In an important move to strengthen data protection compliance in South Africa, the Information Regulator has launched a new online platform for reporting security compromises. A security compromise, also referred to as a data breach, occurs when there is unauthorised access to or acquisition of, sensitive, protected or confidential data. The online platform came into effect on 1 April 2025, making it mandatory for all public and private entities to report all data breaches through the Regulator’s eServices portal. Previously all reporting was done via an email-based submission method.
In terms of Section 22(1) of POPIA, organisations must notify the Regulator, and in most cases, the affected data subjects, when there are reasonable grounds to believe that personal information has been accessed or acquired by unauthorised parties.
The newly introduced Security Compromises reporting functionality is now live on the Regulator’s official eServices portal. Responsible parties must report security compromises without undue delay. A security compromise report must be submitted to the Information Regulator as soon as reasonably possible after the responsible party becomes aware of the compromise; and data subjects must be notified promptly.
In terms of Protection of Personal Information Act, 2013 (POPIA), the Regulator is attempting to keep abreast of technological advances in order to improve the efficiency, accuracy, and traceability of data breach notifications. The intention behind the implementation of the online platform is to streamline the reporting process and to improve the monitoring of security incidents.
To ease the transition, the Regulator has published a step-by-step guide to help Information Officers register and submit breach reports online. This guide is available on both the eServices portal and the Regulator’s website.