In the United Kingdom (UK), the Data Protection Act (DPA) has been in force since 1998, whereas South African (SA) organisations are preparing for compliance with the Protection of Personal In-formation Act (POPIA). The objective of this research is to compare aspects of data protection compliance between the UK and SA to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in an online context compared to a country that is preparing for compliance, using the results to make recommendations for non-compliance aspects. To fulfil the research objective, an insurance industry multi-case study was conducted. Similar data privacy requirements from the DPA and POPIA were selected for the multi-case study and as such, consent for direct marketing, secure processing of personal information (PI), privacy policies and sharing of PI collected via websites were evaluated. For each country, PI of four created consumer profiles was deposited to 10 insurance company websites in each country to evaluate the requirements. The results showed that some of the websites did not honor the selected opt-out preferences as direct marketing material was sent to the SA and UK consumer profiles. Forty two unsolicited third party contacts were received by the SA consumer profiles indicating unconsented distribution of PI in SA. In comparison, no unsolicited contacts were received by any of the UK profiles. The results demonstrate that the UK, being regarded as a jurisdiction with a heavy stance towards privacy implementation and regulation, is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study. SA insurance organisations should ensure that the non-compliance aspects are addressed and can learn from the manner in which the UK insurance organisations implement the privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marking to aid with compliance to the DPA and upcoming General Data Protection Act.