Section 22 of POPIA requires a responsible party to notify both the Information Regulator and the affected data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person (the Act calls this a security compromise). Acting quickly and correctly is critical: delays compound both the legal exposure and the reputational damage.
What Constitutes a Breach?
POPIA does not use the word "breach". Section 22 is triggered when there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, whether the cause is an external attack, an insider, or a simple mistake. Examples include:
- Hacking or other cyber attacks that expose personal information
- Lost or stolen devices containing personal information
- Personal information emailed to the wrong recipient
- An employee accessing records without authorisation
- Ransomware attacks in which personal information is accessed, exfiltrated or encrypted
Notification Requirements
Who to Notify
- Information Regulator — Must be notified as soon as reasonably possible after the compromise is discovered.
- Affected Data Subjects — Must also be notified, unless their identity cannot be established. The Regulator may direct that notification of data subjects be delayed where it would impede a criminal investigation. Notification to data subjects must be in writing and sent by post, by email, by prominent placement on the responsible party's website, by publication in the news media, or in any other way the Regulator directs.
What to Include
The notification must give the data subject enough information to take protective measures, and must include:
- A description of the possible consequences of the compromise
- A description of the measures the responsible party has taken or intends to take to address it
- A recommendation of the measures the data subject should take to mitigate possible harm
- The identity of the unauthorised person who accessed or acquired the information, if known
In practice, also include the name and contact details of your Information Officer so that data subjects and the Regulator know where to direct queries.
Timing
POPIA requires notification "as soon as reasonably possible" after discovery. The Act allows for the time reasonably needed to establish the scope of the compromise and restore the integrity of the affected systems, and for the legitimate needs of law enforcement, but none of this justifies waiting for a complete picture before saying anything. While there is no fixed hour or day deadline, a widely used benchmark is to notify within 72 hours of discovery, which is the deadline the GDPR sets for notifying a supervisory authority. A preliminary notification that is updated as the investigation progresses is better than a late but complete one, so record the exact time of discovery and track your decisions against it.
Preparing for Breaches
Don't wait for a breach to happen. Have a breach notification template ready. POPIAdesk can generate a compliant breach notification letter pre-filled with your organisation's details, ready to customise when needed.