POPIA Data Breach Notification: A Step-by-Step Guide
POPIA Section 22 requires notification to the Information Regulator and affected data subjects as soon as reasonably possible after a security compromise. Here's exactly what that process looks like and how to be ready before an incident occurs.
Most South African organisations focus their POPIA compliance efforts on prevention: appointing an Information Officer, building a privacy policy, implementing security controls. These are important. But POPIA also imposes specific obligations for what happens after prevention fails — and those obligations carry some of the Act's most immediate enforcement risks.
Section 22 of POPIA requires every responsible party that becomes aware of a security compromise to notify the Information Regulator and affected data subjects. The notification must happen "as soon as reasonably possible." There is no grace period for getting your documentation in order first.
Here is exactly what the process requires, step by step.
What Triggers the Notification Obligation?
A notification obligation arises when there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
This definition is broader than many organisations assume. It covers:
- Ransomware attacks — where personal information was accessible to attackers during the dwell period, even if the primary visible impact is encryption
- Data exfiltration — where personal information has been stolen and transmitted to external parties
- Accidental disclosure — an email containing personal information sent to the wrong recipient
- Unauthorised access — a staff member accessing personal information outside their authorised scope, or an external party gaining unauthorised system access
- Lost or stolen devices — a laptop, phone, or USB drive containing unencrypted personal information that is lost or stolen
- Third-party breaches — a cloud provider or other operator suffers a breach affecting personal information you hold with them
The threshold is "reasonable grounds to believe" — not certainty. You do not need to complete a forensic investigation before notifying. If you have reason to believe a breach has occurred, the notification obligation is triggered.
Step 1: Contain and Assess
Before drafting a notification, take immediate steps to contain the breach and assess its scope.
Contain the breach: Disconnect affected systems, revoke compromised credentials, close the entry point if identified, and prevent further unauthorised access or exfiltration.
Assess the scope: Determine, as far as possible:
- What personal information was accessed or acquired?
- How many data subjects are affected?
- What categories of personal information are involved (standard personal information, or special personal information such as health data, financial records, or biometric data)?
- What is the likely harm to data subjects from the breach?
This assessment informs the content of your notification. It does not need to be complete before you notify — you can submit a preliminary notification and update it as the investigation proceeds.
Step 2: Notify the Information Regulator
Submit notification to the Information Regulator as soon as reasonably possible. In practice, treat 72 hours from becoming aware of the breach as your target — this aligns with GDPR's standard and is the benchmark the Regulator is likely to apply when evaluating whether notification was sufficiently prompt.
What the notification must include (per POPIA Section 22(2)):
- A description of the possible consequences of the security compromise
- A description of the measures the responsible party intends to take or has taken to address the security compromise
- A list of the information that may have been accessed or acquired
- The identity of the unauthorised person who may have accessed or acquired the information (if known)
For a preliminary notification, you may not have all of this information. Notify with what you know, clearly indicating that the investigation is ongoing and that you will provide updates.
How to notify: The Information Regulator provides a notification form (Form 2) on their website. Submit electronically to the Regulator's offices. Retain a copy of the submission and the submission confirmation.
Step 3: Notify Affected Data Subjects
In addition to notifying the Regulator, you must notify the individuals whose personal information was compromised. This notification must also happen as soon as reasonably possible, and must be done in a manner that is likely to reach the affected data subjects.
What the data subject notification must include:
- The fact that their personal information has been compromised
- The nature of the compromise (what happened and what data was affected)
- What the organisation is doing about it
- What the data subject can do to protect themselves
- Contact details for further queries
Acceptable notification methods include direct email or letter to affected individuals, prominent notice on your website if individual notification is not reasonably possible, or notification through the media if the number of affected persons is very large and individual notification would require disproportionate effort.
The notification should be written in plain language — not legal boilerplate — that allows the data subject to understand what happened and take meaningful protective action.
Step 4: Document the Breach and Response
Maintain a written record of every security compromise, regardless of severity. This breach register should include:
- Date and time the breach was discovered
- Nature of the breach (how it occurred, what data was affected)
- Number of data subjects affected
- Categories of personal information involved
- Actions taken to contain the breach
- Date and content of Regulator notification
- Date and method of data subject notification
- Outcome of any investigation
- Remediation actions taken
This register is your primary evidence of POPIA compliance in the event of a Regulator investigation. An organisation that cannot produce a breach register — or whose register shows breaches that were not notified — is in a significantly worse position than one with thorough documentation.
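The four steps above amount to a small, checkable data structure: a register row per incident, plus a review that flags what is still outstanding. The following Python is an added example written for this guide, not a tool published by the Information Regulator or any project; the field names, the two sample incidents and the finding strings are assumptions, while the 72-hour target, the Section 22(2) content items and the special-information categories are taken from the steps above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Practice target from Step 2: 72 hours from becoming aware of the breach.
NOTIFICATION_TARGET = timedelta(hours=72)

# Section 22(2) items a Regulator notification must carry (Step 2). The identity
# of the unauthorised person is only required "if known", so it is checked separately.
REGULATOR_REQUIRED_ITEMS = ("consequences", "measures", "information_list")

# Categories the guide names as special personal information (Step 1).
SPECIAL_CATEGORIES = {"health", "financial", "biometric"}


@dataclass
class BreachRecord:
    """One row of the Step 4 breach register. Field names are assumed, not from POPIA."""
    reference: str
    discovered_at: datetime
    nature: str
    data_subjects_affected: int
    categories: list
    containment_actions: list = field(default_factory=list)
    regulator_notified_at: Optional[datetime] = None
    regulator_notification: dict = field(default_factory=dict)
    subjects_notified_at: Optional[datetime] = None
    subjects_notification_method: Optional[str] = None
    investigation_outcome: Optional[str] = None
    remediation_actions: list = field(default_factory=list)


def hours_since_discovery(record, at):
    """Elapsed hours between discovery and the moment `at` (both timezone-aware)."""
    return (at - record.discovered_at).total_seconds() / 3600.0


def missing_regulator_items(record):
    """Section 22(2) items that are absent or empty in the Regulator notification."""
    return [k for k in REGULATOR_REQUIRED_ITEMS if not record.regulator_notification.get(k)]


def review_record(record, now):
    """Findings for one register row, evaluated at time `now`. Empty list means nothing outstanding."""
    findings = []
    elapsed = now - record.discovered_at

    # Step 2: Regulator notification timing and content.
    if record.regulator_notified_at is None:
        if elapsed > NOTIFICATION_TARGET:
            findings.append("regulator notification overdue against 72-hour target")
        else:
            remaining = (NOTIFICATION_TARGET - elapsed).total_seconds() / 3600.0
            findings.append(f"regulator notification due in {remaining:.1f} h")
    else:
        if record.regulator_notified_at - record.discovered_at > NOTIFICATION_TARGET:
            findings.append("regulator notification sent after 72-hour target")
        for item in missing_regulator_items(record):
            findings.append(f"regulator notification missing s22(2) item: {item}")
        if not record.regulator_notification.get("identity"):
            findings.append("unauthorised person not identified (permitted if unknown; update when known)")

    # Step 3: data subject notification.
    if record.data_subjects_affected > 0 and record.subjects_notified_at is None:
        findings.append("affected data subjects not yet notified")

    # Step 1: special personal information raises the likely harm and belongs in the assessment.
    special = SPECIAL_CATEGORIES.intersection(c.lower() for c in record.categories)
    if special:
        findings.append("special personal information involved: " + ", ".join(sorted(special)))
    if not record.containment_actions:
        findings.append("no containment actions recorded")
    return findings


def review_register(records, now):
    """Map each register reference to its list of findings."""
    return {r.reference: review_record(r, now) for r in records}


# Constructed sample register: two hypothetical incidents, not real events.
UTC = timezone.utc
SAMPLE_REGISTER = [
    BreachRecord(
        reference="INC-A", discovered_at=datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
        nature="misdirected email with customer statements", data_subjects_affected=12,
        categories=["contact details", "financial"], containment_actions=["recall requested", "recipient confirmed deletion"],
        regulator_notified_at=datetime(2024, 3, 2, 15, 0, tzinfo=UTC),
        regulator_notification={"consequences": "exposure of account balances", "measures": "recall, recipient deletion",
                                "information_list": "names, account numbers, balances"},
        subjects_notified_at=datetime(2024, 3, 3, 10, 0, tzinfo=UTC), subjects_notification_method="email",
    ),
    BreachRecord(
        reference="INC-B", discovered_at=datetime(2024, 3, 5, 8, 0, tzinfo=UTC),
        nature="unauthorised access to marketing database", data_subjects_affected=5000,
        categories=["email addresses"],
    ),
]
REVIEW_TIME = datetime(2024, 3, 10, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    for ref, findings in review_register(SAMPLE_REGISTER, REVIEW_TIME).items():
        print(ref, "->", findings or ["nothing outstanding"])
```

Run as a script, the review shows INC-A as complete apart from the unidentified intruder and the special-category flag, while INC-B, five days after discovery with no Regulator or data subject notification and no containment recorded, is exactly the position Step 4 warns about. Keeping the review logic separate from the register rows means the same check can be run against a spreadsheet export during the tabletop exercises described under readiness below.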
What Happens If You Don't Notify?
Failure to notify is one of the most clearly enforceable POPIA contraventions. Unlike some compliance gaps that require investigation to uncover, a failure to notify a known breach is often discovered through the breach itself — a data subject who knows their information was compromised, a third party that reports the breach publicly, or a cyber insurance claim that triggers regulatory scrutiny.
The Information Regulator can impose administrative fines of up to R10 million for failure to comply with Section 22. The Information Officer carries personal liability for compliance failures. And late or absent notification — when a breach becomes public through other means — is reputationally damaging in a way that proactive, transparent notification is not.
Building Readiness Before an Incident
The organisations that handle breach notification well are those that have prepared for it in advance. Preparation means:
A documented breach response procedure: Who declares a breach, who is responsible for the Regulator notification, who drafts the data subject notification, and who signs off on communications.
Template notifications: A draft Regulator notification and a draft data subject notification that can be adapted quickly. Having these ready reduces the time pressure when a real incident occurs.
A breach register: A file or spreadsheet where every incident — including minor ones that may not meet the Section 22 threshold — is recorded. This gives you an audit trail and helps identify patterns.
Tested communication channels: If you need to notify 5,000 customers by email, you need to know that your email system can send at that volume and that your customer email list is current. Test this before you need it.
A POPIA assessment will identify whether your organisation has these elements in place. Most South African businesses that have not formally addressed breach notification do not have a response procedure, do not have template notifications, and have never tested their ability to notify at scale.