
Security safeguards: where the real POPIA risk sits

Appropriate, reasonable measures — identified, maintained, verified and updated. The R5m DoJ fine was for lapsed security licences.


Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
Section 19(1) requires appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction and unlawful access. Section 19(2) makes it a cycle: identify reasonably foreseeable risks, establish and maintain safeguards, regularly verify they are effectively implemented, and keep them updated. The standard is risk-based and proportionate — and failing the basics is what attracts fines: the Department of Justice’s R5 million fine traced to security licences that lapsed in 2020 and were never renewed.

The standard: appropriate, reasonable — and yours

Source — the actual words

“A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent— (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.”

Protection of Personal Information Act 4 of 2013, s 19(1)

Look at the enforcement record: most actions have been about security failures and breach handling, not about processing without consent. This is the part of POPIA to spend money on. “Technical and organisational” means firewalls and training, encryption and access policies — the password taped to the monitor defeats the best perimeter.

The section 19(2) cycle

Section 19(2) spells out a management cycle, not a shopping list: identify all reasonably foreseeable internal and external risks; establish and maintain appropriate safeguards against them; regularly verify that the safeguards are effectively implemented; and ensure they are continually updated in response to new risks and deficiencies. The verbs are continuous — a security posture is something you run, not something you bought. Regulation 4 adds the organisational layer: a compliance framework and a personal information impact assessment, owned by your information officer.

The R5 million lesson: lapsed licences

The Department of Justice and Constitutional Development was fined R5 million — the first POPIA fine — after the Regulator found its SIEM, intrusion-detection and antivirus licences had lapsed in 2020 and were never renewed, contributing to the September 2021 ransomware loss of about 1 204 files; the Department then failed to comply with the enforcement notice. Read that sequence carefully: the fine punished not the sophistication of the attacker but the mundanity of the failure — renewals nobody owned, followed by a notice nobody actioned. Both failures are organisational, and both are cheap to avoid. The full record is on the enforcement tracker.

The basics that decide cases

  • Patch and update — operating systems, applications, firmware; on a cadence, with an owner
  • License and renew security tooling — antivirus, monitoring, intrusion detection (the DoJ failure)
  • Control access — need-to-know permissions, MFA on remote and admin access, leavers removed same-day
  • Back up and test restores — ransomware turns untested backups into decoration
  • Train people — phishing remains the front door; TransUnion fell to a weak password
  • Contract your operators (s 21) and verify their measures — their breach is your accountability
  • Run the regulation 4 personal information impact assessment and keep it current
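As an added illustration, not part of the article or of any firm's own tooling, the following Python script walks a register of safeguards and reports what the section 19(2) cycle asks you to catch: controls with no owner, licences that have lapsed or are about to, and controls whose effectiveness has not been verified within the cadence you set for them. The register, the review date and the cadences are constructed sample values; the field names and thresholds are assumptions for the example, not anything POPIA prescribes.

```python
"""Verification pass over a safeguards register, modelled on the
section 19(2) cycle (identify, establish and maintain, verify, update).
All entries below are constructed sample data, not a real inventory."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Review date is fixed so the run is reproducible (constructed value).
AS_OF = date(2026, 3, 1)
RENEWAL_WARNING = timedelta(days=30)   # assumed lead time for renewals


@dataclass
class Safeguard:
    name: str
    owner: Optional[str]            # who is responsible for renewals/reviews
    expires: Optional[date]         # licence or subscription expiry, if any
    last_verified: Optional[date]   # last evidence the control was effective
    verify_every_days: int          # verification cadence, scaled to risk


# Constructed register: the SIEM entry mirrors the "lapsed licence" failure
# described above; the others show the remaining checks.
REGISTER: List[Safeguard] = [
    Safeguard("SIEM licence", None, date(2025, 12, 31), date(2025, 6, 1), 90),
    Safeguard("Antivirus subscription", "IT lead", date(2026, 3, 20),
              date(2026, 2, 15), 30),
    Safeguard("Offsite backups (restore test)", "Ops", None, None, 90),
    Safeguard("MFA on remote access", "IT lead", None, date(2026, 2, 1), 90),
]


def review(register: List[Safeguard] = REGISTER,
           today: date = AS_OF) -> List[Tuple[str, str]]:
    """Return (control name, finding) pairs for everything that needs action.

    A control can produce several findings; a clean control produces none.
    """
    findings: List[Tuple[str, str]] = []
    for s in register:
        # Establish and maintain: every control needs a named owner.
        if s.owner is None:
            findings.append((s.name, "no owner"))
        # Maintain: catch lapsed licences before they lapse, not after.
        if s.expires is not None:
            if s.expires < today:
                findings.append((s.name, f"lapsed on {s.expires.isoformat()}"))
            elif s.expires - today <= RENEWAL_WARNING:
                findings.append((s.name, "expires within 30 days"))
        # Verify: evidence of effectiveness within the agreed cadence.
        if s.last_verified is None:
            findings.append((s.name, "never verified"))
        else:
            age = (today - s.last_verified).days
            if age > s.verify_every_days:
                findings.append((s.name, f"verification overdue ({age} days)"))
    return findings


def lapsed_controls(register: List[Safeguard] = REGISTER,
                    today: date = AS_OF) -> List[str]:
    """Names of controls whose licence has already lapsed (the DoJ pattern)."""
    return [s.name for s in register
            if s.expires is not None and s.expires < today]


if __name__ == "__main__":
    for name, finding in review():
        print(f"{name}: {finding}")
```

Run it on a cadence (a monthly scheduled job is the usual choice) and keep the output: the printed findings, with dates, are the kind of record that answers "regularly verify" far better than an installation date from years ago.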

When prevention fails anyway, the next provision takes over — section 22 breach notification, where the enforcement record shows the second, often costlier, failure happens.

Frequently asked questions

Does POPIA require ISO 27001 or any specific standard?

No. The standard is "appropriate, reasonable technical and organisational measures", risk-based and proportionate — informed by generally accepted practices for your sector. Frameworks like ISO 27001 or the CIS controls are evidence of reasonableness, not statutory requirements.

Is encryption mandatory?

Not by name. But for sensitive data at scale, encryption at rest and in transit is what "appropriate and reasonable" looks like in 2026 — its absence after a breach is hard to defend.

How often must safeguards be verified?

Section 19(2)(c) requires regular verification that safeguards are effectively implemented — patch audits, access reviews, restore tests, penetration tests scaled to your risk. "We installed it in 2021" is not verification.

Does a small business need the same security as a bank?

No — proportionality is built into the standard. A small firm needs the basics done consistently: patched systems, licensed security software, MFA, backups, access on need-to-know. What it cannot do is nothing.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
