About
- POPIA introduces a duty on all organisations to report certain personal data breaches to the Information Regulator. Where feasible, you must do this within a reasonable time of becoming aware of the breach.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. These will support the decision about whether you need to notify the Information Regulator, the affected individuals, or both.
- You must also keep a record of every Personal Information breach, regardless of whether you are required to notify.
Templates, Forms, Policies, Guidelines – POPIA Data Breaches
Frequently Asked Questions
- A breach is only a security compromise if there are reasonable grounds to believe that the personal information of a Data Subject has been accessed or acquired by an unauthorised person.
- Security compromises appear to be limited to confidentiality breaches, i.e. where there is unauthorised disclosure of, or access to, Personal Information. On that reading, an incident that affects only the integrity or availability of Personal Information, without unauthorised access or acquisition, falls outside the definition, although it should still be recorded and assessed.
A Responsible Party must notify the Information Regulator as soon as reasonably possible after discovery of a security compromise. POPIA does not set a fixed deadline; looking at similar reporting requirements in other legislation, 72 hours appears to be the accepted benchmark for a reasonable delay before notification.