POPIA and Cybersecurity – From Policy to Practice

As cyberattacks and data breaches continue to rise in South Africa, compliance with the Protection of Personal Information Act (POPIA) is increasingly being measured not only by policies and procedures, but by whether organisations can demonstrate that their cybersecurity controls work in practice.
The number of reported security compromise incidents involving personal information continues to rise in South Africa. According to recent statements by the Information Regulator, more than 2 300 security compromise incidents were reported during the 2024/25 financial year, highlighting growing concerns around the protection of personal information.
Organisations across multiple sectors – from financial services and retail to legal services, property and government – have all been affected in recent years, reinforcing that cybersecurity and data protection risks now affect organisations across almost every sector.
At the same time, regulators are placing greater focus on whether organisations can demonstrate that they have implemented effective measures to safeguard personal information and manage cybersecurity risks, as required by POPIA.
For many businesses, this means POPIA compliance is no longer just about having policies and procedures in place. Increasingly, it is about whether their systems, controls and operational practices are capable of protecting personal information effectively.
While not all POPIA breaches are caused by cyber incidents, the increasing digital processing of personal information means effective cybersecurity controls have become a critical part of demonstrating POPIA compliance.
Why cybersecurity has become central to POPIA compliance
POPIA does not specifically prescribe which IT or cybersecurity controls organisations must implement. Instead, Section 19 of the Act requires responsible parties to take “appropriate, reasonable, technical and organisational measures” to protect personal information against loss, damage, unauthorised access or unlawful processing.
In practice, this means organisations must assess the risks associated with the personal information they hold and implement controls that are proportionate to those risks.
As more businesses rely on cloud platforms, remote working arrangements, digital onboarding processes and third-party service providers, personal information is increasingly processed and stored digitally. This has made cybersecurity an essential part of POPIA compliance.
For certain financial sector organisations, Joint Standard 1 of 2023 on IT Governance and Risk Management and Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience have reinforced regulatory expectations around IT governance, cyber resilience, operational controls, third-party oversight and incident response readiness.
Technical controls such as access management, encryption, monitoring tools and system updates help organisations protect personal information and identify suspicious activity at an early stage. Organisational measures such as staff awareness training, incident response plans and operator agreements help ensure these controls are implemented consistently and effectively.
Importantly, regulators are increasingly looking beyond policy documents to assess whether controls are functioning in practice. A well-written POPIA policy may create the right framework, but if employees share passwords, access rights are not properly managed or incidents go undetected for long periods, the organisation may still face significant compliance risk.
What recent breaches reveal
Recent breaches and cyberattacks affecting organisations such as Experian (2020), the Department of Justice (2021), Dis-Chem (2022), the National Health Laboratory Service (2024), Pam Golding (2025) and Standard Bank (2026) have highlighted the growing cybersecurity and data protection risks facing organisations across multiple sectors.
Although the circumstances differed, these incidents point to recurring risk areas such as access control, credential protection, monitoring, incident detection, system maintenance and third-party oversight.
The incidents have also reinforced the importance of having clear incident response and communication procedures in place to support timely and effective responses to security compromises. Under Section 22 of POPIA, organisations are required to notify the Information Regulator and affected data subjects as soon as reasonably possible after becoming aware that personal information has been accessed or acquired by an unauthorised person.
Another important lesson is that the Information Regulator is not only concerned with the breach itself, but also with whether reasonable safeguards were in place before the incident occurred. Organisations may therefore be required to demonstrate that they had assessed risks, implemented appropriate controls and maintained oversight of their systems and service providers, including third-party operators.
Common gaps between policy and practice
Many organisations have POPIA and information security policies in place, but there is often a disconnect between these documented requirements and the controls implemented in practice.
One of the most common issues relates to access management. Policies may state that access to personal information is restricted on a “need-to-know” basis, but in practice employees may still have excessive access rights, shared credentials may be used, or former employees’ accounts may remain active.
Another common gap is incident response readiness. While organisations often have breach response procedures on paper, many have never tested them in practice. As a result, when an incident occurs, there may be uncertainty about who is responsible, whether the incident must be reported, and how quickly notifications should be made.
Importantly, incident response readiness is increasingly becoming a compliance issue, particularly where organisations are required to notify the Information Regulator and affected data subjects following a security compromise.
Third-party oversight is another area of concern. POPIA requires responsible parties to ensure that operators processing personal information on their behalf maintain appropriate security measures. However, many organisations rely heavily on service providers without properly assessing or reviewing their cybersecurity controls.
Staff awareness also remains a significant challenge. Employees are frequently targeted by phishing emails and social engineering attacks, yet cybersecurity awareness training is often treated as a once-off exercise rather than an ongoing process.
Internal risks and human behaviour remain some of the most underestimated cybersecurity threats. Employee error, inappropriate access, phishing attacks and accidental disclosure of personal information continue to contribute significantly to POPIA-related incidents.
Practical steps businesses can take
Businesses do not necessarily need complex or expensive cybersecurity programmes to improve their POPIA compliance. In many cases, practical and consistent measures can significantly reduce risk.
Some important controls organisations should prioritise include:
• Implementing multi-factor authentication (MFA): MFA adds an additional layer of protection to systems and accounts and can significantly reduce the risk of unauthorised access resulting from compromised passwords.
• Reviewing user access regularly: Access rights should be reviewed periodically and updated when employees change roles or leave the organisation.
• Improving staff awareness: Regular training and phishing simulations can help employees recognise suspicious activity and understand their responsibilities when handling personal information.
• Testing incident response processes: Organisations should ensure they have clear procedures for identifying, escalating and responding to data breaches, including processes for notifying affected parties and the Information Regulator where required.
• Managing third-party risk: Businesses should assess service providers that process personal information on their behalf and ensure appropriate contractual and security measures are in place.
Understanding what personal information is held
Businesses should understand what personal information they hold, where it is stored, who has access to it and how long it is retained. This should include information stored on older or legacy systems, shared drives and archived records that may no longer be actively managed. This helps organisations apply appropriate controls and respond more effectively when incidents occur.
Importantly, POPIA’s requirement for “appropriate and reasonable” measures is based on proportionality. Smaller organisations are not expected to implement the same level of cybersecurity infrastructure as large financial institutions. However, this does not exempt them from compliance. The measures they implement should still be appropriate and reasonable, taking into account the nature, volume and sensitivity of the personal information they process.
Putting POPIA into practice
As businesses continue to process increasing volumes of personal information digitally, cybersecurity has become an essential component of POPIA compliance.
Recent enforcement action and data breaches have demonstrated that compliance is no longer measured only by the existence of policies and procedures, but by whether organisations can show that their controls work in practice.
By strengthening areas such as access management, staff awareness, incident response and third-party oversight, organisations can better protect personal information while also demonstrating a more proactive and defensible approach to POPIA compliance.