On April 7, 2025, South Africa’s Information Regulator announced a new requirement for organizations to report data breaches—referred to under local law as “security compromises”—via an online eServices Portal. The announcement marks a significant procedural shift in how companies must comply with the Protection of Personal Information Act, 2013 (“POPIA”), South Africa’s data protection framework.

The move to a digital platform aligns South Africa with international trends toward streamlined breach reporting mechanisms. For companies that process personal information using means located in South Africa—whether or not they are headquartered in the country—this development highlights the importance of understanding when and how POPIA may apply. Foreign-based companies that rely on South African infrastructure, service providers, or operations to process data should review whether their activities fall within POPIA’s extraterritorial scope.

POPIA and the Concept of a “Security Compromise”

POPIA defines a “security compromise” broadly as any unauthorised access to, or acquisition of, personal information. While this may sound similar to the concept of a “data breach” in the EU General Data Protection Regulation (“EU GDPR”), the terminology and legal framework in South Africa differ in several key respects.

Under POPIA:

  • A “responsible party” (analogous to a data controller in EU or UK data protection law) is the person or entity that determines the purpose and means of processing personal information
  • An “operator” (akin to a data processor) is a third party that processes information on behalf of the responsible party under contract
  • Both responsible parties and operators must take “appropriate, reasonable technical and organisational measures” to safeguard personal information and prevent unauthorised access, damage, loss or destruction

If a responsible party has reasonable grounds to believe a security compromise has occurred, they are required to notify both the Information Regulator and the affected data subjects as soon as reasonably possible.

The notification to data subjects must include:

  • A description of the possible consequences of the breach
  • A description of the measures taken or to be taken by the responsible party to address the breach
  • Recommendations on how data subjects can mitigate potential adverse effects
  • If known, the identity of the unauthorised person who may have accessed or acquired the personal information

There are limited exceptions that allow a delay in notification—for example, where immediate notice would impede a criminal investigation by law enforcement.

New Reporting Mechanism: eServices Portal

The Information Regulator’s new online eServices Portal serves as the official platform for submitting breach notifications. It is still unclear whether reporting via the official platform fully replaces the use of Form SCN1, the Information Regulator’s prescribed form for manually reporting security compromises, first released in 2023, but Information Officers are encouraged to submit their reports digitally via the portal going forward.

According to the Information Regulator’s announcement, the portal aims to:

  • Simplify the submission process for Information Officers, a statutory role under POPIA assigned to a senior individual within an organization and functionally comparable to a Data Protection Officer under the EU GDPR and similar global frameworks
  • Improve the Regulator’s ability to monitor and respond to breach notifications
  • Standardize the quality of information submitted in response to security incidents

Does POPIA Apply to Foreign-Based Organizations?

Although POPIA does not explicitly provide that it has extraterritorial application, its reach extends beyond South African borders in certain instances. A company that is not domiciled in South Africa may still be subject to POPIA if it makes use of automated or non-automated means in the country to process personal information, unless those means are used solely for transit through the country.

The potential extraterritorial scope means that foreign-headquartered companies may fall within POPIA’s regulatory ambit in scenarios such as:

  • Using South African-based vendors or IT infrastructure to store or process data
  • Outsourcing HR, payroll, or customer support functions to South African service providers

In these situations, such companies may be required to inter alia:

  • Comply with POPIA’s principles, including security safeguards and breach notification requirements
  • Designate an Information Officer to inter alia serve as a point of contact for the Information Regulator and affected data subjects

While POPIA shares similarities with frameworks such as the GDPR, including in its extraterritorial reach and underlying privacy principles, it also contains South Africa-specific obligations and enforcement mechanisms. Multinational organizations should therefore assess their exposure under POPIA independently and avoid relying solely on global privacy programs.

Implications and Next Steps

The rollout of the eServices Portal signals the Information Regulator’s continued efforts to operationalise POPIA and strengthen its enforcement infrastructure. It also underscores the expectation that organizations subject to POPIA take a proactive and structured approach to managing data breach responses.

For international organizations—particularly those without a physical presence in South Africa—this development is an opportunity to revisit how personal information from or about South African individuals is processed, stored, and secured. It may also be a trigger to assess whether POPIA compliance obligations apply, and whether existing incident response plans account for the nuances of local law.

If you have questions about the applicability of POPIA to your operations, breach notification obligations under South African law, or broader data governance strategies, Covington’s global privacy and cybersecurity team is available to assist.

* * *

If you have questions about the application of POPIA or broader privacy regulation across Africa, please contact Dan Cooper at dcooper@cov.com, Ben Haley at bhaley@cov.com, Deon Govender at dgovender@cov.com, Ahmed Mokdad at amokdad@cov.com, and Mosa Mkhize at mmkhize@cov.com. This article is intended to provide general information. It does not constitute legal advice.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Benjamin Haley

Ben Haley leads the firm’s White Collar and Anti-Corruption Practice in the Middle East and Africa and is a chair of the firm’s broader Africa Practice. With deep experience representing clients before regulators in high-profile white collar and disputes matters and a history operating on the ground in emerging markets, he helps clients assess and mitigate a wide range of complex legal and compliance risks.

Complementing his investigations and dispute resolution practice, Ben has a broad-based compliance advisory practice, helping clients proactively manage compliance risk in areas including anti-corruption, trade controls, anti-money laundering, fraud, and data privacy.

Ben represents corporate and individual clients in a wide range of investigations and disputes, including:

  • Investigations under the U.S. Foreign Corrupt Practices Act (“FCPA”).
  • Investigations into anti-money laundering, financial crimes, anti-terrorism, and sanctions and export control issues.
  • Securities fraud and accounting matters.
  • Board investigations and shareholder litigation.
  • Insurance recovery.

Ben also regularly advises clients on a range of regulatory compliance and corporate governance issues. His compliance advisory practice includes:

  • Performing risk and compliance program assessments.
  • Leading compliance reviews on business partners and assisting companies with third-party risk management processes.
  • Conducting forensic accounting reviews and testing and enhancing financial controls.
  • Advising on market entry, cross-border transactions, and pre-acquisition diligence and post-acquisition integration.
  • Assisting companies in designing, implementing, and maintaining best-in-class compliance programs.

In recent years, Ben has steered a number of clients to successful resolutions and declinations in complex FCPA and corporate fraud matters with the U.S. Department of Justice and Securities Exchange Commission. In his advisory practice, Ben has served as lead compliance counsel on a number of major M&A and investment transactions. He has developed special expertise assisting clients in leveraging technology in their compliance programs, including assisting one of the world’s largest consumer goods companies in the design and implementation of an award-winning compliance data analytics and monitoring system.

Ben has been described by the Chief Compliance Officer of one of his clients as “[a]n outstanding senior lawyer and advisor,” and “a guiding light for all things compliance advisory in Africa,” whose “advice is crystal clear, covers all angles and is business friendly.”

Deon Govender

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Deon’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Ahmed Mokdad

Ahmed Mokdad is an associate based in the Johannesburg office, and a member of the firm’s White Collar Defense and Investigations and Anti-Corruption Practice Groups, as well as the Privacy and Cyber Security Practice Group. With a depth of experience representing clients across various sectors, Ahmed regularly assists clients in navigating and mitigating a broad spectrum of regulatory and compliance risks.

Ahmed’s investigations practice includes internal and government investigations into anti-corruption, anti-money laundering, fraud, and financial crimes matters more generally. Complementing his investigations practice, Ahmed has a broad-based compliance advisory practice in these areas and in data protection and information security matters. This includes assisting clients in numerous sectors with compliance under South Africa’s Protection of Personal Information Act (POPIA).

Adding to his investigative, regulatory and compliance advisory experience, Ahmed has extensive experience advising on numerous M&A and complex financial transactions. He has also been involved in several high profile international arbitrations, and litigious matters before the South African courts relating to, among other things, commercial and tax disputes, exchange control violations, government procurement irregularities, and defending white collar crimes. This experience gives Ahmed valuable perspectives and insights when advising on compliance advisory matters.

For international clients facing compliance issues cutting into Africa, Ahmed regularly advises on a range of issues that can arise in such context, e.g., labor and employment considerations, legal professional privilege, whistleblower protections, corporate governance reporting obligations, and control processes and protocols for engaging with government and law enforcement agencies. Ahmed is recognized by clients for providing practical advice and solutions on complex legal issues in ambiguous statutory regimes.

Mosa Mkhize

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across Africa. Mosa does so by leveraging close to two decades of experience in international trade, public policy and government affairs.

Mosa assists clients on a broad range of issues including advocacy, strategic policy, regulatory, and dispute resolution advice in various sectors, including technology, energy and life sciences. In addition to this, Mosa’s capabilities include building strategic relationships and coalitions in support of smart technologies. Furthermore, she is currently working with government officials, private corporations, academia, and the general public on the development of regulations and policies that will bring about an enabling environment for digital transformation and economic growth in Africa.