Dan Cooper, Benjamin Haley, Deon Govender, Ahmed Mokdad, and Mosa Mkhize of Covington and Burling write:
On April 7, 2025, South Africa’s Information Regulator announced a new requirement for organizations to report data breaches—referred to under local law as “security compromises”—via an online eServices Portal. The announcement marks a significant procedural shift in how companies must comply with the Protection of Personal Information Act, 2013 (“POPIA”), South Africa’s data protection framework.
The move to a digital platform aligns South Africa with international trends toward streamlined breach reporting mechanisms. For companies that process personal information using means located in South Africa—whether or not they are headquartered in the country—this development highlights the importance of understanding when and how POPIA may apply. Foreign-based companies that rely on South African infrastructure, service providers, or operations to process data should review whether their activities fall within POPIA’s extraterritorial scope.
POPIA and the Concept of a “Security Compromise”
POPIA defines a “security compromise” broadly as any unauthorised access to, or acquisition of, personal information.
Read more at Inside Privacy.