Data Breach Response: What to Do in the First 72 Hours

February 8, 2026

A staff member reports that someone logged into their email account from overseas. Your accountant mentions client details in a spreadsheet that went to the wrong person. A laptop containing customer records is stolen from a staff member’s car.

These are all data breaches under POPIA. Not every breach makes the news. Most are small, contained, and fixable – but only if you respond properly. Under the Protection of Personal Information Act, you have legal obligations the moment you discover personal information has been compromised. The first 72 hours matter.

This is not legal advice. This is practical guidance on what to do when a breach happens, based on POPIA requirements and what we have seen work in real incidents. For formal legal advice, consult a qualified South African attorney.

What actually counts as a data breach

Under POPIA, a data breach is any unauthorised access to, loss of, or disclosure of personal information. That definition is broader than most people realise.

These are all data breaches:

  • Someone guesses a staff member’s password and reads their email inbox (which contains client correspondence)
  • Ransomware encrypts your server, making client records inaccessible
  • An employee sends a quote with another client’s pricing details still attached
  • A laptop containing unencrypted client data is stolen
  • An ex-employee still has access to your system two weeks after they left and views customer records
  • You discover that a database containing customer email addresses was exposed online due to a misconfigured backup

These are NOT breaches (or are not your problem):

  • A marketing email platform you use has a breach, but the data was already public (business names and contact details published on websites) – this may still need reporting depending on context
  • Someone calls pretending to be a client and tries to get information, but your staff follow verification procedures and give them nothing
  • An attempted phishing attack is blocked by your email security before anyone clicks it

The key test: was personal information accessed, lost, or disclosed by someone who should not have had access to it?

Your legal obligations under POPIA

Section 22 of POPIA requires you to notify the Information Regulator “as soon as reasonably possible” after becoming aware of a breach. There is no fixed deadline written into the law, but the 72-hour guideline comes from GDPR and is considered good practice in South Africa.

Who you must notify:

  1. The Information Regulator – always, as soon as you understand what happened
  2. Affected individuals – only if there are reasonable grounds to believe the breach will cause them harm (identity theft risk, financial loss, reputational damage, safety concerns)

What you must include in the notification:

  • Description of the breach (what happened, when you discovered it, what type of data was affected)
  • Number of people affected (approximate if exact number is not yet known)
  • Likely consequences of the breach
  • Measures you have taken or propose to take to address it
  • Recommendation for affected individuals to mitigate harm (change passwords, watch for fraud, etc.)

Contact details for the Information Regulator:

  • Email: POPIAComplaints@inforegulator.org.za
  • Website: www.inforegulator.org.za

What happens if you do not report:

Failing to notify the Information Regulator of a breach is itself a compliance failure under POPIA. Penalties include fines up to R10 million and potential criminal charges for serious cases. More practically, a breach that is discovered later – after you knew about it but did not report it – looks far worse than one you reported promptly.

The first 72 hours: what to do and when

Time matters. Here is a practical timeline for the first three days after you discover a breach.

Hour 1: Contain the damage

Stop the breach from getting worse. Your immediate actions depend on what happened:

If it is a compromised account:

  • Disable the affected account immediately
  • Force a password reset
  • Revoke any active sessions
  • Check the account’s recent activity (sent emails, file access, login locations)

If it is ransomware or malware:

  • Disconnect affected devices from the network (unplug network cable, turn off WiFi)
  • Do not shut down the device – some forensic information is lost when you power off
  • Call your IT support immediately – this is a priority incident

If it is a lost or stolen device:

  • Remotely wipe the device if you have mobile device management
  • Change passwords for any accounts that were logged in on that device
  • If the device was not encrypted, assume the data on it is now accessible

If it is an accidental disclosure (wrong recipient, wrong attachment):

  • Try to recall the message if possible (Outlook recall rarely works, but try)
  • Contact the recipient and ask them to delete it and confirm deletion
  • Document the conversation

In all cases:

  • Preserve evidence – screenshots, logs, email headers, anything that shows what happened
  • Do not delete or wipe systems before documenting what occurred
  • Start a written timeline of events as you discover them

Hours 1-24: Assess the scope

You need to understand what data was affected, how many people, and what the risk is. This determines whether you notify affected individuals and what you tell the Information Regulator.

Questions to answer:

  • What type of personal information was compromised? (Names and emails are different from ID numbers and banking details)
  • How many individuals are affected?
  • Was the data encrypted or otherwise protected?
  • How long did the unauthorised access exist before you discovered it?
  • Is there evidence the data was actually accessed or copied, or just potentially accessible?
  • What harm could come to the affected individuals? (This determines whether you notify them)

Who to involve:

  • Your IT support or internal IT person – they can check logs, access records, and system activity
  • Your Information Officer (usually the owner or director) – they are legally responsible
  • A legal advisor if the breach is significant or complex
  • Your insurer if you have cyber insurance

Do not:

  • Try to cover it up or delay reporting because you are not sure yet – report what you know and update as you learn more
  • Publicly announce anything before you understand the scope – premature communication can cause unnecessary panic
  • Assume it is fine just because no client has complained yet

Hours 24-72: Notify and document

By now you should understand what happened and what the impact is. Time to fulfil your legal obligations.

Notify the Information Regulator:

Draft your notification email to POPIAComplaints@inforegulator.org.za. Include:

  • Your organisation details and Information Officer contact details
  • Date and time of discovery (not necessarily when it happened, but when you became aware)
  • Description of the breach – what occurred, how it occurred
  • Type of personal information affected (be specific – client names and emails, ID numbers, financial records, etc.)
  • Number of data subjects affected (approximate is acceptable if exact count is not yet known)
  • Steps taken to contain and remedy the breach
  • Steps you recommend to affected individuals
  • Contact person for follow-up queries

Decide whether to notify affected individuals:

You must notify them if there are “reasonable grounds to believe” the breach will cause harm. Examples of harm include:

  • Identity theft risk (if ID numbers, passwords, or financial information was exposed)
  • Financial loss (if banking details or payment information was compromised)
  • Reputational damage (if sensitive personal or business information was disclosed)
  • Safety risk (if location data or security information was exposed)

If the breach was a name and email address accidentally sent to one other person who deleted it, the harm threshold may not be met. If a database of client information was exposed online for a week, it is met.

If you notify individuals:

  • Be clear and direct about what happened
  • Tell them what information of theirs was affected
  • Explain what you have done to fix it
  • Give them specific steps to protect themselves (change passwords, monitor accounts, etc.)
  • Provide a contact point for questions
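The harm-threshold decision and the advice you give individuals can be written down as a checklist so that the same reasoning is applied every time. The following Python example is an added illustration, not part of the article or the company's own tooling: it encodes the four harm categories listed above (identity theft, financial loss, reputational damage, safety risk) and the two mitigating facts the article mentions (the data was encrypted; a single recipient confirmed deletion). The category names, the mapping from data types to harms, and the rule that public exposure meets the threshold even for low-risk data are this example's assumptions, not wording from POPIA.

```python
"""Harm-threshold check: should affected individuals be notified?

Added example. Data categories, their harm mapping and the decision rules
are assumptions chosen to mirror the article's examples, not legal text.
"""

# Which harm a data category can cause if exposed (assumed mapping).
# None means the category alone does not normally meet the harm threshold.
HARM_BY_CATEGORY = {
    "id_number": "identity theft",
    "password": "identity theft",
    "banking_details": "financial loss",
    "payment_card": "financial loss",
    "medical_record": "reputational damage",
    "confidential_business": "reputational damage",
    "home_address": "safety risk",
    "location_history": "safety risk",
    "alarm_codes": "safety risk",
    "name": None,
    "email": None,
    "phone": None,
}

# Specific protective steps to pass on to individuals, per harm (assumed wording).
ADVICE_BY_HARM = {
    "identity theft": "change your passwords and watch for accounts or credit opened in your name",
    "financial loss": "monitor bank and card statements and report unknown transactions at once",
    "reputational damage": "be aware the information may have been seen by others; contact us with concerns",
    "safety risk": "review your physical security arrangements; contact us for support",
}


def assess(categories, encrypted=False, public_exposure=False,
           recipient_confirmed_deletion=False):
    """Decide whether to notify individuals.

    categories: data types involved (keys of HARM_BY_CATEGORY)
    encrypted: the data was encrypted and the key was not exposed
    public_exposure: the data was reachable by the public (e.g. an exposed backup)
    recipient_confirmed_deletion: a single wrong recipient confirmed deletion
    Returns a dict with notify (bool), harms, reason and advice.
    """
    unknown = [c for c in categories if c not in HARM_BY_CATEGORY]
    if unknown:
        raise ValueError(f"unknown data categories: {unknown}")
    harms = sorted({HARM_BY_CATEGORY[c] for c in categories} - {None})

    if encrypted:
        return {"notify": False, "harms": [], "advice": [],
                "reason": "data was encrypted; not readable by whoever obtained it"}

    if not harms and not public_exposure:
        why = "only low-risk details (names, contact details) involved"
        if recipient_confirmed_deletion:
            why += " and the recipient confirmed deletion"
        return {"notify": False, "harms": [], "advice": [], "reason": why}

    if harms:
        reason = "reasonable grounds for harm: " + ", ".join(harms)
        advice = [ADVICE_BY_HARM[h] for h in harms]
    else:
        reason = "personal information was publicly exposed; its reach and use cannot be ruled out"
        advice = ["watch for unexpected contact that uses your details"]
    return {"notify": True, "harms": harms, "advice": advice, "reason": reason}


if __name__ == "__main__":
    # The two situations the article contrasts, as constructed inputs.
    print(assess(["name", "email"], recipient_confirmed_deletion=True))
    print(assess(["name", "email", "id_number", "banking_details"], public_exposure=True))
```

Record the returned reason in the incident log either way; a documented decision not to notify is as important to the Information Regulator as the notification itself.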

Document everything:

Keep a written record of:

  • Timeline of events from discovery to resolution
  • Who was notified and when
  • What actions were taken and by whom
  • Any responses from the Information Regulator or affected individuals
  • Costs incurred (for insurance and internal review)

This documentation is critical if the Information Regulator investigates or if affected individuals make claims.

What NOT to do after a breach

We have seen businesses make these mistakes. Do not repeat them.

Do not try to hide it

Hoping nobody notices or trying to fix it quietly without reporting is a terrible idea. If the Information Regulator finds out later that you knew about a breach and did not report it, the penalties are worse than if you had reported it immediately. And in most cases, someone does find out.

Do not wipe evidence

When a system is compromised, the instinct is to rebuild it immediately and get back to work. That destroys forensic evidence that might show what happened, what data was accessed, and whether the attacker is still in your systems. Contain first, investigate second, rebuild third.

Do not assume it is over

Just because you changed a password or deleted a file does not mean the breach is resolved. Attackers who compromise an email account often set up forwarding rules to keep receiving your emails even after you change the password. Ransomware often sits in a network for days or weeks before activating. A proper investigation confirms whether the threat is actually gone.
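Checking the account's recent activity (the Hour 1 step above) and confirming that no forwarding rules were left behind are the same job: read the exported sign-in and mailbox audit records and pull out the events that do not belong. The following Python is an added example, not the article's or the company's own tooling. It assumes the records have already been exported (for instance from the Microsoft 365 audit log) into plain dicts with the field names shown; those field names, the sample addresses and the sample events are all constructed for the example. It also produces timestamped lines for the written timeline the article asks you to keep.

```python
"""Triage of a suspected mailbox compromise from exported logs (added example).

Field names below are an assumption of this example, not a fixed schema;
map your own export onto them. All sample records are constructed.
"""
from datetime import datetime, timezone

# Constructed sample: sign-in events for one user (TEST-NET addresses).
SIGN_INS = [
    {"time": "2026-02-06T07:55:12Z", "user": "thandi@example.co.za",
     "ip": "198.51.100.10", "country": "ZA", "result": "success"},
    {"time": "2026-02-06T23:41:03Z", "user": "thandi@example.co.za",
     "ip": "203.0.113.44", "country": "NG", "result": "failure"},
    {"time": "2026-02-06T23:42:50Z", "user": "thandi@example.co.za",
     "ip": "203.0.113.44", "country": "NG", "result": "success"},
]

# Constructed sample: mailbox audit events recording inbox rule changes.
AUDIT_EVENTS = [
    {"time": "2026-02-06T23:47:31Z", "user": "thandi@example.co.za",
     "operation": "New-InboxRule",
     "params": {"Name": "Invoices", "ForwardTo": "collect@example.net",
                "DeleteMessage": "True"}},
    {"time": "2026-02-07T08:10:00Z", "user": "thandi@example.co.za",
     "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

HOME_COUNTRIES = {"ZA"}              # where staff normally sign in from
INTERNAL_DOMAINS = {"example.co.za"}  # forwarding inside these domains is expected
# Rule parameters that send mail elsewhere, or hide it from the mailbox owner.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_PARAMS = ("DeleteMessage", "MarkAsRead")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def foreign_signins(events, home=HOME_COUNTRIES):
    """Successful sign-ins from outside the countries staff work from."""
    return [e for e in events if e["result"] == "success" and e["country"] not in home]


def suspicious_rules(events, internal=INTERNAL_DOMAINS):
    """Inbox rules that forward mail to an external address or delete/hide it."""
    found = []
    for e in events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["params"]
        reasons = []
        for key in FORWARDING_PARAMS:
            target = p.get(key)
            if target and target.rsplit("@", 1)[-1].lower() not in internal:
                reasons.append(f"{key}={target}")
        for key in HIDING_PARAMS:
            if str(p.get(key, "")).lower() == "true":
                reasons.append(f"{key}=True")
        if reasons:
            found.append({"time": e["time"], "rule": p.get("Name", "?"), "reasons": reasons})
    return found


def earliest_compromise(sign_in_events, rule_events):
    """Earliest flagged event: the start of the exposure window to report."""
    times = [parse_time(e["time"]) for e in foreign_signins(sign_in_events)]
    times += [parse_time(r["time"]) for r in suspicious_rules(rule_events)]
    return min(times) if times else None


def timeline(sign_in_events, rule_events):
    """Timeline lines, oldest first, for the written incident record."""
    entries = []
    for e in foreign_signins(sign_in_events):
        entries.append((parse_time(e["time"]),
                        f"successful sign-in from {e['country']} ({e['ip']}) for {e['user']}"))
    for r in suspicious_rules(rule_events):
        entries.append((parse_time(r["time"]),
                        f"inbox rule '{r['rule']}' created: {', '.join(r['reasons'])}"))
    entries.sort()
    return [f"{t.isoformat()}  {desc}" for t, desc in entries]


if __name__ == "__main__":
    for line in timeline(SIGN_INS, AUDIT_EVENTS):
        print(line)
```

The forwarding rule in the sample is created five minutes after the foreign sign-in; a password reset alone would not remove it, which is why the rule check has to be part of confirming the incident is over.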

Do not communicate publicly before you understand the scope

Sending a panicked email to all your clients saying “we may have been hacked” before you know what actually happened damages trust and may not even be accurate. Understand the situation first, then communicate clearly.

Do not ignore your IT provider’s recommendations

If your IT support tells you to enable multi-factor authentication, encrypt devices, or segment your network after a breach, do it. These are not upsells. They are the fixes that prevent the same breach from happening again.

How to reduce your breach risk before it happens

Most breaches are preventable. Not with expensive enterprise security, but with basic measures that most small businesses either skip or do inconsistently.

Multi-factor authentication on all accounts

A stolen password is useless if the attacker also needs access to your phone to approve the login. MFA blocks over 99% of account compromise attacks according to Microsoft. Enable it on every business account, especially email and financial systems.

Endpoint protection and monitoring

Managed antivirus catches known threats. Endpoint Detection and Response (EDR) catches suspicious behaviour even from new threats. More importantly, somebody needs to be watching when these tools flag something at 2am. See our security solutions for how this works.

Email authentication

DMARC, SPF, and DKIM stop criminals from sending emails that look like they come from your business. That protects your clients and prevents your domain being used in fraud. Our BEACON platform manages this from R150 per month.
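Whether these records actually protect you depends on the settings inside them: an SPF record ending in "?all" or a DMARC policy of "p=none" is published but stops nothing. The following Python is an added example, not the article's or the BEACON platform's code. It parses SPF and DMARC record text you would fetch yourself from DNS TXT lookups (it does no network access, and DKIM is not checked because its records live under per-selector names), and reports settings that leave a domain spoofable. The two domains and their records are constructed: one weak, one as it should look.

```python
"""Check SPF and DMARC record text for settings that leave a domain spoofable.

Added example. Takes record text already fetched from DNS (no lookups are
made here). Sample records below are constructed for two hypothetical domains.
"""
import re

SAMPLE_RECORDS = {
    # Weak: SPF neutral for everyone, DMARC monitor-only.
    "weak.example": "v=spf1 include:spf.protection.outlook.com ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    # As it should look: SPF hard fail, DMARC reject with reporting.
    "strong.example": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; pct=100; rua=mailto:reports@strong.example; adkim=s; aspf=s",
}

# SPF terms that each cost one of the ten DNS lookups allowed (RFC 7208).
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return {'lookups': n, 'all': qualifier} or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = {"lookups": 0, "all": None}
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, 1)[0].lower()
        if name == "all":
            parsed["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            parsed["lookups"] += 1
    return parsed


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def check_domain(records, domain):
    """Findings (strings) for one domain; an empty list means nothing to fix."""
    findings = []
    spf = parse_spf(records.get(domain, ""))
    if spf is None:
        findings.append("no SPF record: receivers cannot tell which servers may send for this domain")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF ends in '+all'/'?all' or has no 'all': any server passes SPF; use '-all'")
        elif spf["all"] == "~":
            findings.append("SPF '~all' (softfail): spoofed mail is only marked, not rejected; prefer '-all'")
        if spf["lookups"] > 10:
            findings.append(f"SPF has {spf['lookups']} lookup terms in this record alone; over 10 the record is a permanent error")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy for mail that fails SPF/DKIM")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered; move to quarantine, then reject")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail lands in junk rather than being rejected")
        pct = int(dmarc.get("pct", "100"))      # pct defaults to 100 when absent
        if policy != "none" and pct < 100:
            findings.append(f"DMARC pct={pct}: the policy applies to only {pct}% of failing mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: you get no reports of who is sending as your domain")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, check_domain(SAMPLE_RECORDS, d) or ["no findings"])
```

Run it against your own records after any change to mail hosting; the lookup count only covers terms in the record you pass in, so nested includes still need to be followed by hand or by a resolver.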

Access controls

Not everyone in your business needs access to everything. Limit who can see personal information to those who need it for their job. Use individual user accounts, not shared logins. Remove access immediately when someone leaves. These are not technical challenges – they are policy decisions.

Regular, tested backups

If ransomware encrypts your data or a staff member deletes the wrong folder, a recent backup that you know works is the difference between a bad day and a disaster. Backups must be off-site or cloud-based so ransomware cannot reach them. See our disaster recovery guide for how to set this up properly.

Staff awareness

Your staff do not need formal cybersecurity training. They need to know three things: do not open unexpected attachments, do not click links in emails that create urgency, and report anything suspicious instead of ignoring it. The person who reports a weird email has just prevented a breach.

Encryption on portable devices

Any laptop or external drive that leaves the office should have full disk encryption enabled. If the device is lost or stolen, the data on it is unreadable. This is built into Windows Pro and requires no additional software – just someone to turn it on and manage it.

Is your business ready to respond?

Most small businesses find out they were not prepared for a breach only after one happens. By then, it is too late to avoid the scramble.

If you are not certain your current IT setup would contain a breach, or if you do not know who your Information Officer is or what your notification obligations are, we can help you work it out.

Talk to us about your data protection

Or get in touch directly:

Call: 087 820 5005

WhatsApp: 081 526 1626

Already managing your own IT? Make sure you have the basics covered. Our POPIA compliance guide explains what your IT setup needs to include to meet South African data protection law. And see our security solutions for endpoint protection, email security, and monitoring that catch breaches before they escalate.
