CATEGORIES
- (3) Negotiating Tax Debt and Payment Arrangements with SARS
- (2)Account / Profile
- (535)Accounting
- (2)Accounting and Finance
- (21)Audit
- (156)Auditing and Assurance
- (1)Business
- (1)Business Management
- (3)Business Rescue
- (94)CIPC
- (7)Compliance
- (18)Ethics and Professionalism
- (46)Financial Reporting
- (1)Government Funding Applications
- (4)Guides
- (1)Individuals Tax
- (19)Law
- (37)Legal and Compliance
- (2)Management
- (5)Miscellaneous
- (22)Money Laundering
- (1)Personal & Professional Development
- (2)Practice Management
- (2)Professional Ethics
- (3)Public Sector
- (145)Regulatory Compliance and Legislation
- (41)SARS Issues
- (26)Sustainability Reporting
- (33)Tax
- (1)Tax Update
- (5)Technology
- (1)Wills, Estates & Trusts
- Show All
Information Regulator: Reporting Security Compromises – Guide
- 16 September 2025
- Law
- South African Accounting Academy
Summary:
The Information Regulator has published a step-by-step POPIA guide on How to report Security Compromises on the eServices Portal.
Article:
South African organisations have been reminded that every security compromise must be reported to the Information Regulator, no matter how small. Under POPIA, there is no such thing as a “low-risk” breach.
Any incident where personal information is lost, leaked, stolen, or exposed, counts as a security compromise - whether by:
- Accident – sending an email to the wrong person or losing a laptop.
- Deliberate attack – hacking, fraud, insider mischief.
- Incidental events – theft, rioting, or hijacking where data is caught up.
- Negligence – weak passwords, no encryption, or leaving files unattended.
The Guide provides information about the following:
- Accessing the eServices Portal
- Navigating to the Security Compromises Reporting Process
- Reporting Options
- Selecting an Organisation
- Submitting the Report
- Viewing Your Reports
Who must report and when?
- The Information Officer (or Deputy) must notify both the Information Regulator and the affected individuals.
- If an operator (like a service provider) is involved, they must inform the responsible party immediately.
- Reports must be made as soon as you’re reasonably sure a breach occurred — you don’t need all the details first.
Earlier this year, the Information Regulator has launched a new eServices Portal to make reporting breaches faster, more secure, and fully POPIA-compliant. Refer to our previous Alert dated 30 April 2025
Click here to download the 9-page Guide:
https://inforegulator.org.za/wp-content/uploads/2025/05/stepbystepguide.pdf
Relevance to Auditors, Independent Reviewers & Accountants:
- POPIA is an important piece of legislation that your clients must comply with, and which you must assess compliance with. If they don’t comply with the relevant laws and regulations, you have certain reporting obligations in terms of NOCLAR (NOn-Compliance with Laws And Regulations) – this could include reporting to management, qualifying your audit opinion, reporting a Reportable Irregularity, etc.
- As an auditor, independent reviewer and accountant, you also need to be aware of Guides, media statements, enforcement notices, etc. that have been issued by/about the Information Regulator and its Enforcement Committee – especially regarding security and data breaches.
Relevance to Your clients:
- An entity (company or close corporation) should to be aware of Guides, media statements, enforcement notices, etc. that have been issued by/about the Information Regulator and its Enforcement Committee – especially regarding security and data breaches.