How to Handle a Data Breach in the First 72 Hours Under POPIA
A security incident is already stressful. Not knowing what you are required to do next makes it worse. This guide walks through the practical steps South African businesses typically take in the first 72 hours after discovering a data breach, with reference to what POPIA section 22 requires of responsible parties.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including whether and how the breach notification obligations apply to you — consult a qualified attorney.
---
What POPIA section 22 actually says
POPIA section 22 requires a responsible party (the entity that determines the purpose of and means for processing personal information) to notify both the Information Regulator and the affected data subjects when there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person. The data-subject notification falls away only where the identity of the data subject cannot be established.
The notification must happen as soon as reasonably possible after the responsible party discovers the compromise, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and restore the integrity of the information system. Neither the Act nor the Information Regulator's published guidance fixes a hard 72-hour deadline; that framing is borrowed from the EU's GDPR, which is a separate regime. South African practitioners and the Regulator's own communications do, however, treat "as soon as reasonably possible" as creating urgency in roughly that window, and acting within 72 hours is the standard a prudent responsible party should aim for. Check the Information Regulator's current guidance at inforegulator.org.za for the latest notification form and any updated timelines.
---
Hour 0 – Confirm you have an incident
Before anything else, establish whether this is a confirmed breach or a suspected one. The distinction matters because premature external notifications can cause unnecessary panic, while delayed confirmed notifications create legal exposure.
Actions in this phase:
- Isolate affected systems to prevent further unauthorised access. Isolate at the network level (disconnect the cable, disable the switch port or VLAN, or block at the firewall) rather than powering systems down: a shutdown destroys volatile memory, running-process state and other evidence a forensic examiner will need.
- Identify the nature of the compromise: ransomware, unauthorised access, accidental disclosure, device theft, or something else.
- Establish which categories of personal information are involved. POPIA section 26 defines special personal information (religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour). A breach involving these categories carries additional sensitivity and potentially greater harm to data subjects.
- Assign an incident lead. Your Information Officer (whose duties are set out in POPIA section 55) should be notified immediately and should coordinate the response.
---
Hours 1–12 – Contain and assess
Contain the breach
- Revoke compromised credentials, including API keys, session tokens and service accounts, not only user passwords.
- Patch or close the vector if it is known.
- Preserve logs and artefacts for forensic review.
Assess the scope
- How many data subjects are potentially affected?
- What categories of personal information were exposed (names, ID numbers, financial details, health records)?
- Is there evidence the data has already been exfiltrated, sold, or misused?
- Which third-party operators or processors (if any) had access to the data, and do they need to be notified under your data processing agreements?
Document everything as you go. POPIA section 17 requires responsible parties to maintain records of processing activities; your incident record forms part of that obligation and will be central to any regulatory inquiry.
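"Preserve logs and artefacts" means more than copying files: the copies must later be shown to be identical to what was collected, by whom and when, or they are of little use in a regulatory inquiry or prosecution. The script below is an added example of that preservation step and is not code from the Information Regulator or from this article's original text. It copies log files into an evidence directory, writes a manifest recording collector, collection time, size and SHA-256 digest of each file, hashes the manifest itself, and then re-verifies the set so that any later alteration is detected. The incident identifier, collector address, paths and sample log lines are all constructed for illustration.

```python
"""Preserve log files with a hashed chain-of-custody manifest.

Added example; the incident ID, collector, paths and log lines below are
constructed for illustration and are not taken from any real system.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir: Path, collector: str, incident_id: str) -> dict:
    """Copy each source into evidence_dir and record who collected what, when, and its digest."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 preserves the original modification time
        entries.append({
            "original_path": str(src),
            "evidence_path": str(dst),
            "size_bytes": dst.stat().st_size,
            "sha256": sha256_file(dst),
            "source_mtime_utc": datetime.fromtimestamp(
                src.stat().st_mtime, tz=timezone.utc).isoformat(),
        })
    manifest = {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # Hash the manifest too, so the record of digests can itself be checked.
    (evidence_dir / "manifest.sha256").write_text(sha256_file(manifest_path) + "\n")
    return manifest


def verify(evidence_dir: Path) -> list:
    """Re-hash every preserved file; return the names whose digest no longer matches."""
    manifest_path = evidence_dir / "manifest.json"
    recorded = (evidence_dir / "manifest.sha256").read_text().strip()
    if sha256_file(manifest_path) != recorded:
        return ["manifest.json"]  # the record itself was altered; nothing else is trustworthy
    manifest = json.loads(manifest_path.read_text())
    bad = []
    for entry in manifest["files"]:
        p = Path(entry["evidence_path"])
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            bad.append(p.name)
    return bad


def demo() -> tuple:
    """Create constructed sample logs, preserve them, then tamper with one copy."""
    work = Path(tempfile.mkdtemp())
    logs = work / "var_log"
    logs.mkdir()
    # Constructed sample lines (RFC 5737 test address), not real log data.
    (logs / "auth.log").write_text(
        "2024-03-01T02:14:07Z sshd[1182]: Accepted password for svc-backup from 203.0.113.45\n"
        "2024-03-01T02:14:09Z sudo: svc-backup : COMMAND=/usr/bin/tar czf /tmp/hr.tgz /srv/hr\n"
    )
    (logs / "webapp.log").write_text(
        "2024-03-01T02:20:31Z GET /export/customers.csv 200 4187233 203.0.113.45\n"
    )
    evidence = work / "evidence"
    manifest = preserve([logs / "auth.log", logs / "webapp.log"], evidence,
                        "ir-lead@example.invalid", "INC-0001")
    clean = verify(evidence)  # expected: [] right after collection
    with (evidence / "auth.log").open("a") as f:  # simulate a later alteration
        f.write("2024-03-01T03:00:00Z sshd[1182]: session closed\n")
    tampered = verify(evidence)  # expected: ["auth.log"]
    return len(manifest["files"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

Store the manifest and its digest somewhere the compromised environment cannot write to (a separate account, write-once storage, or a printed copy in the incident file), otherwise an attacker who still has access can rewrite the evidence and the record of it together.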
---
Hours 12–24 – Notify internally and prepare external notifications
Internal escalation
- Brief senior leadership and legal counsel.
- If your business is part of a group or uses a shared-services IT function, loop them in now.
- If a third-party processor caused or discovered the breach, confirm your contractual notification timelines with them.
Prepare the Information Regulator notification
The Information Regulator provides a prescribed notification form on its website. The submission typically requires:
- A description of the nature of the compromise.
- The categories and approximate number of data subjects affected.
- The categories and approximate number of personal information records involved.
- The likely consequences of the breach.
- The measures taken or proposed to address the compromise.
- Contact details for your Information Officer.
Do not wait until the form is perfect before submitting. An initial notification that flags the incident and states that a full assessment is underway is better than a delayed comprehensive one.
---
Hours 24–72 – Notify affected data subjects
POPIA section 22 also requires notification to the affected data subjects themselves, unless their identity cannot be established. Notification to data subjects may be delayed only where a public body responsible for the prevention, detection or investigation of offences, or the Information Regulator, determines that notifying them would impede a criminal investigation.
The Act requires the notification to be in writing and to reach data subjects through at least one of: post to their last known physical or postal address, e-mail to their last known address, a prominent notice on your website, publication in the news media, or any other channel the Regulator directs. The Regulator may also direct you to publicise the compromise if it believes that would protect data subjects. What the notification to data subjects should cover:
- What happened and when.
- What personal information was involved.
- The identity of the unauthorised person who accessed or acquired the information, if known.
- What the responsible party is doing about it.
- What the data subject can do to protect themselves (for example, monitor their bank accounts, change passwords, place a fraud alert).
- Contact details of your Information Officer for follow-up queries.
The communication should be direct, plain, and honest. Avoid corporate language that obscures what actually occurred.
---
Ongoing – Document, review, remediate
The 72-hour window is the acute phase, not the end of the process. After the immediate notifications are made:
- Continue the forensic investigation to establish root cause.
- Review and strengthen the security safeguards required under POPIA section 19.
- Assess whether your data retention practices under section 14 contributed to unnecessary exposure (data you no longer needed, still stored).
- Update your incident-response plan based on what you learned.
- Stay in contact with the Information Regulator — they may have follow-up questions or requirements.
---
A quick reference checklist
| Time | Action |
|---|---|
| Hour 0 | Confirm incident, isolate systems, notify Information Officer |
| Hours 1–12 | Contain breach, assess scope, preserve evidence, document |
| Hours 12–24 | Brief leadership and legal counsel, prepare Regulator notification |
| Hours 24–72 | Submit Regulator notification, notify affected data subjects |
| Ongoing | Investigate, remediate, update your security measures |
---
Where to get the official notification form
The Information Regulator publishes its breach notification form and guidance at [inforegulator.org.za](https://www.inforegulator.org.za). Always download the current version directly from the source — forms are updated periodically.
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. The steps described here are commonly followed by responsible parties and reflect the Regulator's published expectations, but every incident is different. For advice specific to your situation — including your notification obligations, potential liability, and communications strategy — consult a qualified attorney as early in the incident as possible.