Data breaches and the notification thereof

With the Protection of Personal Information Act (POPI) created to regulate the protection of personal information, an enormous impact is expected, as South African businesses will soon be legally obligated to give notification of any data breaches.

What is expected from businesses faced with data breaches?

The responsible party will have to notify the Information Regulator, as well as the data subject, should there be reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, unless the identity of such data subject cannot be established. This notification has to be made as soon as reasonably possible.

The notification itself must be in writing and must be communicated either via email or posted to the data subject’s last known address. Alternatively, the notification could also be placed in a prominent position on the website of the responsible party, published in the media or communicated as directed by the Information Regulator. The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. It should also include a description of the measures that the responsible party has taken or intends to take to address the security breach, as well as a recommendation on what measures the data subject could take to mitigate the possible adverse effects of the breach. If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information must also be divulged to the data subject.

With the increase in identity theft in South Africa, businesses should ensure that they are actively devoting their attention to the requirements stipulated by the POPI Act. Businesses involved in data breaches may be subject to penalties including, but not limited to, an administrative fine or imprisonment.

One thing is certain: security breaches are a matter of when, and the treatment and security of personal information ought to be a matter of high priority.


Damian Bothma is a legal advisor at SEESA Consumer Protection & POPI Legal department. He obtained his LLB degree from the University of South Africa. He started his career at SEESA in 2017 after leaving practice.


