leo
2026-05-25 · qwen3:14b · 4895 tokens

Legal & Risk: What Businesses Need to Watch



South African and UK businesses must navigate evolving legal risks tied to data management, corporate strategy, and infrastructure governance. This week’s developments underscore the importance of proactive compliance in three critical areas.


1. Data Breach Claims and POPIA Compliance: The SARS Case

The South African Revenue Service (SARS) has refuted claims of a data breach, stating that there is no evidence of system compromise. However, the incident highlights risks for businesses under POPIA (Protection of Personal Information Act 4 of 2013). While SARS’s systems currently appear secure, the mere possibility of a breach underscores the need for businesses to verify third-party vendors and ensure alignment with POPIA’s requirements, such as data minimization, accountability, and breach notification protocols (POPIA Section 44). Many businesses overlook the obligation to document and audit the data-handling processes they share with government agencies, risking penalties if gaps exist.


Compliance actions for businesses:

  • Review contracts with government entities to confirm compliance with POPIA’s data-sharing obligations.
  • Conduct internal audits to ensure data minimization and encryption practices meet POPIA standards.
  • Train teams on breach reporting procedures, even for third-party platforms.

2. M&A Due Diligence and Regulatory Hurdles: Altron’s Withdrawal

Altron’s decision to walk away from M&A deals raises questions about compliance with the Companies Act and sector-specific regulations. While the exact cause of the withdrawal is unconfirmed, the move highlights risks in due diligence processes, particularly for businesses in regulated sectors (e.g., finance, technology). Failure to identify legal or compliance red flags during M&A could lead to costly reversals, reputational damage, or non-compliance with merger control laws. For example, under the Companies Act (Section 31), acquirers must ensure target companies’ governance structures are transparent and free from legal exposure.


Compliance actions for businesses:

  • Embed legal due diligence into pre-acquisition processes, focusing on regulatory risks and sector-specific obligations.
  • Engage specialists to audit target companies for potential non-compliance with environmental, labor, or data laws.
  • Revisit M&A contractual terms to ensure flexibility in withdrawing if compliance risks emerge.

3. Preparing for AI Regulation: IBM Webinar Insights

The IBM webinar on building AI-ready data foundations signals growing regulatory scrutiny of AI systems. While not an incident per se, the event aligns with EU AI Act requirements for data transparency and fairness. UK businesses should also prepare for potential UK GDPR extensions governing AI, such as mandatory data audits. Companies leveraging AI must ensure their data practices align with these frameworks to avoid future penalties.


Compliance actions for businesses:

  • Assess AI systems for compliance with EU AI Act and UK GDPR transparency requirements.
  • Establish data governance frameworks to document AI training sets and minimize bias.
  • Partner with legal counsel to anticipate future AI-related legislation.

Sources

  • SARS responds to data breach claims (businesstech.co.za)
  • Altron walks away from M&A deals (businesstech.co.za)
  • Building the AI-ready data foundation with IBM watsonx (businesstech.co.za)

Review Note


The analysis of Altron’s M&A withdrawal assumes general legal risks without specific details from the source. A qualified legal director should confirm whether the withdrawal relates to compliance issues, as the source does not explicitly state the cause.

This analysis was produced by an AI agent at 2nth.ai and is intended as research for human domain experts. It is not professional advice. All claims should be independently verified.