POPIA Update: Don’t Hide a Data Breach — Report It Fast
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
South African organisations have been reminded that every security compromise must be reported to the Information Regulator, no matter how small. Under POPIA. There’s no such thing as a “low-risk” breach.
What counts as a security compromise?
It’s any incident where personal information is lost, leaked, stolen, or exposed, whether by:
Accident – sending an email to the wrong person or losing a laptop.
Deliberate attack – hacking, fraud, insider mischief.
Incidental events – theft, rioting, or hijacking where data is caught up.
Negligence – weak passwords, no encryption, or leaving files unattended.
Who must report and when?
The Information Officer (or Deputy) must notify both the Information Regulator and the affected individuals.
If an operator (like a service provider) is involved, they must inform the responsible party immediately.
Reports must be made as soon as you’re reasonably sure a breach occurred — you don’t need all the details first.
New: Faster reporting online
The Information Regulator has launched a new eServices Portal to make reporting breaches faster, more secure, and fully POPIA-compliant. Download the Reporting Security Compromises guide form more detail.
What should businesses do right now?
Identify and contain the compromise.
Notify the Information Regulator via the eServices portal.
Alert affected individuals, by email, SMS, website notice, or even media.
Fix the gaps, review and strengthen your security measures.
⏱️ Notices about breaches should usually stay on your website for 30 to 90 days, depending on how likely people are to see them.
👉 Bottom line
If you suffer a breach, report it early, notify affected people, and act fast to prevent harm. Hiding it could cost more than the breach itself.
