Your IT team just confirmed it. Personal data has been compromised. Customer records, employee information, or client details have been accessed by someone who should not have had access. Your stomach drops. Now what?
Under POPIA, you have a legal obligation to notify the Information Regulator and the affected individuals. Failing to do so can result in fines of up to R10 million, criminal prosecution, and the kind of reputational damage that is nearly impossible to recover from.
This is the step-by-step. What to do, in what order, with what information.
Step 1: confirm a notifiable breach has occurred
Not every security incident requires notification. Under POPIA, you notify when there are "reasonable grounds to believe" that personal information has been accessed or acquired by an unauthorised person.
Notification is required when customer, employee, or client personal information has been accessed without authorisation. Names. ID numbers. Contact details. Financial information. Health records. Anything that can identify a specific person. The breach can be a cyber attack. It can equally be a stolen laptop, an employee sending data to the wrong recipient, a physical break-in where documents were taken, or a misconfigured system that exposed data publicly.
Notification is typically not required when the breach involved only data that is already publicly available, when the data was encrypted and the encryption key was not compromised, or when you can demonstrate that the unauthorised access could not reasonably result in harm.
If you are unsure whether your incident meets the threshold, err on the side of notification. The consequences of failing to notify are far worse than notifying unnecessarily.
Step 2: notify the Information Regulator
Since April 2025, breach notifications to the Information Regulator must be submitted through their online eServices Portal. This replaced the previous email-based notification process.
How to access the portal. Visit inforegulator.org.za and navigate to the eServices Portal. Create an account if you do not already have one. Keep your login credentials secure. You may need to submit updates or respond to follow-up queries.
When to notify. POPIA requires notification "as soon as reasonably possible" after the breach has been discovered. The Act does not specify a hard deadline like the GDPR's 72 hours, but the expectation is that you act without unnecessary delay. In practice, if you are taking more than 72 hours, you should be able to justify the delay. Legitimate reasons for a short delay include law enforcement asking you to hold notification to support an investigation, or the need to gather basic facts about the scope of the breach.
What the notification must include.
- A description of the nature of the security compromise. What happened? Cyber attack. Lost device. Internal error. Something else.
- A description of the personal information compromised. Names and contact details. ID numbers. Financial information. Health records. Be specific about the categories.
- An estimate of the number of data subjects affected. If you do not have an exact count, provide your best estimate and note that it may change as the investigation continues.
- The identity and contact details of your Information Officer or designated contact person.
- A description of the measures you have taken or intend to take. What have you done to contain the damage? What are you doing to prevent it from happening again?
- Recommendations regarding the measures affected data subjects should take to protect themselves.
For a plain-language walkthrough of section 22 timelines and what counts as a notifiable breach, see our POPIA breach notification guide.
Step 3: notify the affected individuals
In addition to notifying the Information Regulator, you must notify every person whose personal information was compromised. This is a separate obligation and equally important.
How to notify. POPIA requires that notification be communicated by post or email to the data subject's last known physical or email address, by placing a notice in a prominent position on your website, or through publication in the news media. Use the method most likely to reach the affected individuals. For most businesses, direct email notification is the most practical approach.
What to tell them. A clear description of what happened in plain language. What types of their personal information were affected. What you are doing about it. Specific recommendations for them to protect themselves. Change passwords. Enable 2FA. Monitor bank statements. Watch for phishing emails that reference the breach.
Tone matters. Be honest, direct, and empathetic. People are understandably upset when their data is exposed. Acknowledge the seriousness, take responsibility, and focus on what you are doing to make it right. Do not hide behind legal language. Do not minimise the breach. The Durban school case in our school data breach article shows exactly what happens when affected parents find out from a WhatsApp group before the institution communicates.
Step 4: investigate and remediate
Notification is not the end of the process. You need to fully understand what happened and take steps to prevent it from happening again.
Complete the forensic investigation. Determine exactly how the breach occurred, what data was accessed, and whether the attacker still has access to your systems. If you do not have internal forensic capability, engage an external team. Ubuntu Guard provides investigation and remediation services for businesses across South Africa.
Close the vulnerability. Whatever allowed the breach to happen must be fixed before you can consider the incident resolved. Patching software. Changing access controls. Improving email security. Implementing monitoring that should have been in place.
Document everything. Keep detailed records of the timeline, the actions taken, the decisions made, and the reasoning behind them. This documentation may be requested by the Information Regulator and will be essential if any legal proceedings follow.
Update the Regulator if the situation changes. If your investigation reveals that more data was compromised than initially thought, or that more individuals are affected, submit an updated notification. The Regulator expects transparency and ongoing communication.
Step 5: prevent the next one
The most important step comes after the crisis is over. Use the lessons learned from this breach to strengthen your defences.
Get a comprehensive security assessment. A cybersecurity assessment identifies the remaining vulnerabilities in your systems, policies, and processes. You cannot fix what you have not found.
Train your staff. If the breach involved human error, such as an employee clicking a phishing email or using a weak password, training is essential. Cyber awareness training turns your team from a vulnerability into a defence layer.
Implement monitoring and detection. Many breaches in South Africa go undiscovered for months. Set up alerts for unusual login activity, failed access attempts, and changes to sensitive data. The faster you detect a breach, the less damage it causes and the simpler the notification process.
Review and update your cybersecurity policy. If you did not have a written policy before, now is the time to create one. If you did, this incident has shown you where it needs improvement.
Key contacts and resources
- Information Regulator of South Africa: inforegulator.org.za for breach notifications, complaints, and guidance.
- South African Police Service (SAPS): If the breach involved criminal activity such as hacking, ransomware, or fraud, report it to SAPS. The Cybercrimes Act 19 of 2020 requires electronic communications service providers and financial institutions to report certain incidents.
- Cybersecurity Hub: cybersecurityhub.gov.za, South Africa's national CSIRT.
- Ubuntu Guard: incident response, breach investigation, and POPIA notification assistance for businesses in Durban and across South Africa. Call 079 159 5040 or reach us at [email protected].
Do not wait for a breach to prepare
The best time to plan your breach notification process is before you need it. Know who your Information Officer is. Know how to access the eServices Portal. Know who you will call for forensic support. Have a notification template drafted and ready to customise.
If a breach happens and you are scrambling to figure out your obligations for the first time, you have already lost valuable time, and that time decides whether this is a contained incident or a catastrophe.
Sources
- South African Government: Protection of Personal Information Act 4 of 2013 (Published: 2013)
- Information Regulator South Africa: eServices Portal and Breach Notification Guidance (Published: 2024-2026)
- Department of Justice and Constitutional Development: R5 Million Enforcement Action (Ransomware Breach 2021) (Published: 2021)
- Cybersecurity Hub (CSIRT): National Computer Security Incident Response Team (Accessed: 2026)
- South African Government: Cybercrimes Act 19 of 2020 (Published: 2020)
© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa
ubuntuguard.co.za