Security, breaches & governance

Data breaches: section 22 notification, the portal, and the clock

Notify the Regulator and affected people as soon as reasonably possible — via the eServices portal, with no materiality threshold.


Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
Where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, section 22 obliges you to notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovery. Since 1 April 2025, Regulator notification is mandatory through its eServices portal; there is no materiality threshold — all compromises must be reported — and you must not wait for the forensic investigation to finish before reporting.

What triggers the duty?

Section 22(1): where there are reasonable grounds to believe that personal information “has been accessed or acquired by any unauthorised person”, you must notify the Regulator and the affected data subjects (unless their identity cannot be established). Note the threshold — reasonable grounds to believe, not forensic certainty. The hacked mailbox, the stolen laptop, the misdirected bulk email, the rogue employee in the CRM: each crosses it. Your operators must tell you immediately (s 21(2)) — their discovery starts your analysis.

The clock: as soon as reasonably possible

Source — the actual words

“as soon as reasonably possible after the discovery of the compromise”

Note — The only permitted delays: legitimate needs of law enforcement, and measures reasonably necessary to determine the scope of the compromise and restore your systems’ integrity. POPIA has no 72-hour rule like the GDPR — “as soon as reasonably possible” can be sooner.

Protection of Personal Information Act 4 of 2013, s 22(2) (Department of Justice, PDF)

And the Regulator has killed the wait-for-forensics instinct in terms: “an investigation into a security compromise does not need to be completed before it is reported... report the security compromise as soon as reasonably practicable based on the information at hand, and then... update the notification as further information comes to light.”

The eServices portal — and the no-threshold rule

Two 2025 developments hardened the practicalities:

Source — the actual words

“as of 01 April 2025, is mandatory for all organisations to report any security compromises using the portal, rather than via email”

Media statement: mandatory eServices portal reporting of security compromises, Information Regulator, 7 April 2025 (PDF)

Source — the actual words

“POPIA does not have a threshold for reporting of security compromises. All security compromises must be reported by the responsible party irrespective of the deemed level of risk.”

Fact Sheet: Handling of Security Compromises, Information Regulator, 19 August 2025

Practical upshot: register on the eServices portal before you need it (your information officer needs portal credentials anyway), and strike “too small to report” from the incident playbook.

What the notification must say

Section 22(5): enough to let data subjects protect themselves against the potential consequences — including a description of the possible consequences, the measures you have taken or will take, the steps you recommend they take (change passwords, watch accounts, fraud alerts), and the identity of the intruder if known. Write it for the reader, not the lawyer: the notification’s legal function is enabling protective action.

The breach plan to have ready

  • Who decides: the information officer + escalation chain, named, with after-hours contacts
  • eServices portal access: registered, credentials current, tested
  • Operator notification clauses in place (s 21(2)) — their "immediately" feeds your clock
  • Draft data-subject notice on file: consequences / measures / recommended steps / contact point
  • Containment-vs-notification discipline: contain and scope, but never let forensics delay the report
  • Log everything — discovery time, decisions, notifications — the record is your defence

Failure to notify is itself a breach that features in nearly every enforcement notice to date — Dis-Chem, SAPS, TransUnion, the IEC, Lancet Laboratories. Lancet’s R100 000 fine (paid) grew specifically from repeated unreported compromises. See the enforcement tracker.

Frequently asked questions

Must a small breach affecting one person be reported?

Yes. The Regulator’s Fact Sheet is explicit: "POPIA does not have a threshold for reporting of security compromises. All security compromises must be reported by the responsible party irrespective of the deemed level of risk."

Ransomware encrypted our data but we found no evidence of exfiltration — report?

Section 22 triggers on reasonable grounds to believe information was accessed or acquired by an unauthorised person. An intruder who could encrypt your data accessed your systems — report on what you know, and update as forensics clarify.

How do we notify the affected people?

Section 22(4) channels: mail, email, prominent publication on your website or in the media, or as the Regulator directs — chosen to actually reach the data subjects. The content must let them protect themselves.

Can we wait for the forensic report before notifying?

No. The Regulator: "an investigation into a security compromise does not need to be completed before it is reported... report the security compromise as soon as reasonably practicable based on the information at hand, and then... update the notification as further information comes to light."

What happens if we don’t notify?

Failure to notify features in nearly every enforcement notice to date — Dis-Chem, SAPS, TransUnion, the IEC, Lancet. Lancet’s R100 000 fine grew specifically from repeated unreported compromises.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
