Gone are the days when data breaches were a plot point in a Hollywood thriller. In today's digital world, they have become a routine and often unavoidable reality. The question is no longer if your organisation will face a data breach, but when. In South Africa the Protection of Personal Information Act 4 of 2013 ("POPIA") governs the collection, storage, use and safeguarding of personal information. As such, it is the cornerstone legislation when addressing data breaches - referred to as "security compromises" under POPIA.
But how well do most organisations truly understand their obligations in the event of a data breach? In this article we unpack the concept of a security compromise, outline what the law requires of responsible parties and introduce the new online portal launched by the Information Regulator to streamline the reporting of such breaches.
The responsibility to secure personal information
Section 19 of POPIA places a clear duty on responsible parties, that is, those who determine the purpose and means of processing personal information, to secure the integrity and confidentiality of personal information in their possession. This must be done through the implementation of appropriate, reasonable technical and organisational measures designed to prevent loss, damage, unauthorised access, or unlawful processing of personal information.
But what exactly are these "reasonable technical and organisational measures"? POPIA does not list them exhaustively. The phrase mirrors similar provisions in the EU's General Data Protection Regulation (GDPR), and in practice it is understood to include measures such as:
- the implementation of privacy and data protection policies;
- the adoption of data breach response plans;
- regular risk assessments;
- monitoring and audit procedures;
- staff training; and
- encryption or pseudonymisation where appropriate.
Section 19 specifically requires responsible parties to:
- identify all foreseeable internal and external risks to the security of personal information;
- establish and maintain safeguards against those risks;
- regularly verify the effectiveness of these safeguards; and
- update safeguards in response to new risks or deficiencies.
Responding to a security compromise
When a breach occurs, the immediate response can often be panic. However, POPIA provides a clear legal framework for how to handle such incidents.
What is a Security Compromise?
A security compromise is defined under POPIA as any instance where there are reasonable grounds to believe that the personal information of a data subject (that's you and me) has been accessed or acquired by an unauthorised person. The threshold for notification is not based on the number of affected individuals. Whether a single data subject or 100,000 are affected, the responsible party must act. Note also that an operator (a party processing personal information on behalf of a responsible party) must, under section 21, notify the responsible party immediately where there are reasonable grounds to believe such a compromise has occurred, so outsourced processing does not remove the responsible party's obligations.
Who Must Be Notified and When?
Section 22 of POPIA requires responsible parties to notify both the Information Regulator and the affected data subjects as soon as reasonably possible after discovering a security compromise. The section allows the timing to take account of the legitimate needs of law enforcement and of any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system, but these are reasons for a short delay, not for withholding notification. POPIA does not define "as soon as reasonably possible"; guidance from other jurisdictions, including the GDPR's 72-hour deadline for notifying the supervisory authority, suggests that a 72-hour window from discovery is a sensible benchmark, where feasible.
The notice to affected data subjects must be in writing and must contain sufficient information to allow them to take protective steps. This includes:
- a description of the possible consequences of the breach;
- a description of the remedial action taken or to be taken by the responsible party;
- recommendations to data subjects on how they can mitigate adverse effects; and
- if known, the identity of the unauthorised person who may have accessed or acquired the information.
Where appropriate, the Information Regulator may direct the responsible party to publicise the breach to ensure affected individuals are informed and can protect themselves.
Introducing the Information Regulator's new breach notification portal
To enhance transparency and streamline compliance, the Information Regulator of South Africa has introduced an online portal dedicated to logging security compromise notifications. This portal enables responsible parties to:
- log and submit details of a breach electronically;
- upload supporting documents;
- track the status of submitted reports; and
- facilitate efficient communication with the Information Regulator.
The portal is accessible via the Information Regulator's website and is intended to improve oversight, reduce administrative delays, and ensure that data breaches are recorded and investigated swiftly and effectively. Responsible parties should incorporate use of this portal into their internal breach response procedures and ensure that relevant personnel are trained on how to access and complete the online forms accurately.
Consequences of non-compliance
Failure to notify the Information Regulator and affected data subjects as required under Section 22 may lead to:
- an investigation by the Regulator into the responsible party's conduct;
- the issuing of an enforcement notice, which must be complied with or formally appealed; and
- where an enforcement notice is not complied with, criminal liability, since failure to comply with an enforcement notice is an offence under POPIA that may result in a fine, criminal prosecution, or both.
Conclusion: Be prepared, not sorry
While not all data breaches are preventable, the law expects responsible parties to have the necessary systems, policies and protocols in place to manage them effectively. The best defence is a proactive one: regularly review and update your information security measures and ensure your staff are trained to respond swiftly and in line with POPIA. And when the inevitable happens, don't panic—follow the law, notify the Regulator and data subjects without delay, and make full use of the Information Regulator's new portal to streamline your response.
After all, in the world of personal data, preparedness is protection.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.