The information regulator published a Guideline on notification of security compromises to the information regulator in July 2020. The guideline explains the procedure responsible parties or information officers should follow to notify the regulator of a security compromise or data breach. Information security is an important part of your data protection plan. As a responsible party, you have a duty to data subjects to protect their personal data from harm. We’ve summarised the guideline for you and provided some insight into the actions you can take to align with it.

How to report a security compromise to the Information Regulator in South Africa?

You must report the security compromise through the Information Regulator’s eServices portal. On 1 April 2025, the Information Regulator launched an online reporting platform for security compromises. From that date, you cannot use the Security Compromise Notification Form mentioned below and in the guidelines.

The guideline also creates an obligation on operators, in some instances, to report a data breach to the responsible party.

Do not use the Security Compromise Notification Form (SCN1)

Objectives of the guideline on notification of security compromises

The guideline seeks to standardise the process of reporting a security compromise to the information regulator. For example, the guideline provides guidance to responsible parties, information officers or deputy information officers on how to notify the regulator of security compromises. The guideline is already in effect.

The regulator will consider a notification as non-compliant if you do not use the eServices portal to report a data breach.

What does the guideline cover?

The guideline is six pages long and provides information on the regulator’s process of dealing with security compromise notifications. The guideline stresses the mandatory nature of reporting a data breach to the regulator and the data subject. However, it still fails to provide guidance on what a reasonable timeframe for reporting a breach is. You must submit reasons to the regulator if you run into a delay in submitting your data breach notification within a reasonable time.

Guidelines on section 22 notification of security compromises or guidelines on completing section 22 security compromise notification form

This is the full title of the regulator’s guideline!

Actions you can take

  • Report a breach to the Information Regulator correctly by asking for our assistance as a breach coach.
  • Consider what impact the information regulator’s guidelines will have on your organisation by downloading them.
  • Submit your data breach notification correctly by reporting through the eServices portal.
  • Keep up to date with all the regulatory developments from the regulator by joining our programme.