Information Regulator: Fact Sheet on handling of Security Compromises
16 September 2025
Law
South African Accounting Academy
Summary:
The Information Regulator has published a Fact Sheet on handling of Security Compromises.
Article:
POPIA does not define a security compromise. In brief, a security compromise, also known as a data breach in other jurisdictions, is a compromise of the security, confidentiality, integrity or availability of personal information that leads to the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of, processing of or access to, personal information. This can lead to harm being suffered by data subjects.
POPIA does not have a threshold for reporting of security compromises. All security compromises must be reported by the responsible party irrespective of the deemed level of risk. The reporting requirement is mandatory. Responsible parties do not have a discretion regarding when or if to report a security compromise nor in respect of notifying affected data subjects.
The following is discussed in this handy summary:
What are some examples of security compromises?
What is considered a reasonable time within which to report a security compromise?
What should I do if a security compromise occurs?
What if I do not have all the information at hand when notifying the security compromise?
What should I write in my notification to the data subject?
How long should a notice of a security compromise remain on our website?
Relevance to Auditors, Independent Reviewers & Accountants:
POPIA is an important piece of legislation that your clients must comply with, and with which you must assess their compliance. If they don’t comply with the relevant laws and regulations, you have certain reporting obligations in terms of NOCLAR (Non-Compliance with Laws and Regulations); this could include reporting to management, qualifying your audit opinion, reporting a Reportable Irregularity, etc.
As an auditor, independent reviewer and accountant, you also need to be aware of Guides, media statements, enforcement notices, etc. that have been issued by/about the Information Regulator and its Enforcement Committee – especially regarding security and data breaches.
Relevance to Your clients:
An entity (company or close corporation) should be aware of Guides, media statements, enforcement notices, etc. that have been issued by/about the Information Regulator and its Enforcement Committee, especially regarding security and data breaches.