Legal & Compliance

Data Breaches Under POPIA and GDPR: What You Must Do When It Happens

What to do when a data breach happens. POPIA and GDPR breach notification requirements, step-by-step response, and how to reduce regulatory and reputational damage.

The first 72 hours after a data breach are critical

A data breach is not just a cyberattack. It includes a staff member emailing client data to the wrong person, a stolen laptop with an unencrypted hard drive, a cloud storage folder set to public by mistake, or a phishing email that a team member clicked. Under both POPIA and GDPR, how you respond — and how quickly — will determine the outcome.

What counts as a data breach?

Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data: ransomware or hacking; accidental email to wrong recipient; lost or stolen device with unencrypted records; cloud storage misconfiguration; insider misuse; or theft of paper records.

GDPR: the 72-hour rule

Under GDPR, you must notify your supervisory authority within 72 hours of becoming aware of a breach — unless the breach is unlikely to result in risk to individuals. This is a hard deadline. If you determine notification is not required, you must still document your reasoning.

POPIA: notification requirements

POPIA requires you to notify the Information Regulator and affected data subjects "as soon as reasonably possible" after becoming aware of a breach likely to result in harm. The Information Regulator's guidance aligns with the 72-hour standard in practice.

When must you notify affected individuals?

When the breach is likely to result in high risk (GDPR) or harm (POPIA) to individuals — particularly any breach involving sensitive data, any breach that could enable identity theft or fraud, and any breach involving a large number of people.

Step-by-step breach response

  1. Contain (0–2 hours): Revoke compromised account access, take affected systems offline if needed, recall misdirected emails if possible. Preserve evidence — do not wipe devices before documenting.
  2. Assess (2–24 hours): Determine what data was affected, how many individuals, how the breach occurred, whether data was encrypted, and likely consequences. Document everything.
  3. Decide on notification (24–48 hours): Determine whether regulatory notification is required. If unsure, err on the side of notifying.
  4. Notify the regulator (48–72 hours): Submit your breach notification — Information Regulator portal (SA) or ICO breach reporting tool (UK/EU). Include: nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken.
  5. Notify individuals if required (post-72 hours): Send a plain-language notification explaining what happened, what data was involved, what you are doing about it, and what individuals can do to protect themselves.

Build a breach response plan now

Create a one-page procedure covering: who manages a breach, how to report one internally, the 72-hour notification deadline, regulator contact details, and a list of the personal data you hold and where it lives. Test it once a year — even a 30-minute tabletop exercise reveals gaps.

Reducing your breach risk

  • Enable multi-factor authentication on all business accounts
  • Encrypt devices and portable storage
  • Train staff to recognise phishing — still the most common attack vector
  • Limit access — staff should only see the personal data they need for their role
  • Revoke access promptly when staff leave