What to Do When You Have a Data Breach in South Africa (POPIA Response Plan)

Data Breaches Happen to Businesses of All Sizes

A data breach is not something that only happens to banks and hospitals. If your website gets hacked, if an employee accidentally emails a spreadsheet of customer details to the wrong person, or if your laptop gets stolen with client records on it, you have experienced a data breach under POPIA.

The Protection of Personal Information Act (POPIA) has very specific requirements for how you must respond. Getting this wrong can turn a manageable incident into a catastrophe with severe fines and even prison time.

Step 1: Contain the Breach Immediately

The moment you discover a breach, take immediate action to stop it from getting worse:

  • Disconnect compromised systems from the network.
  • Change all passwords for affected accounts.
  • Revoke access tokens for compromised APIs or third-party integrations.
  • Preserve evidence: do not wipe logs or servers, as you will need them for the investigation.

Step 2: Assess What Was Compromised

Determine the scope of the breach. Ask yourself:

  • What categories of personal information were exposed (names, emails, financial data, ID numbers)?
  • How many people are affected?
  • Is the breach ongoing or has it been contained?
  • Was the data encrypted or in plain text?

Step 3: Notify the Information Regulator

POPIA Section 22 requires your Information Officer to notify the Information Regulator of any data breach "as soon as reasonably possible" after discovering it. Unlike the GDPR, POPIA sets no hard 72-hour deadline, but any unnecessary delay will be treated as a serious aggravating factor if the Regulator investigates.

Your notification must include:

  • A description of the breach.
  • The categories and approximate number of data subjects affected.
  • What measures you have taken and plan to take.
  • A recommendation on what affected individuals should do to protect themselves.

Step 4: Notify the Affected Individuals

You must also directly notify every person whose data was compromised. This notification must be in writing (email is acceptable), must be in plain language, and must include the same details you gave the Regulator plus specific guidance on what they should do (e.g., change passwords, monitor bank statements).

Step 5: Review and Strengthen

After a breach, you must take concrete steps to prevent it from happening again. This includes reviewing your security measures, updating your compliance checklist, training staff, and documenting the lessons learned.

Prevention Starts with Compliance

The best way to minimise the impact of a data breach is to have your compliance foundations in place before one happens. Ensure your website has the correct legal documents, including a Privacy Policy that addresses breach procedures, by using POPIA Ready.

Get Compliant Today

Don't risk fines or reputational damage. Generate professional, POPIA-compliant legal documents for your website in 60 seconds.