Industries
Overview
All IndustriesSecurity Compromise Notification Generator
Generate a POPIA security compromise notification draft
A practical data breach response plan to help your organisation comply with the notification requirements under Section 22 of the Protection of Personal Information Act (POPIA). Having a documented plan in place before a breach occurs is essential for a timely and compliant response.
Security Compromise Notification Generator
Create a draft security-compromise record and data subject notification aligned to Information Regulator guidance.
Draft only. The Information Regulator says POPIA has no low-risk reporting threshold for security compromises. Responsible parties should notify the Regulator and affected data subjects as soon as reasonably sure that a compromise occurred, and may update the notification as more information becomes available.
Generated draft
SECURITY COMPROMISE NOTIFICATION DRAFT Responsible party: [responsible party name] Information Officer: [Information Officer] Contact: [contact email] Incident reference: [incident reference] Date discovered: [date discovered] 1. What happened [incident summary] 2. Personal information affected [affected personal information] 3. Affected data subjects [affected data subjects] 4. Unauthorised person, if known Unknown at this stage. 5. Possible consequences [possible consequences] 6. Measures taken or proposed [measures taken or proposed] 7. Recommended steps for affected data subjects Be alert for suspicious communications, do not share passwords or one-time PINs, and contact us if you notice unusual activity. 8. Information Regulator notification Notification will be submitted through the Information Regulator eServices portal. 9. Reason for any delay No delay reason identified at this stage. 10. Further updates [next update timing] Review note: Submit the required security compromise notification through the Information Regulator channel and update the notification as more information becomes available. Keep an internal incident record, evidence of containment, and copies of communications to data subjects.
1. What Constitutes a Data Breach Under POPIA
- Under Section 22, a security compromise occurs when there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person
- This includes unauthorised access to, destruction of, loss of, alteration of, or disclosure of personal information
- Breaches can be caused by cyberattacks, employee negligence, theft of devices, accidental disclosure, or system failures
- Both the responsible party and any operator (third-party processor) must be vigilant in identifying potential compromises
2. Notification Obligations (Section 22)
- The responsible party must notify both the Information Regulator and the affected data subjects when a security compromise has occurred (Section 22(1))
- Notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures necessary to determine the scope of the compromise (Section 22(2))
- The notification must include: a description of the possible consequences, a description of the measures taken or proposed to address the compromise, a recommendation of what the data subject can do to mitigate possible adverse effects, and the identity of the unauthorised person who may have accessed the information, if known (Section 22(4))
- Notification must be in writing and communicated by mail, email, or placement on the responsible party's website if individual notification is not reasonably possible (Section 22(5))
- The Information Regulator may direct the responsible party to publicise the compromise if it would serve to protect the data subjects (Section 22(6))
3. Breach Response Timeline
- Immediately upon discovery: activate the incident response team and begin containment measures
- Within 24-48 hours: complete initial assessment of the scope, nature, and severity of the breach
- As soon as reasonably possible: notify the Information Regulator and affected data subjects as required by Section 22 (POPIA does not prescribe a fixed number of days, but the Information Regulator has indicated that delays must be justified)
- Ongoing: continue investigation, implement remediation measures, and provide updates to the Information Regulator as required
- Post-incident: conduct a thorough review and update security measures to prevent recurrence
4. Incident Response Team Roles
- Information Officer: overall responsibility for compliance, liaison with the Information Regulator, and oversight of the response
- IT/Security Lead: containment of the breach, forensic investigation, and implementation of technical remediation
- Legal Counsel: assessment of legal obligations, preparation of notifications, and management of legal risk
- Communications Lead: preparation and distribution of notifications to data subjects and, where necessary, public communications
- Senior Management: strategic decision-making, resource allocation, and sign-off on key actions
5. Containment and Assessment Steps
- Isolate affected systems to prevent further unauthorised access or data loss
- Preserve evidence for forensic investigation (do not delete logs or alter affected systems)
- Determine the type of personal information compromised and the number of data subjects affected
- Assess the likely consequences for affected data subjects (identity theft risk, financial loss, etc.)
- Identify the root cause of the breach and take steps to address it
- Consider using VerifyNow to verify identities of anyone claiming to be affected by the breach before sharing information about the incident
6. Post-Breach Review and Remediation
- Conduct a thorough post-incident review to identify lessons learned
- Update security measures, policies, and procedures based on findings
- Provide additional training to staff on data protection and breach prevention
- Review and update operator (third-party processor) agreements if the breach involved an operator
- Document all actions taken during and after the breach for regulatory and audit purposes
- Test the updated breach response plan to ensure it addresses the gaps identified