Data Breach Response Plan
POPIA-compliant data breach response plan template and guide
A practical data breach response plan to help your organisation comply with the notification requirements under Section 22 of the Protection of Personal Information Act (POPIA). Having a documented plan in place before a breach occurs is essential for a timely and compliant response.
1. What Constitutes a Data Breach Under POPIA
- Under Section 22, the notification duty is triggered when there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. "Reasonable grounds to believe" is the threshold: you do not need proof that data was exfiltrated before the duty arises
- Section 19 requires the responsible party to safeguard personal information against loss, damage, unauthorised destruction, and unlawful access or processing; a failure of any of these safeguards should be assessed as a potential security compromise
- Breaches can be caused by cyberattacks, employee negligence, lost or stolen devices, misdirected emails or other accidental disclosure, misconfigured systems, or system failures
- An operator (third-party processor) that has reasonable grounds to believe a compromise has occurred must notify the responsible party immediately (Section 21(2)); the responsible party remains accountable for notifying the Regulator and data subjects
2. Notification Obligations (Section 22)
- The responsible party must notify the Information Regulator and, subject to subsection (3), the affected data subjects, unless the identity of a data subject cannot be established (Section 22(1))
- Notification must be made as soon as reasonably possible after discovery of the compromise, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system (Section 22(2))
- Notification of data subjects may be delayed only if a public body responsible for the prevention, detection or investigation of offences, or the Regulator, determines that notification would impede a criminal investigation (Section 22(3)); the responsible party cannot make this determination itself
- Notification to data subjects must be in writing and communicated in at least one of the following ways: mailed to the data subject's last known physical or postal address, sent to their last known email address, placed in a prominent position on the responsible party's website, published in the news media, or as directed by the Regulator (Section 22(4))
- The notification must give the data subject enough information to take protective measures, including: a description of the possible consequences of the compromise, a description of the measures the responsible party has taken or intends to take to address it, a recommendation of what the data subject can do to mitigate possible adverse effects, and, if known, the identity of the unauthorised person who may have accessed or acquired the information (Section 22(5))
- The Regulator may direct the responsible party to publicise the compromise, in any manner it specifies, if it has reasonable grounds to believe that publicity would protect affected data subjects (Section 22(6))
3. Breach Response Timeline
- Immediately upon discovery: activate the incident response team and begin containment measures
- Within 24-48 hours: complete initial assessment of the scope, nature, and severity of the breach
- As soon as reasonably possible: notify the Information Regulator and affected data subjects as required by Section 22. POPIA does not prescribe a fixed number of days, so record the date of discovery and the reason for any interval before notification; time spent scoping the compromise or restoring systems is a recognised reason under Section 22(2), but convenience is not
- Ongoing: continue investigation, implement remediation measures, and provide updates to the Information Regulator as required
- Post-incident: conduct a thorough review and update security measures to prevent recurrence
4. Incident Response Team Roles
- Information Officer: overall responsibility for compliance, liaison with the Information Regulator, and oversight of the response
- IT/Security Lead: containment of the breach, forensic investigation, and implementation of technical remediation
- Legal Counsel: assessment of legal obligations, preparation of notifications, and management of legal risk
- Communications Lead: preparation and distribution of notifications to data subjects and, where necessary, public communications
- Senior Management: strategic decision-making, resource allocation, and sign-off on key actions
5. Containment and Assessment Steps
- Isolate affected systems (network segmentation, disabling compromised accounts, revoking credentials and tokens) to prevent further unauthorised access or data loss
- Preserve evidence for forensic investigation: do not wipe or rebuild affected systems before they have been imaged, do not delete or rotate logs, and record who handled what and when so the chain of custody is intact if law enforcement or the Regulator later requires it
- Determine the type of personal information compromised and the number of data subjects affected
- Assess the likely consequences for affected data subjects (identity theft risk, financial loss, etc.)
- Identify the root cause of the breach and take steps to address it
- Verify the identity of anyone claiming to be affected by the breach before disclosing incident details to them, since attackers use the aftermath of a breach to impersonate victims and extract further information; VerifyNow can be used for this identity verification
6. Post-Breach Review and Remediation
- Conduct a thorough post-incident review to identify lessons learned
- Update security measures, policies, and procedures based on findings
- Provide additional training to staff on data protection and breach prevention
- Review and update operator (third-party processor) agreements if the breach involved an operator
- Document all actions taken during and after the breach for regulatory and audit purposes
- Test the updated breach response plan to ensure it addresses the gaps identified