South Africa: Regulator publishes guidelines and form for security compromise notifications

The Information Regulator ('the Regulator') announced, on 12 August 2022, that it had published guidelines on how responsible parties must complete the form for notifying the Regulator of a security compromise in terms of Section 22 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). In particular, the guidelines outline how responsible parties and information officers or deputy information officers may complete the security compromise notification form. More specifically, the guidelines provide a step-by-step guide to the process to be followed, starting with the responsible party notifying the Regulator of any security compromise as soon as possible after it occurs, using the notification form, and including in that form the reason for delay of notification to the data subjects. Furthermore, the guidelines state that the responsible party must notify data subjects, unless their identity cannot be established.

In addition, the Regulator noted that use of the form is effective immediately and that failure to use it may result in the notification being regarded as non-compliant.

You can read the guidelines here and the form here.