
POPIA Data Breach Notification: What You Must Do

POPIAdesk Team · 6 min read

Section 22 of POPIA requires responsible parties to notify both the Information Regulator and affected data subjects when a data breach occurs. Acting quickly and correctly is critical — delays can compound both legal and reputational damage.

What Constitutes a Breach?

A data breach under POPIA includes any unauthorised access to, or acquisition of, personal information that compromises the confidentiality, integrity, or availability of that information. Examples include:

  • Hacking or other cyber attacks resulting in data exposure
  • Lost or stolen devices containing personal information
  • Accidentally emailing personal information to the wrong recipient
  • An employee accessing records without authorisation
  • Ransomware attacks affecting personal information

Notification Requirements

Who to Notify

  1. Information Regulator — Must be notified as soon as reasonably possible after the breach is discovered.
  2. Affected Data Subjects — Must be notified if the breach poses a risk of harm to them.

What to Include

The notification must contain:

  • Description of the possible consequences of the breach
  • Description of the measures taken or proposed to address the breach
  • Recommendation about the measures data subjects can take to mitigate harm
  • Identity and contact details of the Information Officer

Timing

POPIA requires notification "as soon as reasonably possible" after the breach is discovered. While there's no specific hour or day deadline, best practice is to notify within 72 hours, aligned with international standards like the GDPR.

Preparing for Breaches

Don't wait for a breach to happen. Have a breach notification template ready. POPIAdesk can generate a compliant breach notification letter pre-filled with your organisation's details, ready to customise when needed.

Ready to get POPIA compliant?

POPIAdesk helps South African businesses generate compliance documents, track their compliance score, and manage data subject requests.