Data Breaches Under POPIA and GDPR: What You Must Do When It Happens
What to do when a data breach happens. POPIA and GDPR breach notification requirements, step-by-step response, and how to reduce regulatory and reputational damage.
The first 72 hours after a data breach are critical
A data breach is not just a cyberattack. It includes a staff member emailing client data to the wrong person, a stolen laptop with an unencrypted hard drive, a cloud storage folder set to public by mistake, or a phishing email that a team member clicked. Under both POPIA and GDPR, how you respond — and how quickly — will determine the outcome.
What counts as a data breach?
Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data: ransomware or hacking; accidental email to wrong recipient; lost or stolen device with unencrypted records; cloud storage misconfiguration; insider misuse; or theft of paper records.
GDPR: the 72-hour rule
Under GDPR, you must notify your supervisory authority within 72 hours of becoming aware of a breach — unless the breach is unlikely to result in risk to individuals. This is a hard deadline. If you determine notification is not required, you must still document your reasoning.
POPIA: notification requirements
POPIA requires you to notify the Information Regulator and affected data subjects "as soon as reasonably possible" after becoming aware of a breach likely to result in harm. The Information Regulator's guidance aligns with the 72-hour standard in practice.
When must you notify affected individuals?
When the breach is likely to result in high risk (GDPR) or harm (POPIA) to individuals — particularly any breach involving sensitive data, any breach that could enable identity theft or fraud, and any breach involving a large number of people.
Step-by-step breach response
- Contain (0–2 hours): Revoke compromised account access, take affected systems offline if needed, recall misdirected emails if possible. Preserve evidence — do not wipe devices before documenting.
- Assess (2–24 hours): Determine what data was affected, how many individuals, how the breach occurred, whether data was encrypted, and likely consequences. Document everything.
- Decide on notification (24–48 hours): Determine whether regulatory notification is required. If unsure, err on the side of notifying.
- Notify the regulator (48–72 hours): Submit your breach notification — Information Regulator portal (SA) or ICO breach reporting tool (UK/EU). Include: nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken.
- Notify individuals if required (post-72 hours): Send a plain-language notification explaining what happened, what data was involved, what you are doing about it, and what individuals can do to protect themselves.
Build a breach response plan now
Create a one-page procedure covering: who manages a breach, how to report one internally, the 72-hour notification deadline, regulator contact details, and a list of the personal data you hold and where it lives. Test it once a year — even a 30-minute tabletop exercise reveals gaps.
Reducing your breach risk
- Enable multi-factor authentication on all business accounts
- Encrypt devices and portable storage
- Train staff to recognise phishing — still the most common attack vector
- Limit access — staff should only see the personal data they need for their role
- Revoke access promptly when staff leave