscoring the significance of peer-reviewed academic journals in sharing knowledge regarding POPIA compliance and implementation. Subsequently, there are conference papers (n = 27), indicating that the topic has garnered considerable attention in academic and professional settings where emerging research is commonly presented and examined. Other publication formats are less prevalent: book chapters (n = 8) and review papers (n = 7) represent a moderate segment of the literature, whereas conference reviews (n = 3), notes (n = 2), and letters (n = 2) constitute a minor portion of the overall research output. The graph demonstrates that research on POPIA has primarily been disseminated through formal peer-reviewed channels, with journals as the main medium of scholarly communication. The variety of source types, despite being uneven, indicates an increasing and multi-format scholarly focus on data privacy legislation and its implementation in South Africa.
Figure 4 presents a temporal analysis of publication activity, illustrating the annual distribution of the 41 studies from 2014 to 2024.
Figure 4 reflects a notable increase in academic interest in POPIA, particularly following the enforcement of the Act in 2021. A peak was observed in 2024, during which seven papers were published. Annual publication outputs ranged from three to four papers between 2015 and 2020, with a gradual rise to six in 2021 and sustained interest through 2022 and 2023, each producing four studies. This trend underscores the dynamic and expanding nature of scholarly engagement with data protection and regulatory compliance in the South African context.
In terms of geographical representation, Figure 5 shows that 94% of the selected literature originated from South African institutions, reflecting the local relevance and applicability of the topic.
The remaining contributions were distributed evenly between the United Kingdom and Tanzania, each accounting for approximately 3% of the total sample. The extracted data provided a robust basis for analyzing sectoral coverage, methodological rigor, and thematic orientations of the studies, thereby enabling the synthesis of implementation trends and compliance challenges addressed in the broader body of POPIA research.

3.5. Data Extraction Table and Characteristics of Included Studies

The data extraction process involved a detailed and systematic collection of key characteristics from each of the 41 studies included in the review. For every selected publication, specific information was carefully gathered to ensure consistency and depth of analysis. This included the name of the author(s), the type of study conducted, the number of citations received, the sectoral focus of the research, the methodological approach employed, and the primary research objective or thematic emphasis as indicated in Table 4. In addition, the publisher of each article was noted, along with either the Scimago Journal Rank (SJR) or the H-index, depending on the nature of the publication outlet. For studies published in conference proceedings, the evaluation was based on the H-index of the conference series, whereas those published in academic journals were assessed using the SJR metric. This dual-ranking approach provided a robust means of evaluating both the scholarly impact and the dissemination quality of the reviewed literature.
Figure 6 presents a VOSviewer (version 1.6.20) visualization illustrating the most frequently co-occurring and prominent terms found in the literature related to POPIA compliance and implementation. The visualization highlights key concepts, with the size of each word corresponding to its frequency in the analyzed text. Central terms such as “POPIA”, “POPI”, “Protection of personal information”, “compliance”, and “data privacy” appear prominently, underscoring their foundational role in the discourse. Other notable terms include “data breach”, “information security”, “privacy governance”, “governance”, and “data”. This VOSviewer visualization offers a snapshot of the thematic breadth of the reviewed literature, showcasing the importance of POPIA implementation and compliance. It highlights the evolving research focus on addressing challenges and leveraging opportunities in this emerging field.

3.5.1. Annual Research Output Trends (2015–2024)

Figure 4 illustrates the annual research output trends related to POPIA from 2015 to 2024. The bar chart reveals a gradual increase in scholarly productivity over the years, with significant peaks observed in 2021 and 2024, each registering five publications. This rise in output appears to align with the enforcement of the POPIA in 2021, suggesting that the legal activation of the legislation served as a catalyst for both academic and applied interest in data privacy compliance. The continued output in 2022 and 2023, marked by three publications each year, indicates ongoing engagement with the topic. In contrast, the earlier years from 2015 to 2018 reflect a phase of foundational inquiry, likely focused on conceptual clarification, early compliance readiness, and the interpretation of the Act prior to its official implementation.
The surge in research output from 2021 to 2024 can be attributed to multiple converging factors beyond the Act’s enforcement. These include heightened public awareness following data breaches and cyber incidents, increased institutional demand for compliance frameworks, and the integration of privacy-by-design principles into South Africa’s broader digital economy policies. Furthermore, the growth of interdisciplinary research in law, ICT, and ethics, as well as funding incentives by regulatory bodies and universities, likely contributed to the scholarly interest. The COVID-19 pandemic also accelerated digitization, prompting more attention to digital privacy risks and legal safeguards.

3.5.2. Citation Distribution by Study Type

Figure 7: Citation distribution by study type. This boxplot illustrates citation frequency across qualitative, theoretical, empirical, and methodological study types, highlighting outliers and distribution patterns. Notably,
  • Literature reviews and theoretical studies tend to have higher median citation counts, reflecting their broad utility and reference value.
  • Empirical and qualitative studies show variable citation performance, suggesting sector-specific or context-sensitive relevance.
  • Case studies and scoping reviews have moderate but consistent citation values.
This suggests that while all study types contribute to the body of knowledge, methodological and theoretical frameworks tend to shape future discourse more substantially.

3.5.3. Sectoral Quality (Average SJR/H-Index)

The third graph illustrates the average Scimago Journal Rank (SJR) or H-index scores across sectors, revealing substantial variation in the quality and visibility of publication outlets for POPIA research. The finance and small and medium enterprise (SME) sectors dominate, both achieving the highest average scores of approximately 7. This suggests that studies in these domains are frequently published in globally recognized, high-impact venues such as IEEE or well-ranked business and information systems journals. The high rankings likely stem from the global regulatory salience of financial data protection, the technical sophistication of SME-focused compliance frameworks, and the direct relevance of these studies to international audiences concerned with cybersecurity, fintech, and e-commerce trust.
Cross-sectoral studies occupy the third position with an average score of around 3.5, indicating moderate scholarly visibility. This can be attributed to their broader applicability across industries, making them suitable for multidisciplinary journals and conferences. These studies often contribute conceptual models or compliance toolkits that transcend sectoral boundaries, thereby appealing to a wider academic readership. In contrast, retail, IT, municipal governance, health, organizational compliance, universities, insurance, digital marketplaces, and energy sectors cluster at significantly lower SJR/H-index levels (below 1). Several factors likely contribute to this trend:
(i) Local or niche dissemination—Many of these studies are published in South African or regional journals with lower international citation indices.
(ii) Applied rather than theoretical focus—Sector-specific implementation research may be tailored for practitioner audiences, limiting publication in high-impact academic outlets.
(iii) Lower global resonance—Certain domains, such as municipal governance or local retail, may have limited appeal beyond the national context, reducing opportunities for placement in top-tier, internationally indexed journals.
(iv) Emerging research maturity—In fields like digital marketplaces or energy, POPIA-focused research is still in its early stages, with relatively few contributions achieving methodological or conceptual maturity that meets high-impact journal thresholds.
The low average for the health sector is particularly notable, given its prominence in the volume of POPIA literature. This suggests a mismatch between research quantity and the quality or ranking of publication outlets. Possible explanations include publication in specialized bioethics or public health law journals that, while thematically relevant, often have modest citation metrics compared to leading technology or law journals.
Overall, the data highlights a clear stratification in publication impact, where sectors with high global regulatory relevance and technological sophistication (finance and SMEs) outperform more localized or emerging domains in scholarly visibility. This suggests a need for targeted strategies to elevate the publication profile of underrepresented sectors—such as fostering interdisciplinary collaborations, adopting comparative international methodologies, and aligning research outputs with the editorial priorities of higher-ranked journals.
The statistical summary of POPIA research publications reveals several noteworthy patterns. The average number of citations across the studies is approximately 15.77, while the median stands at 5.00. The high standard deviation of 37.71 indicates substantial variability in citation counts, largely influenced by a few outliers, most notably a methodological study that alone received 211 citations. This suggests that while some works have garnered significant academic attention, the majority have seen more modest citation performance.
In terms of publishing impact, the mean SJR or H-index value across all sources is 1.25, with a median of 0.45 and a standard deviation of 2.26. These figures suggest a skewed distribution in journal and conference quality. A small number of studies were published in prestigious, high-impact venues such as IEEE and PLOS ONE, while a larger portion appeared in mid-tier or niche journals with lower visibility.
Despite lower average SJR values, retail and insurance sectors are discussed due to their critical role in processing consumer data and recurring compliance violations [12,15]. Health research remains central due to its ethical complexity and data sensitivity, not necessarily its publication impact. The skewed distribution in publication quality (Figure 8) reflects variation in the maturity and visibility of sector-specific research streams rather than the intrinsic importance of the sectors themselves.
Among the various study types, methodological studies were the most common, reflecting a scholarly emphasis on developing frameworks, assessment models, and systematic approaches to understanding and implementing POPIA compliance. By sector, health research emerged as the dominant focus, underscoring strong academic interest in the implications of POPIA for biomedical ethics, data privacy in healthcare settings, and the management of electronic health records, as indicated in Table 5.
The collective insights drawn from these visualizations and statistical analyses indicate a clear and steady expansion in POPIA-related research, particularly following key milestones in the Act’s enforcement. The reviewed literature demonstrates methodological diversity, with a notable concentration of influence seen in methodological and theoretical studies, which tend to shape academic discourse more profoundly. Furthermore, the research that appears in high-impact publication venues is largely concentrated in sectors with strong international regulatory frameworks, such as finance, information technology, and insurance. In contrast, certain sectors—such as municipal governance and general organizational compliance—remain underrepresented in high-visibility outlets. This disparity suggests a valuable opportunity to enhance the quality and impact of research in these domains through interdisciplinary collaboration and more focused scholarly engagement.

4. Risk of Bias/Quality Assessment

To evaluate the methodological integrity of the studies included in this review, the Risk of Bias in Non-randomized Studies—of Interventions (ROBINS-I) tool was employed. ROBINS-I is widely recognized for its capacity to assess bias in non-randomized studies by applying a counterfactual causal inference approach. Unlike traditional assessment tools, it allows for comparisons of study quality on an absolute scale, where a low risk of bias in a non-randomized study may be considered equivalent to that of a well-executed randomized controlled trial (RCT). This makes ROBINS-I particularly valuable in systematic evidence synthesis for complex policy and regulatory topics like POPIA compliance.
The results of the ROBINS-I assessment are summarized in Figure 9. A clear majority of the studies, 37 out of 41, were rated as having a low risk of bias, indicating that these studies were conducted with rigorous methodological controls and present credible findings. Three studies were identified as having a moderate risk of bias, suggesting some limitations in design or data interpretation that do not critically undermine their conclusions but warrant cautious interpretation. Only one study was found to have a serious risk of bias, signaling substantial methodological flaws that may compromise the reliability of its inferences. This overall distribution indicates that the body of POPIA-related research exhibits strong methodological robustness, with the vast majority of studies demonstrating a high standard of design and execution. The predominance of low-risk studies enhances the credibility of the synthesized findings and supports the reliability of conclusions drawn about compliance patterns, sectoral focus, and implementation challenges across the reviewed literature.

4.1. Quality Assessment Using a Modified Likert Approach

To ensure the methodological soundness of the studies included in this systematic review, a structured quality assessment was conducted using a three-point Likert scale, adapted from established Likert scaling principles [51] and tailored to the specific needs of POPIA research evaluation. Within this framework, each quality criterion was scored as follows: 1 for Poor, 2 for Fair, and 3 for Good. This simplified scoring mechanism provided an accessible yet robust tool for evaluating scholarly rigor while maintaining reliability and objectivity.
Each criterion was rated using a three-point Likert scale: (1) Poor = missing or entirely undeveloped; (2) Fair = present but incomplete or vague (e.g., incomplete method, logical description); (3) Good = clearly articulated and substantiated with appropriate detail. This schema improves transparency and scoring consistency.
Each study was evaluated across seven predefined quality assurance (QA) criteria, which collectively addressed the relevance, methodological transparency, analytical depth, scholarly orientation, and thematic focus of the research.
The QA criteria are listed in Table 6 and include questions such as whether the study clearly indicates its objectives, employs a defined methodological and analytical approach, and focuses on POPIA implementation and compliance within South African organizational contexts.
The maximum attainable score for any single study was 21 points. A minimum threshold score of 5.5, equivalent to 50% of the maximum possible score, was set to determine inclusion in the final synthesis. This benchmark ensured that only studies demonstrating a baseline level of academic rigor and relevance were retained for analysis. Out of the total pool of reviewed publications, 41 studies met or exceeded this quality threshold and were therefore included in the final synthesis. The 41 studies are shown below in Table 7.

4.2. Quality Assessment and Inter-Rater Reliability

The quality assessment was designed to ensure transparency, methodological rigor, and high inter-rater reliability. Initial scoring and data extraction were performed by one researcher, after which two additional team members independently verified the results. Three reviewers, each with expertise in data privacy, legal policy, and systematic review methodology, independently assessed every study against the predefined criteria in Table 6. The review team comprised a PhD candidate in information governance, a data protection legal scholar, and a computer science professor with extensive SLR experience, as presented below:
  • Reviewer A—PhD candidate in information governance, specializing in African data protection frameworks.
  • Reviewer B—Legal scholar in data protection and privacy law.
  • Reviewer C—Professor of Computer Science with extensive SLR and bibliometric analysis experience.
To minimize bias and potential groupthink, initial scoring was anonymized.
Structured consensus meetings followed, during which reviewers justified their assessments with direct reference to the scoring criteria and supporting evidence. Disagreements were resolved through iterative discussion until full consensus was reached before final inclusion or exclusion decisions. Inter-rater agreement was evaluated using Cohen’s Kappa statistic, which adjusts for chance agreement. The resulting coefficient was 0.82, indicating almost perfect agreement according to Landis and Koch’s [52] benchmark scale (Figure 10). This high κ value confirms the consistency and reliability of the scoring process.
This rigorous evaluation procedure not only ensured the credibility and validity of the included studies but also established a robust foundation for evidence synthesis. It also revealed persistent gaps in the POPIA-related literature, such as underreporting of analytical frameworks and inconsistent articulation of methodological strategies. These findings underscore the need for more standardized research practices in future POPIA compliance studies.
A transparent quality checklist table accompanies this assessment and presents the scoring outcomes, thus reinforcing the trustworthiness and applicability of the findings. By adhering to best practices in systematic review methodology, this study contributes meaningful and well-substantiated insights to the ongoing discourse on data protection regulation and compliance in South Africa.

5. Results

5.1. RQ1: What Are the Dominant Thematic Trends in the Scholarly Literature on POPIA’s Implementation and Compliance?

Thematic trends identified in the scholarly literature reveal several recurring and critical challenges in the implementation of and compliance with the Protection of Personal Information Act (POPIA) across South African sectors. One of the most persistent themes is a general lack of awareness and understanding of POPIA’s provisions. Many stakeholders, including those within South African universities, remain inadequately informed about their obligations under the Act [3]. This knowledge gap is not isolated to academia; it also extends across key sectors such as healthcare and retail, where institutional actors often demonstrate limited comprehension of data protection principles. This deficit underscores the urgent need for targeted training programs and awareness campaigns, especially tailored for professionals such as software developers and healthcare providers who routinely handle sensitive personal information.
Another dominant trend relates to the complexity and cost of compliance. Literature consistently highlights the high resource burden associated with POPIA implementation, particularly in the health sector. In these settings, organizations are expected to safeguard personal health data while balancing the public interest, creating operational tensions, and escalating compliance costs [7]. A third emerging theme involves deficiencies in data management practices. Many organizations struggle with classification, storage, and protection of personal information. Issues such as data leakage, unauthorized access, and non-compliance with direct marketing preferences are frequently reported. In sectors like health research, there has been progress in adopting risk assessment tools and data inventory systems, although these practices remain unevenly distributed. The challenge of consent management is also prevalent in the literature. Obtaining valid, specific, and informed consent remains difficult, particularly in complex data environments such as biobanking and health research. In response, some studies have proposed the development of formal consent frameworks and the exploration of limited exemptions where appropriate. Additional themes include inadequate security safeguards, unregulated third-party data sharing, and non-compliant direct marketing practices. These issues are most pronounced in the retail and insurance industries, where personal data is often shared across organizational boundaries without appropriate consent or auditing mechanisms. Similarly, cross-border data transfers raise concerns regarding the adequacy of protection in recipient jurisdictions, especially for multinational corporations and international research consortia [11]. A final theme focuses on the lack of standardized compliance assessment tools. 
The literature notes that while some progress has been made in developing sector-specific toolkits and frameworks, a uniform and widely adopted mechanism for evaluating POPIA compliance is still lacking [14]. These thematic insights are summarized in Table 8, which provides an overview of the key compliance areas, associated challenges, implementation approaches, and sectoral variations.
This thematic structure supports a holistic understanding of the multifaceted barriers to POPIA compliance and highlights the areas where further academic inquiry and policy intervention are most urgently required.

5.2. RQ2: What Methodological Trends and Approaches Are Used in These Studies?

An analysis of the methodological approaches adopted in POPIA-related research reveals diverse and evolving patterns. The most commonly employed research strategy is the case study, with 13 studies adopting this method to explore organizational experiences and challenges in implementing the Act. Document analysis was the second most prevalent approach, appearing in nine studies, followed closely by theoretical analysis (eight studies), surveys (five studies), and interviews (four studies). A smaller number of studies applied multi-case study designs (two studies), while experimental research, exploratory analyses, literature reviews, and formal concept analysis appeared less frequently. Regarding study types, qualitative research dominates the methodological landscape, accounting for 13 of the 41 reviewed studies. This is followed by methodological studies (nine studies), theoretical studies (eight studies), and empirical research (five studies). Other categories include literature studies (four studies) and single instances of scoping reviews, formal concept analysis, and development process-focused research.
Notably, many publications integrated multiple methodological techniques, blending qualitative and quantitative approaches to deliver richer, more nuanced analyses. Several key methodological trends emerge from the literature. One is a progressive shift towards empirical research, reflecting the field’s maturation. While earlier investigations of POPIA were largely conceptual and theoretical, more recent work increasingly employs empirical methodologies such as surveys, interviews, and case studies. This transition suggests an increasing emphasis on practical implementation, real-world outcomes, and measurable indicators of compliance. The second trend is the prevalence of qualitative methods, particularly semi-structured interviews and in-depth case studies, which offer context-sensitive insights into the challenges organizations face in implementing POPIA.
These qualitative studies often examine sector-specific issues and organizational behavior, shedding light on both internal capacity constraints and external regulatory pressures. A third trend is the use of mixed-method designs, where qualitative insights are combined with quantitative data to produce comprehensive evaluations of compliance challenges and solutions. These approaches reflect the interdisciplinary nature of data protection research and its intersection with legal, technological, and organizational domains. A fourth trend involves the rise in systematic literature reviews, which have begun to emerge as a response to the expanding volume of POPIA-related research [53]. These reviews play a crucial role in synthesizing existing findings, identifying knowledge gaps, and offering direction for future inquiries. Additionally, comparative studies are gaining prominence. Several studies draw parallels between POPIA and international frameworks such as the General Data Protection Regulation (GDPR), highlighting areas of convergence and divergence [16]. Others compare POPIA compliance practices across different countries or sectors to uncover patterns in implementation and enforcement.
Lastly, this review reveals a growing focus on sector-specific analyses, particularly within health research and financial services. These targeted investigations underscore the distinct compliance requirements and operational challenges encountered by specific industries, suggesting the need for tailored regulatory guidance and implementation frameworks. Overall, the methodological diversity and evolution observed in the POPIA literature indicate a maturing research field that is increasingly empirical, context-sensitive, and aligned with international discourse on data protection and information governance. The shift from theoretical to empirical research coincides with the operationalization phase of POPIA, as organizations sought practical insights to comply with the Act. This transition reflects a broader maturation of the regulatory environment and a growing demand for implementation evidence to inform institutional policies. It is also aligned with South Africa’s broader digital public policy evolution, which increasingly emphasizes evidence-based governance. Additionally, increased access to institutional case studies, interview data, and sectoral compliance reports enabled researchers to explore real-world dynamics, moving beyond conceptual analysis.
The bar chart in Figure 11 provides a comparative overview of the different methodological approaches employed in POPIA-related studies between 2015 and 2024.
The most frequently used method is the case study, with 13 instances, highlighting the dominant trend of exploring organizational and institutional experiences in a real-world setting. This method is particularly effective for uncovering in-depth insights into POPIA compliance processes within specific contexts. Following closely are document analysis (nine studies) and theoretical analysis (eight studies), reflecting an early reliance on literature-based exploration and policy interpretation, especially during the initial stages of POPIA enforcement. The presence of surveys (five) and interviews (four) shows a growing interest in empirical and field-based evidence collection. However, quantitative experimental research, exploratory methods, formal concept analysis, and literature reviews remain underrepresented, each accounting for only a single study. This distribution highlights a strong preference for qualitative approaches in the field, suggesting that researchers are primarily focused on exploring interpretive, sector-specific, and implementation-level challenges. The low frequency of experimental and formalized quantitative studies points to an opportunity for future research to incorporate broader empirical validation and methodological diversification. The timeline graph compares theoretical vs. empirical methodological trends in POPIA research from 2015 to 2024. This graph visually demonstrates the gradual shift from theoretical to empirical approaches, highlighting the field’s methodological evolution.
Figure 12 illustrates the temporal evolution of theoretical and empirical research in the POPIA domain over a ten-year period. From 2015 to around 2018, theoretical studies consistently outnumber empirical ones, reflecting an initial phase in which scholars sought to understand and interpret the Act, its legal foundations, and its alignment with international frameworks like the GDPR. From 2019 onwards, there is a noticeable shift towards empirical methodologies, with empirical studies surpassing theoretical ones, particularly in 2021 and 2024, when three empirical studies were published each year. This shift indicates a maturing field where attention has moved from conceptual understanding to evaluating real-world implementation, compliance practices, and policy outcomes. The decline in theoretical work post-2019 suggests that foundational interpretations of the Act have largely been established, and researchers are increasingly focused on gathering practical evidence through case studies, surveys, interviews, and experimental designs. This trend aligns with the growing institutional pressure for evidence-based policy-making and highlights the importance of empirical contributions in shaping national compliance strategies, sector-specific adaptations, and future legislative reforms.

5.3. RQ3: Which Sectors Are Most Frequently Studied in POPIA Implementation, Compliance, and Cross-Cutting Implementation Barriers Research?

An analysis of the sectoral distribution in POPIA-related research reveals that certain industries have received considerably more scholarly attention than others. The most frequently studied domain is general organizational compliance, accounting for 14 out of 41 studies. These investigations typically examine the overarching challenges and practices associated with POPIA implementation across a variety of organizational settings, including public institutions, corporations, and non-profit entities. Health research follows closely, with 13 studies, reflecting sustained interest in the ethical, legal, and operational complexities of managing personal health data under the POPIA framework. Given the sensitive nature of health-related information and the sector’s reliance on data for research and care delivery, this area has emerged as a critical focus of POPIA compliance discourse.
The insurance sector has received moderate attention, represented by three studies that explore compliance dynamics, risk management, and data governance frameworks. Universities and cross-sectoral investigations, particularly those involving small and medium enterprises (SMEs), are covered in two studies each, highlighting growing but still limited academic interest in institutional data protection and capacity-building efforts in under-resourced environments. Several additional sectors have been addressed only in single studies, including energy, e-commerce, retail, financial services, information technology, and municipal government. While these industries are critical data handlers in the digital economy, their minimal representation suggests a gap in sector-specific investigations and points to opportunities for future research. In addition to this sectoral mapping, the reviewed literature identifies several cross-cutting implementation barriers that span sectors and impact the overall effectiveness of POPIA compliance. One of the most pervasive barriers is the lack of awareness and understanding of POPIA’s legal and procedural requirements. This challenge is especially pronounced in SMEs and non-specialist sectors, where training resources and legal expertise may be limited. Many organizations demonstrate insufficient understanding of key compliance concepts such as lawful processing, consent management, and data subject rights. Another major obstacle is the complexity of the Act itself. POPIA’s principle-based framework and nuanced legal language present significant interpretive challenges, often leading to uncertainty in implementation. This results in varied compliance strategies across sectors and a lack of uniformity in organizational practices, even among institutions operating within the same regulatory environment. Resource constraints further exacerbate these issues.
Many organizations, particularly SMEs, face limited financial, technical, and human resources to support POPIA-aligned data protection programs. This includes barriers to appointing Information Officers, developing internal compliance frameworks, and maintaining secure digital infrastructure. In these settings, compliance efforts are often reactive and fragmented, rather than proactive and systematic. Taken together, the findings suggest that while POPIA research spans a diverse array of sectors, scholarly attention remains concentrated in a few domains. Moreover, persistent cross-sectoral challenges, namely limited awareness, legislative complexity, and resource scarcity, continue to hinder full-scale implementation. Addressing these challenges through targeted training, simplified regulatory guidance, and support for capacity-building is essential to advancing compliance across all sectors.
Figure 13 provides a clear visualization of the thematic concentration of scholarly work across various sectors in South Africa. The analysis is based on 41 reviewed studies, and the distribution highlights a substantial skew in research attention toward a few dominant domains. The general organizational compliance category accounts for the largest portion of studies at 35%, underscoring the broad interest in how various organizations across public, private, and non-profit sectors interpret and implement POPIA provisions. These studies often take a holistic view of compliance readiness, institutional challenges, and policy alignment, making them foundational to the POPIA discourse. Health research emerges as the second most studied sector, comprising 32% of the total. This high representation reflects the critical nature of personal health information and the stringent ethical and legal requirements tied to its management. Given the rise in digital health records and data-driven healthcare systems, the sector’s prominence in POPIA-related studies is both expected and justified. The insurance sector, while smaller, still garners 8% of the research focus. This reflects its reliance on sensitive personal and financial data, making it a logical priority area for compliance analysis. Universities and cross-sectoral small and medium enterprises (SMEs) each represent 5%, indicating emerging interest in institutional practices within education and the practical constraints faced by resource-limited enterprises.
The remaining sectors, including energy, e-commerce, retail, financial services, information technology, and municipal government, each account for only 3% of studies. This underrepresentation suggests a significant research gap, particularly in domains where large-scale personal data processing is routine and increasingly digitalized. In summary, the chart reveals a concentration of research in generalized and health-specific contexts, while sectors that are also critically exposed to data protection challenges remain underexplored. These findings emphasize the need for a more balanced and sector-responsive research agenda, especially in high-risk and underserved areas such as local governance, technology, and digital commerce.
Future investigations into these domains would not only enhance academic understanding but also provide practical insights into policy refinement and sector-specific compliance strategies.

5.4. Emerging Dimensions for Future Literature Mapping

Beyond the current RQs, future literature syntheses could analyze author collaboration networks, institutional affiliations, regional policy influences, and funding sources. Such metadata analysis would illuminate the structural dynamics behind POPIA research and offer insight into academic–practitioner linkages, as well as geographic and institutional drivers of knowledge production.

6. Discussion

This systematic literature review provides a comprehensive synthesis of the current scholarly landscape concerning the implementation of and compliance with the Protection of Personal Information Act (POPIA) in South Africa. The discussion below integrates the findings related to the three key research questions posed in this study, drawing broader implications and identifying critical directions for future research and practice. In response to RQ1, the analysis reveals several cross-cutting thematic trends that consistently appear across multiple sectors. Foremost among these is the widespread lack of awareness and understanding of POPIA’s provisions among organizational staff and leadership. This knowledge gap is particularly evident in small and medium enterprises (SMEs) and sectors lacking specialized legal or data protection expertise. This review also highlights that while POPIA articulates overarching principles, there is a shortage of practical, operational guidance to support its implementation. Many organizations struggle to translate POPIA’s legal requirements into actionable, day-to-day procedures. A recurring barrier identified is the complexity of the Act itself. The principle-based structure, although flexible, often leads to uncertainty and inconsistent interpretations, particularly when applied in resource-constrained environments. This is further complicated by sectoral differences in data sensitivity, infrastructure readiness, and organizational maturity. Additionally, resource limitations, both financial and human, emerge as a pervasive obstacle, especially among SMEs. The cost of compliance-related technologies, staff training, and the hiring of Information Officers or legal specialists poses a significant challenge to effective implementation.
Addressing RQ2, this review reveals a methodological evolution in the field of POPIA research. Earlier studies were predominantly theoretical and conceptual, focusing on normative frameworks, legal interpretations, and comparative policy analyses. However, there is a clear and growing shift towards empirical research, with an increasing number of studies employing surveys, case studies, interviews, and experimental methods to assess real-world compliance practices. This trend underscores the field’s maturation and its alignment with evidence-based policymaking.
Qualitative methodologies remain prevalent, especially semi-structured interviews and document analysis, which offer detailed insights into organizational practices, compliance strategies, and policy implications. Sector-specific studies have become more prominent, particularly in domains such as healthcare, retail, insurance, and financial services, where the stakes of data protection are especially high. In recent years, there has also been an emergence of systematic literature reviews and experimental designs that test data-sharing practices and compliance behaviors, signaling a methodological diversification that enhances both analytical rigor and practical relevance. In relation to RQ3, this review highlights the disproportionate research focus on certain sectors, most notably general organizational compliance and healthcare, with comparatively limited attention given to sectors such as retail, municipal services, e-commerce, and ICT. This imbalance suggests the need for broader sectoral engagement to ensure that POPIA compliance strategies are informed by diverse operational realities.
In the health sector, concerns have been raised about the Act’s implications for the processing of health data, especially in research and clinical contexts. This has prompted a call for sector-specific codes of conduct to balance data protection imperatives with the ethical obligations of patient care and scientific inquiry. In retail and medical aid sectors, this review finds notable non-compliance, particularly regarding direct marketing practices and the failure to honor opt-in/opt-out preferences, raising concerns about consumer privacy and regulatory enforcement.
Within the insurance industry, comparative studies between South Africa and jurisdictions like the United Kingdom reveal a compliance gap, with South African insurers generally lagging in adherence to data protection standards. These findings point to the necessity of capacity-building, clearer regulatory interpretation, and enhanced enforcement mechanisms to support consistent POPIA implementation across sectors [26]. To address these implementation deficits, this review proposes the development of sector-specific compliance toolkits co-designed with stakeholders in healthcare, education, and retail. These toolkits should include practical templates for consent management, data classification protocols, and breach response procedures. Furthermore, the capacity of the Information Regulator could be enhanced through increased funding, inter-agency collaboration, and investment in regulatory technology (Reg Tech) to support real-time monitoring. Finally, a POPIA compliance maturity model could assist organizations in benchmarking their progress and identifying specific gaps in operational readiness.
To strengthen compliance and institutional readiness, this review recommends the following:
(i) Establishment of sector-specific compliance benchmarks by the Information Regulator;
(ii) Introduction of national POPIA awareness campaigns using public media and community ICT centers;
(iii) Development of an open-access POPIA compliance maturity toolkit for SMEs;
(iv) Facilitation of data governance incubator programs at universities to build technical and legal capacity.
These interventions should be piloted through public–private–academic partnerships to ensure relevance and scalability.
In summary, the discussion reinforces that while POPIA has catalyzed meaningful academic and institutional attention, significant gaps remain in practical implementation, sectoral responsiveness, and methodological coverage. Addressing these challenges requires not only enhanced regulatory clarity and institutional support but also a robust and inclusive research agenda that captures the evolving dynamics of data protection in South Africa.

7. Conclusions and Future Work

This systematic review highlights the evolving landscape of POPIA implementation and compliance in South Africa, emphasizing both progress and persistent challenges. While the legislative framework aligns closely with international data protection standards, its practical application across sectors remains uneven and often constrained by limited awareness, resource deficits, and interpretive complexity. Despite the Act’s potential to safeguard personal information and promote responsible data stewardship, many organizations, particularly SMEs, universities, and institutions within the health and insurance sectors, struggle to operationalize compliance effectively. Although South Africa can draw from international best practices, contextualized, sector-specific strategies are essential to overcoming local challenges. This review reveals that significant research gaps still exist, particularly in understanding how smaller and less-resourced entities engage with POPIA requirements. These gaps call for targeted empirical studies, the development of adaptable compliance frameworks, and expanded multi-sectoral engagement to support comprehensive, scalable, and practical solutions. Looking ahead, future research should focus on strengthening the ethical foundations of compliance, improving the robustness of existing assessment tools, and exploring the role of emerging technologies in automating and streamlining POPIA adherence. Technological innovations such as artificial intelligence, privacy-preserving machine learning, and automated consent management systems hold the potential to transform compliance practices, reduce the risk of non-compliance, and enhance transparency and accountability. Ensuring the sustained and equitable implementation of POPIA across South Africa’s diverse socio-economic landscape requires a collaborative effort between academia, industry, regulators, and civil society. 
Continued research, supported by practical innovation and policy reform, will be critical in advancing a culture of data protection, digital ethics, and regulatory compliance in the years to come.

Supplementary Materials

The following supporting information can be downloaded at: https://www.mdpi.com/article/10.3390/su17198529/s1, PRISMA 2020 Checklist [24].

Funding

This research received funding from Tshwane University of Technology-MICT Research Chair and the funding number is L688/L088.

Data Availability Statement

The original contributions presented in this study are included in the article/Supplementary Materials. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Hashmi, M.; Governatori, G.; Lam, H.P.; Wynn, M.T. Are we done with business process compliance: State of the art and challenges ahead. Knowl. Inf. Syst. 2018, 57, 79–133.
  2. Kandeh, A.T.; Botha, R.A.; Futcher, L.A. Enforcement of the Protection of Personal Information (POPI) Act: Perspective of data management professionals. S. Afr. J. Inf. Manag. 2018, 20, 1–9.
  3. Netshakhuma, N.S. Assessment of a South Africa national consultative workshop on the Protection of Personal Information Act (POPIA). Glob. Knowl. Mem. Commun. 2020, 69, 58–74.
  4. Mbonye, V.; Moodley, M.; Nyika, F. Examining the applicability of the Protection of Personal Information Act in AI-driven environments. S. Afr. J. Inf. Manag. 2024, 26, 1808.
  5. Botha, J.; Grobler, M.M.; Hahn, J.; Eloff, M. A High-Level Comparison Between the South African Protection of Personal Information Act and International Data Protection Laws. In Proceedings of the ICMLG2017 5th International Conference on Management Leadership and Governance, Johannesburg, South Africa, 16–17 March 2017; p. 57.
  6. South Africa, Department of Justice. Government Gazette; Protection of Personal Information Act 2013; South African Government: Cape Town, South Africa, 2013; p. 37067.
  7. Staunton, C.; Tschigg, K.; Sherman, G. Data protection, data management, and data sharing: Stakeholder perspectives on the protection of personal health information in South Africa. PLoS ONE 2021, 16, e0260341.
  8. Swales, L. The Protection of Personal Information Act 4 of 2013 in the context of health research: Enabler of privacy rights or roadblock? Potchefstroom Electron. Law J. Potchefstroomse Elektron. Regsblad 2022, 25, 236881.
  9. Raaff, E.; Rothwell, N.; Wynne, A. Aligning South African Data and Cloud Policy with the POPI Act. In Proceedings of the International Conference on Cyber Warfare and Security, Albany, NY, USA, 17–18 March 2022; Academic Conferences International Limited: Reading, UK, 2022; Volume 17, pp. 279–287.
  10. Thaldar, D.; Townsend, B. Exempting health research from the consent provisions of POPIA. Potchefstroom Electron. Law J. Potchefstroomse Elektron. Regsblad 2021, 24, 235940.
  11. Staunton, C.; Adams, R.; Botes, M.; De Vries, J.; Labuschaigne, M.; Loots, G.; Mahomed, S.; Loideain, N.N.; Olckers, A.; Pepper, M.S.; et al. Enabling the Use of Health Data for Research: Developing a POPIA Code of Conduct for Research in South Africa. S. Afr. J. Bioeth. Law 2021, 14, 33–36.
  12. Da Veiga, A.; Vorster, R.; Pilkington, C.; Abdullah, H. Compliance with the Protection of Personal Information Act and Consumer Privacy Expectations: A Comparison Between the Retail and Medical AID industry. In Proceedings of the 2017 Information Security for South Africa (ISSA), Johannesburg, South Africa, 16–17 August 2017; IEEE: New York, NY, USA; pp. 16–23.
  13. Da Veiga, A.; Vorster, R.; Li, F.; Clarke, N.; Furnell, S.M. Comparing the Protection and Use of Online Personal Information in South Africa and the United Kingdom in Line with Data Protection Requirements. Inf. Comput. Secur. 2019, 28, 399–422.
  14. Moabalobelo, T.; Ngobeni, S.; Molema, B.; Pantsi, P.; Dlamini, M.; Nelufule, N. Towards a Privacy Compliance Assessment Toolkit. In Proceedings of the 2023 IST-Africa Conference (IST-Africa), Tshwane, South Africa, 31 May 2023–2 June 2023; IEEE: New York, NY, USA, 2023; pp. 1–8.
  15. Buys, M. Protecting personal information: Implications of the Protection of Personal Information (POPI) Act for healthcare professionals. S. Afr. Med. J. 2017, 107, 954–956.
  16. Govender, I. Mapping ‘Security Safeguard’ Requirements in a Data Privacy Legislation to an International Privacy Framework: A Compliance Methodology. In Proceedings of the 2015 Information Security for South Africa (ISSA), Johannesburg, South Africa, 12–13 August 2015; IEEE: New York, NY, USA, 2015; pp. 1–8.
  17. Chimboza, T.; Smith, E. How Does Compliance with the Protection of Personal Information Act (POPI Act) Affect Organisations in South Africa? In Proceedings of the 10th Annual ACIST Proceedings (2024), Virtual, 12 September 2024.
  18. De Bruyn, M. The Protection of Personal Information (POPI) Act—Impact On South Africa. Int. Bus. Econ. Res. J. (Online) 2014, 13, 1315.
  19. Jafta, Y.; Leenen, L.; Chan, P. An Ontology for the South African Protection of Personal Information Act. In Proceedings of the ECCWS 2020 19th European Conference on Cyber Warfare and Security, Chester, UK, 25–26 June 2020; Volume 2020, pp. 158–167.
  20. Coetzee, J. Cross-Border Data Flows the Protection of Personal Information Act 4 of 2013-Part II: The Data Transfer Provision. Potchefstroom Electron. Law J. (PELJ) 2024, 27, 1–29.
  21. Moraka, L.I.; Singh, U.G. The POPIA 7th Condition Framework for SMEs in Gauteng. In Computational Intelligence: Select Proceedings of InCITe 2022; Springer Nature: Singapore, 2023; pp. 831–838.
  22. Pittman, F.P.; Hafiz, A.; Hamm, A. Data Protection Laws and Regulations USA 2024; White & Case LLP: New York, NY, USA, 2024.
  23. Jones, B. Is POPIA bad business for South Africa? Comparing the GDPR to POPIA and analyzing POPIA’s impact on businesses in South Africa. Penn State J. Law Int. Aff. 2022, 10, 218.
  24. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, n71.
  25. Baloyi, N.; Kotzé, P. Are Organisations in South Africa Ready to Comply with Personal Data Protection or Privacy Legislation and Regulations? In Proceedings of the 2017 IST-Africa Week Conference (IST-Africa), Windhoek, Namibia, 30 May–2 June 2017.
  26. Da Veiga, A.; Vorster, R.; Li, F.; Clarke, N.; Furnell, S. A Comparison of Compliance with Data Privacy Requirements in Two Countries. In Proceedings of the ECIS 2018: 26th European Conference on Information Systems: Beyond Digitization-Facets of Socio-Technical Change, Portsmouth, UK, 23–28 June 2018; University of Portsmouth: Portsmouth, UK, 2018.
  27. Da Veiga, A.; Ochola, E.; Mujinga, M.; Mwim, E. Investigating Data Privacy Evaluation Criteria and Requirements for e-Commerce Websites. In Proceedings of the International Conference on Advanced Research in Technologies, Information, Innovation and Sustainability, Cartagena de Indias, Colombia, 21–23 October 2025; Springer Nature: Cham, Switzerland, 2025; pp. 297–307.
  28. Kumalo, M.O.; Botha, R.A. POPIA Compliance in Digital Marketplaces: An IGOE Framework for Pattern Language Development. In Proceedings of the Annual Conference of South African Institute of Computer Scientists and Information Technologists, Gqeberha, South Africa, 15–17 July 2024; Springer Nature: Cham, Switzerland, 2024; pp. 331–346.
  29. Bredenkamp, I.E.; Kritzinger, E.; Herselman, M. A conceptual framework for consumer is compliance awareness: South African government context. In Proceedings of the Informatics and Cybernetics in Intelligent Systems. CSOC 2021, Online, 15–16 July 2021; Springer International Publishing: Berlin/Heidelberg, Germany, 2021; Volume 3, pp. 682–701.
  30. Mbonye, V.; Subramaniam, P.R.; Padayachee, I. POPIA compliant regulatory framework for smart grids to secure gaps in existing privacy laws. In Proceedings of the 2021 International Conference on Artificial Intelligence, Big Data, Computing and Data Communication Systems (icABCD), Durban, South Africa, 5–6 August 2021; pp. 1–8.
  31. Malepeng, P.; Speckman, T.; Gerber, M. An Assessment of POPIA Compliance in Case 1 Municipal Fresh Produce Market. In Proceedings of the 2024 IST-Africa Conference (IST-Africa), Dublin, Ireland, 20–24 May 2024; IEEE: New York, NY, USA, 2024; pp. 1–11.
  32. Tsegaye, T.; Flowerday, S. PoPI Compliance Through Access Control of Electronic Health Records. In Proceedings of the South African Institute of Computer Scientists and Information Technologists, Skukuza, South Africa, 17–18 September 2019; pp. 1–9.
  33. Arthur, J. The protection of personal information act compliance and requirements for higher education institutions: Pre covid. S. Afr. J. High. Educ. 2021, 35, 221–237.
  34. Hertzog, L.; Wittesaele, C.; Titus, R.; Chen, J.J.; Kelly, J.; Langwenya, N.; Baerecke, L.; Toska, E. Seven essential instruments for POPIA compliance in research involving children and adolescents in South Africa. S. Afr. J. Sci. 2021, 117, 9–10.
  35. Botha, J.; Eloff, M.M.; Swart, I. Evaluation of Online Resources on the Implementation of the Protection of Personal Information Act in South Africa. In Proceedings of the 10th International Conference on Cyber Warfare and Security: ICCWS2015, Kruger National Park, South Africa, 24–25 March 2015; p. 39.
  36. Botha, J.G.; Eloff, M.M.; Swart, I. The Effects of the PoPI Act on Small and Medium Enterprises in South Africa. In Proceedings of the 2015 Information Security for South Africa (ISSA), Johannesburg, South Africa, 12–13 August 2015; IEEE: New York, NY, USA, 2015; pp. 1–8.
  37. Staunton, C.; De Stadler, E. Protection of Personal Information Act No. 4 of 2013: Implications for biobanks. S. Afr. Med. J. 2019, 109, 232–234.
  38. Staunton, C.; Adams, R.; Anderson, D.; Croxton, T.; Kamuya, D.; Munene, M.; Swanepoel, C. Protection of Personal Information Act 2013 and data protection for health research in South Africa. Int. Data Priv. Law 2020, 10, 160–179.
  39. Thaldar, D. Does data protection law in South Africa apply to pseudonymised data? Front. Pharmacol. 2023, 14, 1238749.
  40. Theys, M.W.; Ruhode, E.; Harpur, P. Challenges of Implementation of Data Protection Legislation in a South African context. In Proceedings of The 11th International Conference on Research in Science and Technology, Paris, France, 14–16 May 2021; Diamond Scientific Publishing: Vilnius, Lithuania, 2021; pp. 39–50.
  41. Bronstein, V. Prioritising Command-and-Control Over Collaborative Governance: The Role of the Information Regulator Under the Protection of Personal Information Act. Potchefstroom Electron. Law J. (PELJ) 2022, 25, 1–41.
  42. Legodi, S.F.; Abdullah, H. Assessing the Impact of Information Privacy Protection Awareness Among Online Users and Consumers. In Proceedings of the 2021 IEEE Mysore Sub Section International Conference (MysuruCon), Hassan, India, 24–25 October 2021; IEEE: New York, NY, USA, 2021; pp. 498–504.
  43. Sekgweleo, T.; Mariri, M. Critical analysis of PoPI Act within the organisation. Int. J. Comput. Sci. Inf. Secur. (IJCSIS) 2019, 17, 64–69.
  44. Dala, P.; Venter, H.S. Understanding the Level of Compliance by South African Institutions to the Protection of Personal Information (POPI) Act. In Proceedings of the Annual Conference of the South African Institute of Computer Scientists and Information Technologists, Johannesburg, South Africa, 26–28 September 2016; pp. 1–8.
  45. Katurura, M.; Cilliers, L. The Extent to Which the POPI Act Makes Provision for Patient Privacy in Mobile Personal Health Record Systems. In Proceedings of the 2016 IST-Africa Week Conference, Durban, South Africa, 11–13 May 2016; IEEE: New York, NY, USA, 2016; pp. 1–8.
  46. Pelteret, M.; Ophoff, J. Organizational Information Privacy Strategy and the Impact of the PoPI Act. In Proceedings of the 2017 Information Security for South Africa (ISSA), Johannesburg, South Africa, 16–17 August 2017; IEEE: New York, NY, USA, 2017; pp. 56–65.
  47. Scharnick, N.; Gerber, M.; Futcher, L. Review of Data Storage Protection Approaches for POPI Compliance. In Proceedings of the 2016 Information Security for South Africa (ISSA), Johannesburg, South Africa, 17–18 August 2016; IEEE: New York, NY, USA, 2016; pp. 48–55.
  48. De Waal, P.J. The protection of personal information act (POPIA) and the promotion of access to information act (PAIA): It is time to take note. Curr. Allergy Clin. Immunol. 2022, 35, 232–236.
  49. Zenda, B.; Vorster, R.; Da Veiga, A. Protection of personal information: An experiment involving data value chains and the use of personal information for marketing purposes in South Africa. S. Afr. Comput. J. 2020, 32, 113–132.
  50. Kaddu, S.; Ssekitto, F. Africa’s Data Privacy Puzzle: Data Privacy Laws and Compliance in Selected African Countries. Univ. Dar Salaam Libr. J. 2023, 18, 264002.
  51. Joshi, A.; Kale, S.; Chandel, S.; Pal, D.K. Likert scale: Explored and explained. Br. J. Appl. Sci. Technol. 2015, 7, 396.
  52. Landis, J.R.; Koch, G.G. An Application of Hierarchical Kappa-Type Statistics in the Assessment of Majority Agreement among Multiple Observers. Biometrics 1977, 33, 363–374.
  53. Da Veiga, A.; Abdullah, H.; Eybers, S.; Ochola, E.; Mujinga, M.; Mwim, E. Evaluating Data Privacy Compliance of South African E-Commerce Websites Against POPIA. J. Inf. Syst. Inform. 2024, 6, 2693–2732.
  54. United States Congress. Children’s Online Privacy Protection Act 15; United States Congress: Washington, DC, USA, 1998.
Figure 1. Comparative heatmap visualizing South Africa’s POPIA principles.
Figure 2. The PRISMA flow diagram for the systematic literature review carried out in this study Page et al., 2020 [24].
Figure 3. Distribution of publication sources in POPIA research (2014–2024).
Figure 4. Annual distribution of POPIA compliance research publications (2015–2024).
Figure 5. Country distribution of studies that are included in the SLR.
Figure 6. VOS viewer Co-occurrence of keywords.
Figure 7. Citation distribution by study.
Figure 8. Average SJR/H-index by sector.
Figure 9. Distribution of risk of bias across included studies.
Figure 10. Kappa calculation method (Landis and Koch’s [52]).
Figure 11. Frequency of methodological approaches in POPIA research (n = 41).
Figure 12. Temporal evolution of theoretical and empirical research in the POPIA domain over a ten-year period.
Figure 13. Sectoral distribution of POPIA implementation and compliance.
Table 1. Eight principles of POPIA for lawful processing (Department of Justice, 2013) [6].
| POPIA Principle | Description |
| --- | --- |
| Accountability | The responsible party must ensure that all conditions for lawful processing are fulfilled and adhered to throughout the data lifecycle. |
| Processing limitation | Information must be processed lawfully, fairly and not excessively, with adherence to minimality and consent requirements. |
| Process specification | Personal information must be collected for a specific, explicitly defined and lawful purpose. The data subject must be informed of this purpose. |
| Further processing | Any further processing of the data must be compatible with the original purpose for which it was collected. |
| Information quality | The responsible party must ensure that data is complete, accurate, not misleading and updated where necessary. |
| Openness | The data subject must be informed that data is collected. A notification must also be submitted to the Information Regulator, where applicable. |
| Security safeguards | Reasonable technical and organisational measures must be implemented to ensure integrity and confidentiality of personal information. |
| Data subject participation | Data subjects have the right to access, update or correct their personal information held by the responsible party free of charge. |
Table 2. Comparative overview of POPIA principles with international and African data protection laws.
Compared columns (cell marks not preserved). POPIA principles: Accountability, Processing Limitations, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, Data Subject Participation. Other areas: DPO Required, Breach Notification, Cross-Border Data Transfer Limitation, Electronic Marketing, Online Privacy.
| Continent | Country | Act | Enacted Year |
| --- | --- | --- | --- |
| Europe | UK | GDPR | 2009 |
| Europe | Spain | LOPD | 1999 |
| Europe | Bulgarian | DPA | 2002 |
| America | US | CCPA | 2018 |
| America | US | COPPA | 1998 |
| America | Canada | PIPEDA | 2000 |
| Asia | China | PIPL | 2021 |
| Asia | South Korea | PIPA | 2011 |
| Asia | Singapore | PDPA | 2012 |
| Africa | South Africa | POPIA | 2013 |
| Africa | Kenya | DPA | 2019 |
| Africa | Benin | PPD | 2009 |
| Africa | Burkina Faso | PPD | 2004 |
| Africa | Ghana | DPA | 2012 |
| Africa | Mali | PPD | 2013 |
| Africa | Mauritius | DPA | 2004 |
| Africa | Tunisia | DPA | 2004 |
| Africa | Ivory Coast | PPD | 2013 |
| Africa | Seychelles | DPA | 2003 |
| Africa | Morocco | PIRPD | 2009 |
| Africa | Cape Verde | DPL | 2001 |
| Africa | Gabon | PPD | 2011 |
Source: Own compilation based on legal provisions and literature synthesis (Botha, Eloff, and Swart [5]).
Table 3. Eligibility and study selection synthesis.
| Database | Initial Search Results | Screened Articles | Full Text Assessed | Relevant Articles |
| --- | --- | --- | --- | --- |
| Google Scholar | 1970 | 1963 | 1936 | 27 |
| Scopus | 99 | 94 | 80 | 14 |
| Total | 2069 | 2057 | 2016 | 41 |
Table 4. Characteristics of included studies.
| Author | Year | Citation | Study Type | Sector Focus | Methodological Approach | Primary Research Focus | Publisher | SJR and H-Index |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Baloyi and Kotzé [25] | 2017 | 17 | Empirical research | Cross-sectoral | Quantitative study (survey) | Organizational readiness for data privacy compliance | 2017 IST-Africa Week Conference (IEEE) | 7 |
| Da Veiga et al. [12] | 2017 | 4 | Qualitative study | Retail industry; medical aid | Case study | Compliance with POPIA and consumer privacy expectations | Emerald Publishing Limited | 0.485 |
| Da Veiga et al. [26] | 2018 | 8 | Qualitative study | Insurance industry | Multi-case study; empirical research | A comparison of compliance with data privacy requirements in two countries | University of Portsmouth | 0.271 |
| Da Veiga et al. [13] | 2019 | 15 | Multi-case study methodology | Insurance industry | Multi-case study; empirical research | Comparing the protection and use of online personal information in SA and the UK | Emerald Publishing Limited | 0.485 |
| Da Veiga et al. [27] | 2022 | 0 | Exploratory | e-commerce | Document analysis | Evaluating data privacy compliance of South African e-commerce websites against POPIA | IGI Global | 0.253 |
| Kumalo and Botha [28] | 2024 | 0 | Methodological study | General organizational compliance | Document analysis | POPIA compliance in digital marketplaces: an IGOE framework for pattern language development | SAICSIT | 0.191 |
| Bredenkamp, Kritzinger, and Herselman [29] | 2021 | 0 | Methodological study | General organizational compliance | Document analysis | Evaluating a consumer data protection framework for IS compliance awareness in South Africa | SAICSIT | 0.191 |
| Chimboza and Smith [17] | 2024 | 0 | Qualitative study | General organizational compliance | Semi-structured interviews | How does compliance with the Protection of Personal Information Act (POPI Act) affect organizations in South Africa? | The 10th African Conference on Information Systems and Technology | 8 |
| Mbonye, Subramaniam, and Padayachee [30] | 2021 | 5 | Methodological study | Energy sector (smart grids) | Systematic literature review | POPIA-compliant regulatory framework for smart grids | IEEE | 7 |
| Malepeng, Speckman, and Gerber [31] | 2024 | 0 | Qualitative study | Municipal fresh produce markets | Document analysis | Assessment of POPIA compliance in municipal fresh produce market | IEEE | 7 |
| Tsegaye [32] | 2019 | 5 | Scoping review and thematic analysis | Health research | Document analysis | PoPI compliance through access control of electronic health records | ACM | 0.191 |
| Arthur [33] | 2024 | 0 | Qualitative study | Universities | Mono method qualitative | The Protection of Personal Information Act compliance and requirements for higher education institutions: pre-COVID | University of Johannesburg | 0.249 |
| Hertzog et al. [34] | 2023 | 3 | Methodological study | Health research, universities | Framework development | POPIA compliance in research involving children and adolescents | IASSIST Quarterly | 0.165 |
| Botha et al. [35] | 2015a | 14 | Methodological study | General organizational compliance | Document analysis | Evaluation of online resources for Protection of Personal Information Act (POPIA) implementation | ACI | 0.629 |
| Botha et al. [36] | 2015b | 27 | Literature study | Cross-sectoral (small and medium enterprises (SMEs)) | Survey; theoretical analysis | Effects of POPI Act on small and medium enterprises | IEEE | 7 |
| Staunton and Stadler [37] | 2019 | 12 | Theoretical analysis | Health research | Conceptual analysis | Implications of POPIA for biobanks | SAMJ | 0.199 |
| Staunton et al. [38] | 2020 | 34 | Qualitative study | Health research | Case study | POPIA and data protection for health research | PLoS ONE | 0.803 |
| Staunton, Tschigg, and Sherman [7] | 2021 | 34 | Qualitative | Health research | Semi-structured interviews | Stakeholder perspectives on protection of personal health information | PLoS ONE | 0.803 |
| Thaldar and Townsend [10] | 2021 | 20 | Theoretical | Health research | Conceptual analysis | Exempting health research from POPIA consent | Potchefstroom Electronic Law | 0.242 |
| Swales [8] | 2022 | 13 | Methodological study | Health research | Document analysis | The Protection of Personal Information Act 4 of 2013 in the context of health research: Enabler of privacy rights or roadblock? | Potchefstroom Electronic Law | 0.242 |
| Moabalobelo et al., 2023 [14] | 2023 | 3 | Development process; methodological study | General organizational compliance | Experimental research | Development of POPIA Compliance Assessment | IEEE | 7 |
| Netshakhuma [3] | 2020 | 43 | Case study approach | Universities | Interviews and workshop | Assessment of a South African national consultative workshop on the Protection of Personal Information Act (POPIA) | Emerald Publishing Limited | 0.485 |
| Staunton et al. [11] | 2021 | 6 | Theoretical analysis | Health research | Conceptual analysis | Developing a POPIA code of conduct for research | South African Journal of Bioethics and Law | 0.446 |
| Thaldar [39] | 2023 | 2 | Theoretical | Health research | Conceptual | Applicability of POPIA to pseudonymized data | Frontiers | 0.576 |
| Theys [40] | 2021 | 4 | Qualitative study | Organizational compliance | Case study, interviews, surveys | Challenges of implementation of data protection legislation | RSTCONF | 0.165 |
| Bronstein and Nyachowe [41] | 2023 | 1 | Theoretical | Health research | Conceptual analysis | Applicability of POPIA in health research | SAMJ | 0.446 |
| Legodi and Abdullah [42] | 2021 | 0 | Qualitative study | Organizational compliance | Case study and interviews | Assessing the impact of information privacy protection awareness | IEEE | 7 |
| Sekgweleo and Mariri [43] | 2019 | 5 | Qualitative study | Organizational compliance | Case study interviews | Critical analysis of PoPI Act within the organization | IJCSIS | 0.204 |
| Dala and Venter [44] | 2016 | 1 | Empirical research | Organizational compliance | Survey | Understanding level of compliance with POPIA Mapping | ProQuest | 0.239 |
| Kandeh, Botha, and Futcher [2] | 2018 | 46 | Qualitative study | Organizational compliance | Semi-structured interviews | Enforcement of POPIA from data management professionals’ perspective | South African Journal of Information Management | 0.446 |
| Katurura and Cilliers [45] | 2016 | 20 | Theoretical analysis | Health research; information technology | Conceptual analysis | Perspective: POPI Act provisions for patient privacy in mobile health record systems | IEEE | 7 |
| Pelteret and Ophoff [46] | 2017 | 6 | Qualitative study | Financial services industry | Case study | Organizational information privacy strategy and POPI Act impact | IEEE | 7 |
| Scharnick, Gerber, and Futcher [47] | 2016 | 3 | Literature review and qualitative content analysis | General organizational compliance (focus on SMMEs) | Literature review; content analysis | Review of data storage protection approaches for POPI compliance | IEEE | 7 |
| Mbonye, Moodley, and Nyika [4] | 2024 | 1 | Qualitative study | Cross-sectoral | Document review | Applicability of POPIA in AI-driven environments | South African Journal of Information Management | 0.446 |
| Buys [15] | 2017 | 37 | Theoretical analysis | Health research | Conceptual analysis | Implications of POPIA for healthcare professionals | SAMJ | 0.446 |
| de Waal [48] | 2022 | 5 | Theoretical analysis | Health research | Conceptual analysis | The Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA) | Current Allergy & Clinical Immunology | 0.692 |
| Raaff et al. [9] | 2022 | 5 | Formal concept analysis | Information technology | Formal Concept Analysis | Aligning South African data and cloud policy with POPI Act | ICCWS | 7 |
| Zenda, Vorster, and Da Veiga [49] | 2020 | 14 | Empirical research | Insurance industry | Experimental | Protection of personal information in data value chains | South African Computer Journal | 0.191 |
| Kaddu and Ssekitto [50] | 2024 | 3 | Methodological study | General organizational compliance, universities, information technology | Systematic review | Data privacy laws and compliance in African countries | AJOL | |
| Hashmi et al. [1] | 2018 | 211 | Methodological study | General organizational context | Systematic literature review | State of the art in business process compliance | Springer | 0.352 |
| Govender [16] | 2015 | 4 | Methodological study | General organizational context | Theoretical analysis, framework mapping | Mapping security safeguard requirements to international privacy frameworks | ISSA | 7 |

Table 5. Metrics summary and insights.

Summary Insights: POPIA Compliance Research (2025–2024)

| Metric | Value |
|---|---|
| Mean Citations | 15.77 |
| Median Citations | 5.0 |
| Standard Deviation (Citations) | 37.71 |
| Mean SJR/H-index | 1.25 |
| Median SJR/H-index | 0.45 |
| Standard Deviation (SJR/H-index) | 2.26 |
| Most common study type | Methodological |
| Most common sector | Health |

Table 6. Quality assessment checklist.

| No | Questions |
|---|---|
| QA1 | Does the paper focus on POPIA implementation and compliance within South African organisations? |
| QA2 | Does the abstract indicate the methodological approach? |
| QA3 | Does the study indicate the analytical approach? |
| QA4 | Does the study indicate scholarly work? |
| QA5 | Does the study address implementation and compliance challenges? |
| QA6 | Is the study relevant to POPIA? |
| QA7 | Does the study clearly indicate its objective? |
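
Table 7. Quality assessment of selected studies.

| Study ID | Author | Year | QA1 | QA2 | QA3 | QA4 | QA5 | QA6 | QA7 | Total Score |
|---|---|---|---|---|---|---|---|---|---|---|
| S1 | [4] | 2017 | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 20 |
| S2 | [13] | 2017 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 21 |
| S3 | [14] | 2018 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 20 |
| S4 | [15] | 2019 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 20 |
| S5 | [33] | 2022 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 20 |
| S6 | [7] | 2024 | 3 | 1 | 1 | 3 | 3 | 3 | 3 | 17 |
| S7 | [11] | 2021 | 1 | 1 | 2 | 3 | 2 | 2 | 3 | 14 |
| S8 | [17] | 2024 | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 20 |
| S9 | [38] | 2021 | 2 | 2 | 3 | 3 | 2 | 3 | 3 | 19 |
| S10 | [40] | 2023 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 20 |
| S11 | [37] | 2024 | 3 | 3 | 3 | 2 | 3 | 3 | 3 | 20 |
| S12 | [41] | 2019 | 2 | 3 | 2 | 3 | 2 | 2 | 3 | 17 |
| S13 | [52] | 2019 | 3 | 2 | 3 | 3 | 3 | 2 | 3 | 19 |
| S14 | [34] | 2022 | 3 | 1 | 2 | 1 | 3 | 3 | 3 | 17 |
| S15 | [2] | 2024 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 21 |
| S16 | [36] | 2023 | 1 | 1 | 2 | 3 | 2 | 2 | 3 | 14 |
| S17 | [7] | 2025 | 2 | 2 | 2 | 3 | 2 | 3 | 3 | 17 |
| S18 | [6] | 2015 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 21 |
| S19 | [45] | 2019 | 3 | 2 | 2 | 3 | 3 | 3 | 3 | 20 |
| S20 | [46] | 2020 | 3 | 1 | 2 | 3 | 2 | 3 | 3 | 17 |
| S21 | [47] | 2021 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 21 |
| S22 | [48] | 2021 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 20 |
| S23 | [19] | 2021 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 20 |
| S24 | [20] | 2023 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 20 |
| S25 | [51] | 2021 | 3 | 3 | 2 | 2 | 3 | 3 | 3 | 19 |
| S26 | [9] | 2023 | 2 | 1 | 3 | 3 | 2 | 3 | 3 | 17 |
| S27 | [35] | 2021 | 1 | 3 | 1 | 3 | 1 | 3 | 3 | 17 |
| S28 | [43] | 2019 | 1 | 3 | 1 | 3 | 1 | 3 | 3 | 17 |
| S29 | [12] | 2016 | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 20 |
| S30 | [30] | 2018 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 21 |
| S31 | [32] | 2016 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 20 |
| S32 | [42] | 2017 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 21 |
| S33 | [44] | 2016 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 20 |
| S34 | [39] | 2024 | 3 | 2 | 3 | 3 | 2 | 3 | 3 | 19 |
| S35 | [10] | 2017 | 3 | 2 | 2 | 2 | 3 | 3 | 3 | 18 |
| S36 | [22] | 2022 | 3 | 2 | 2 | 2 | 2 | 3 | 2 | 16 |
| S37 | [53] | 2022 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 20 |
| S38 | [54] | 2020 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 21 |
| S39 | [37] | 2024 | 1 | 1 | 2 | 3 | 2 | 1 | 3 | 13 |
| S40 | [25] | 2018 | 1 | 2 | 1 | 3 | 2 | 1 | 3 | 13 |
| S41 | [23] | 2015 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 20 |
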
Source: Own compilation.

Table 8. Thematic analysis table.

| Compliance Area | Key Challenges | Implementation Approaches | Sectoral Variations |
|---|---|---|---|
| Awareness and understanding | Low awareness levels among staff and management | Training programs, awareness campaigns | Higher in financial services, lower in Small and Medium Enterprises (SMEs) |
| Data management | Lack of proper data classification and handling procedures | Implementing data inventory and risk assessment tools | More advanced practices in health research sector |
| Consent management | Challenges in obtaining and managing specific consent | Developing consent frameworks, exploring exemptions | Particularly complex in health research and biobanking |
| Security safeguards | Inadequate technical and organizational measures | Adopting international security standards, regular audits | No mention found |
| Third-party data sharing | Unconsented distribution of personal information | Implementing strict data sharing agreements, audits | More prevalent issues in retail and insurance sectors |
| Direct Marketing practices | Non-compliance with opt-in/opt-out preferences | Developing compliant marketing strategies, consent management systems | Significant challenges in retail and insurance sectors |
| Cross-border data transfers | Ensuring adequate protection in recipient countries | Implementing binding corporate rules, standard contractual clauses | More relevant in multinational corporations and research collaborations |
| Compliance Assessment | Lack of standardized assessment tools | Development of compliance toolkits and frameworks | Varying approaches across sectors, need for sector-specific tools |