Communication and notification requirements are essential steps when managing data breaches. These rules guide how and when to inform affected people, authorities, and others. Following these steps helps reduce harm, meet legal duties, and maintain trust.

In South Africa, the Protection of Personal Information Act (POPIA) sets clear obligations on communication after a data breach. If personal information is lost or accessed without permission, organisations must assess whether the breach poses a risk to the rights of those affected.
If the risk is high, notification must happen without delay. This means:
This timely communication allows affected individuals to take protective action, such as changing passwords or monitoring accounts.
Good communication does not stop at notification. Organisations should keep communicating updates to the Information Regulator and affected people during the investigation and recovery process. Transparency builds trust and supports better incident management.
In summary, communication and notification requirements are not just legal duties but practical steps to protect individuals and reduce damage after a data breach. Organisations with strong incident response plans include clear communication procedures aligned with POPIA.
Live Scenario • Active Situation
You are the Data Privacy and Protection Officer at a mid-sized South African company handling a recent data breach.
There is no single perfect answer. Choose what you would do in this situation.