Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 31 December 2024

Yes.

☒      general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

         obligation to take specific security measures e.g., encryption

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 31 December 2025

No. Section 54 of the Cybercrimes Act provides that electronic communications service providers or financial institutions that are aware or become aware that their electronic communications service or electronic communications network is involved in the commission of any category or class of offences in the Cybercrimes Act, must—

  • without undue delay and, where feasible, not later than 72 hours after having become aware of the offence, report the offence in the prescribed form and manner to the South African Police Service; and
  • preserve any information which may be of assistance to the South African Police Service in investigating the offence.

Section 54 of the Cybercrimes Act has not yet come into force.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Yes. The Information Regulator has issued enforcement notices and imposed administrative fines in 2024 relating to contraventions of POPIA in the context of data breaches. The Information Regulator also issued enforcement notices in 2024 pertaining to contraventions of PAIA.

       Data privacy

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 31 December 2024

Yes.

Controllers/Owners have to notify:

Last review date: 31 December 2024

Yes. Controllers/owners are required to notify data subjects and the Information Regulator of all security breaches.

        data protection authorities

        affected individuals

Processors/Agents have to notify:

Last review date: 31 December 2024

Processors are required to notify controllers of security breaches in respect of any personal information processed on behalf of a controller.

☒      controller/ owner

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 31 December 2024

No.