Your business has just had a breach. Someone accessed client data they should not have. You do not know the full extent yet. You are not sure if it is serious enough to report.
POPIA does not give you the option to decide later.
Section 22 of the Protection of Personal Information Act requires you to notify both the Information Regulator and affected data subjects "as soon as reasonably possible" after you have reasonable grounds to believe a breach has occurred. The phrase "as soon as reasonably possible" has teeth. The question is not whether to report. The question is how quickly and what to include.
This guide covers exactly that.
What triggers the notification obligation under POPIA Section 22
The obligation is triggered when you have reasonable grounds to believe that personal information held by your organisation has been accessed or acquired by an unauthorised person.
"Reasonable grounds to believe" does not require certainty. It does not require a completed forensic investigation. It does not require knowing the identity of the attacker. If your monitoring shows unusual data access patterns, if an employee has reported a potential phishing compromise, if your IT service provider has flagged anomalous behaviour, or if files are encrypted and a ransom note has appeared, you have reasonable grounds.
The notification obligation covers any type of breach: ransomware, unauthorised access by an external attacker, data sent to the wrong recipient, a stolen device containing personal information, or employee misuse of data.
Not every breach triggers the notification obligation. If the breach involves personal information that was already publicly available, or if it is unlikely that the unauthorised access will cause any harm to the data subjects, the Regulator may accept that notification to data subjects is not required in that specific case. But you still need to assess this and document your reasoning. The default is to notify unless you have a clear basis for concluding harm is unlikely.
Who you have to notify and in what order
First, notify the Information Regulator. The Regulator must receive notification before or at the same time as affected data subjects. Do not notify clients before you have submitted to the Regulator.
The Information Regulator's notification process is online at www.justice.gov.za/inforeg/. As of 2026, the Regulator accepts breach notifications via email at [email protected], but check the current process on the website before submitting.
Second, notify the affected data subjects. These are the people whose personal information was compromised. If the breach involves employee data, those employees must be notified. If it involves client data, those clients must be notified. If it involves data the business held on behalf of someone else, the data controller, meaning your client, must also be notified.
The notification to data subjects can be done in any manner that is reasonably likely to reach them. Email is acceptable if you have current email addresses. In some circumstances, a public notice in a newspaper or on your website may be appropriate if direct notification is not possible for all affected individuals.
What your notification must contain
The notification to the Information Regulator must include:
The nature of the personal information involved, meaning what categories of data were compromised. Names, ID numbers, banking details, health information, and so on, each reported separately.
The number of data subjects affected, or a reasonable estimate if the exact number is not yet established.
The identity of the unauthorised person, if known. If not known, say so.
The likely consequences of the breach for affected data subjects.
The measures taken or planned to address the breach, including any steps to minimise the harm.
The notification to data subjects must include the same information in a form they can understand, plus specific guidance on what they should do to protect themselves. If banking details were exposed, advise them to alert their bank. If ID numbers were compromised, advise them to place a fraud alert with the South African Fraud Prevention Service.
How long "as soon as reasonably possible" has been interpreted in practice
The Act does not specify a number of days. GDPR, which is the EU equivalent, specifies 72 hours. The Information Regulator has not formally published an SA-specific timeline.
In practice, guidance from the Regulator and from legal practitioners specialising in information law consistently suggests that "as soon as reasonably possible" means within a few days of the breach being identified, not within a few weeks. The emphasis is on speed, not on completing your full investigation before you notify.
The DoJ&CD enforcement case, in which the Department of Justice itself was fined R5 million following a ransomware incident in 2021, established that the Regulator can and will enforce. That case also made clear that delayed or inadequate notification is itself a compliance failure.
Your obligation is not to have all the answers when you notify. Your obligation is to notify early and update as your investigation progresses.
The risk of not notifying
The Information Regulator can issue compliance notices, require remediation steps, and impose administrative fines of up to R10 million for breaches of POPIA. Repeat or wilful non-compliance can also result in criminal prosecution with penalties including imprisonment.
The DoJ&CD R5 million fine is the most visible enforcement action to date. It was levied not just for the breach itself but for the Department's failure to implement adequate security measures and for non-compliance with its obligations under the Act.
For a business, the reputational damage of an undisclosed breach that later becomes public is typically worse than the damage of a promptly and transparently handled one. Clients who discover a breach through a WhatsApp group, as happened with the Durban school case discussed in our school data breach article, react differently to clients who receive a direct, honest notification from the business.
What to do in the first 24 hours after discovering a breach
Take these steps, in order:
Contain the breach. Change compromised credentials. Isolate affected systems. Prevent further access or exfiltration if possible. This happens immediately, before you do anything else.
Preserve evidence. Do not wipe systems or delete logs. The forensic trail matters for your investigation and for SAPS.
Assess the scope. What data was involved? Whose data? What is the likely harm to affected individuals? You do not need all the answers now, but you need to start gathering them.
Notify the Information Regulator. Submit within 72 hours of identifying the breach. If you do not have all the information yet, submit what you have and indicate that the investigation is ongoing. You can submit an updated notification as more information becomes available.
Notify affected data subjects. As soon as you have notified the Regulator, or concurrently, notify the individuals whose data was compromised. Be direct. Tell them what happened, what data was involved, and what they should do.
Document everything. Every step, every call, every decision. Your response records may be reviewed by the Regulator, your insurer, or in legal proceedings.
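The first-24-hours steps above come down to three things that are easy to get wrong under pressure: submitting a Regulator notification that omits a required item, notifying clients before the Regulator, and losing track of the clock. The script below is an added example, not tooling from this article or from Ubuntu Guard. It encodes the Section 22 content items listed earlier, the Regulator-before-data-subjects ordering, and the 72-hour target this guide recommends, and drafts both notices from one incident record. The incident, the category-to-guidance mapping and the field names are constructed for illustration; the 72-hour figure is this guide's recommendation, not a statutory deadline.

```python
"""Breach-notification checklist and deadline tracker (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Protective step to give data subjects per category, following the article's
# advice for banking details and ID numbers. Other categories get generic advice.
GUIDANCE = {
    "banking details": "Alert your bank and watch your accounts for transactions you did not make.",
    "ID numbers": "Place a fraud alert with the South African Fraud Prevention Service.",
}
GENERIC_GUIDANCE = "Treat unsolicited calls, emails or messages that quote your personal details with suspicion."

# The article's recommended submission window, measured from the moment you had
# reasonable grounds to believe a breach occurred (not from the end of the investigation).
REGULATOR_TARGET = timedelta(hours=72)


@dataclass
class Incident:
    discovered_at: datetime               # when reasonable grounds arose
    data_categories: List[str]            # e.g. ["names", "ID numbers"]
    subjects_affected: Optional[int]      # None until at least an estimate exists
    unauthorised_party: Optional[str]     # None while the attacker is unknown
    likely_consequences: str
    measures_taken: str
    regulator_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None


def missing_regulator_items(inc: Incident) -> List[str]:
    """Section 22 items that must be present before the Regulator notice goes out.
    Subject count and attacker identity may legitimately be unknown; they are
    rendered as 'not known' rather than treated as missing."""
    missing = []
    if not inc.data_categories:
        missing.append("nature of the personal information")
    if not inc.likely_consequences:
        missing.append("likely consequences")
    if not inc.measures_taken:
        missing.append("measures taken or planned")
    return missing


def regulator_deadline(inc: Incident) -> datetime:
    return inc.discovered_at + REGULATOR_TARGET


def hours_remaining(inc: Incident, now: datetime) -> float:
    return (regulator_deadline(inc) - now) / timedelta(hours=1)


def ordering_ok(inc: Incident) -> bool:
    """Regulator must be notified before or at the same time as data subjects."""
    if inc.subjects_notified_at is None:
        return True
    return (inc.regulator_notified_at is not None
            and inc.regulator_notified_at <= inc.subjects_notified_at)


def regulator_notice(inc: Incident) -> str:
    count = "not yet established" if inc.subjects_affected is None else str(inc.subjects_affected)
    party = inc.unauthorised_party or "not known at the time of this notification"
    return "\n".join([
        "Nature of personal information: " + ", ".join(inc.data_categories),
        "Number of data subjects affected: " + count,
        "Identity of unauthorised person: " + party,
        "Likely consequences: " + inc.likely_consequences,
        "Measures taken or planned: " + inc.measures_taken,
        "Status: investigation ongoing; an updated notification will follow.",
    ])


def subject_guidance(inc: Incident) -> List[str]:
    steps = [GUIDANCE[c] for c in inc.data_categories if c in GUIDANCE]
    return steps or [GENERIC_GUIDANCE]


def subject_notice(inc: Incident) -> str:
    lines = ["What happened: unauthorised access to personal information we hold about you.",
             "What was involved: " + ", ".join(inc.data_categories),
             "What you should do:"]
    lines += ["  - " + step for step in subject_guidance(inc)]
    return "\n".join(lines)


# Constructed sample incident, not a real case.
SAMPLE = Incident(
    discovered_at=datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc),
    data_categories=["names", "ID numbers", "banking details"],
    subjects_affected=None,
    unauthorised_party=None,
    likely_consequences="Identity fraud and fraudulent account activity.",
    measures_taken="Compromised credentials reset; affected server isolated; logs preserved.",
)

if __name__ == "__main__":
    now = datetime(2026, 3, 3, 9, 0, tzinfo=timezone.utc)
    print(f"Hours left to meet the 72-hour target: {hours_remaining(SAMPLE, now):.0f}")
    print("Missing items:", missing_regulator_items(SAMPLE) or "none")
    print(regulator_notice(SAMPLE), "\n")
    print(subject_notice(SAMPLE))
```

Note that an unknown subject count or attacker is not a reason to hold the submission: the record says so explicitly and the notice is re-issued as the investigation fills the gaps, which is the "notify early, update as you go" approach the guide describes.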
If you are in the middle of a breach right now and need immediate incident response help, contact our team at /services/incident-response/. For ongoing POPIA compliance support, visit /services/popia-compliance/.
Reach us at [email protected].
Sources:
- South African Government: Protection of Personal Information Act 4 of 2013 (Published: 2013)
- Information Regulator South Africa: Breach Notification Guidance and E-Portal Reporting (Published: 2024-2026)
- Department of Justice and Constitutional Development: R5 Million Enforcement Action (Ransomware Breach 2021) (Published: 2021)
© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa ubuntuguard.co.za