Page 4 - KZN Business Sense - Page One - Susan Abro
INFORMATION COMPLIANCE IN 2026: WHAT SHOULD BE ON YOUR RADAR

Johan van Deventer, KZN Regional Manager, Labournet

Information Compliance (IC) has moved to the centre of how businesses operate. It’s now a critical part of governance, risk management, and day-to-day operations across every sector. Organisations that treat it as essential rather than optional are the ones protecting their reputation, avoiding penalties, and building trust with clients and stakeholders.

At its core, IC refers to the legal, governance, and operational frameworks that ensure personal and sensitive information is collected, used, stored, shared, and protected lawfully, ethically, and accountably across the organisation.

It extends beyond complying with privacy legislation to supporting control, accountability, and oversight, particularly when information is misused, lost, or exposed.

2026: The Compliance Turning Point

The shift did not happen overnight.

In 2023 and 2024, enforcement activity escalated significantly with regulators taking action and expecting definite compliance. This included fines of up to ZAR 5 million against public bodies, alongside enforcement notices and compulsory remedial actions.

2025 became the exposure year. Many organisations discovered – often uncomfortably – that their compliance frameworks did not reflect how information is actually used inside the business. Shadow AI, remote working models, third-party platforms, and fragmented governance structures widened the gap between policy and practice.

2026 is where consequences land. Regulators now expect organisations to prove that compliance is active, governed, and effective – not just that they are trying. This year is about enforcement, accountability, and evidence.

Enforcement is Accelerating

One of the most important realities for 2026 is that enforcement is no longer reactive. Regulators are increasingly initiating investigations proactively, demanding documentary proof of compliance, and assessing governance failures rather than only responding to breaches. For organisations, this means that compliance must be visible, structured, and ongoing. You need to be able to show who is responsible, what controls exist, how risks are tracked, and how issues are escalated and addressed.

Intentions and good faith efforts are no longer enough. Evidence matters.

Boards Cannot escape Accountability

Another critical shift heading into 2026 is the growing focus on board and executive accountability.

Information Compliance does not sit solely at operational level. Boards are expected to exercise oversight over information and privacy risk in the same way they do over financial, operational, and reputational risk.

This means that compliance should feature meaningfully in board packs, risk registers, annual workplans, and governance calendars. Directors are expected to ask informed questions and ensure that appropriate appointments, delegations, and reporting lines are in place. Where this does not happen, silence can be interpreted as a lack of oversight – and ignorance will not hold up as a defence.

The Unmapped Shadow AI Risk

One of the fastest-growing compliance blind spots is Shadow AI i.e. the use of Artificial Intelligence (AI) tools by employees without formal approval, governance, or safeguards.

In many organisations, employees are already uploading personal or confidential information into AI tools, using AI to draft emails, reports, contracts, and HR documentation, and relying on AI-generated outputs to make decisions.

This creates immediate IC risks:
■ Personal information might be processed unlawfully.
■ Data might be transferred outside approved jurisdictions.
■ Records of processing might be incomplete or inaccurate.
■ Accountability becomes unclear.

The challenge is that Shadow AI rarely looks malicious. It looks efficient and helpful – and often goes unnoticed.

Regulators will not be concerned with whether AI use improved productivity, but rather with whether it was lawful, controlled, and governed.

AI makes Paper Compliance Obsolete

Policies that exist only on paper are increasingly disconnected from reality.

As AI tools become embedded in day-to-day work, regulators are asking harder questions, including:
■ Who approved the tools being used?
■ What data is being fed into them?
■ How are outputs reviewed and validated?
■ How are staff trained on acceptable use?
■ What happens when something goes wrong?

Organisations are often exposed not because they have nothing in place, but because what they do have does not operate in practice.

Living compliance now requires active registers, enforced policies, modern training, tested incident response plans, and clear escalation paths that people actually understand and use effectively.

If AI use is not reflected in your compliance framework, that framework is already outdated.

The Cyber-AI-Compliance Nexus

One of the defining features of 2026 is the collapse of silos. Cyber security, IC, and AI governance can no longer be treated as separate conversations. A data breach, an AI misuse incident, or a privacy complaint now sits at the intersection of all three.

Boards should expect increasing scrutiny of access controls, of third-party and vendor risk, of incident response timelines, as well as of alignment between IT, legal, HR, compliance, and risk functions.

Treating AI misuse or data incidents as purely technical issues are now governance failures with legal and reputational consequences.

Intensified Sector-Specific Scrutiny

While IC applies across all sectors, enforcement focus is becoming more targeted. Education, healthcare, financial services, professional services, and any sector handling large volumes of personal or sensitive information face heightened expectations. Generic compliance frameworks are starting to crack under this pressure.

Regulators increasingly expect organisations to demonstrate how compliance is applied in their specific operating context, including how emerging technologies such as AI are used within that environment.

Reputation Damage is Enduring

Fines are measurable, but reputational damage is not. Enforcement notices, investigations, and complaints are increasingly public. Clients, employees, and partners are paying closer attention to how organisations handle personal information and AI-driven decision-making. For many organisations, the long-term loss of trust far outweighs any regulatory penalty.

Businesses must be able to defend their decisions when they are scrutinised.

Preparing for the New Reality

The organisations that will navigate 2026 successfully are those that treat IC as a strategic risk, actively govern AI use rather than ignoring it, embed compliance into governance structures, and focus on evidence rather than intention.

Shadow AI is already inside most organisations. The only question is whether it is managed or unmanaged.

2026 belongs to those that can prove, not just promise, that compliance lives and adapts inside their organisation.

T: +27 (0)31 266 6570
M: +27 (0)82 786 7480
E: johanvd@labournet.com
W: www.labournet.com

