• POPIA introduces a duty on all organisations to report certain personal data breaches to the Information Regulator. You must do this within a reasonable time of becoming aware of the breach, where feasible.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the Information Regulator or the affected individuals, or both.
  • You must also keep a record of any Personal Information breaches, regardless of whether you are required to notify.

Templates, Forms, Policies, Guidelines – POPIA Data Breaches

Frequently Asked Questions

  1. A breach is only a security compromise if there are reasonable grounds to believe that the personal information of a Data Subject has been accessed or acquired by any unauthorised person.
  2. Security compromises therefore appear to be limited to confidentiality breaches, i.e. where there is unauthorised disclosure of, or access to, Personal Information.

A Responsible Party must notify the Information Regulator as soon as reasonably possible after discovery of a security compromise. Judging by similar reporting requirements in other legislation, 72 hours appears to be regarded as a reasonable time within which to notify.