Authors: Rohan Isaacs and Tatum Govender

Less than 2 months after the commencement of the Protection of Personal Information Act (POPI), South Africa has suffered a massive data breach. Approximately 24 million individuals and 800 000 companies have had their personal information held by the credit bureau Experian hacked.

Under POPI, Experian is required to notify the Information Regulator. In addition, unless Experian has been notified by the Information Regulator or an authority investigating the crime not to do so, Experian is also required to notify every person and company whose personal information has been compromised.

Dealing with such a large loss of data, and so many affected data subjects, is plainly no easy task. The organisation will have complex legal obligations towards the public and, at the same time, needs to ensure that it avoids actions that result in unnecessary liability.

Data breaches are becoming more frequent in nature. This highlights the critical need for companies to adopt robust data breach response plans, which have been tested, so that their reaction is swift, compliant and coordinated. Part of this plan is to thoroughly analyse corporate data to intrinsically understand what data the organisation has and where that data is. This allows organisations to quickly assess the information lost, and who the affected data subjects are. Organisations should do this as soon as possible, and as part of a full POPI compliance exercise.

There are reports that the perpetrator of the Experian hack has been caught. Currently, South Africa does not have a comprehensive law regulating cybercrimes. The Cybercrimes Bill has been passed in Parliament, and is currently awaiting the President’s signature. This Bill creates specific offences, including hacking, and imposes additional reporting obligations on financial institutions.
The Experian hacker will have to be prosecuted under existing and rather outdated laws. However, once the Cybercrimes Bill is in force, prosecution of these crimes should become significantly more effective.

***Rohan Isaacs and Tatum Govender advise clients on all aspects of POPI including POPI compliance, running POPI compliance and awareness programmes and advising on data breaches and they have experience with the GDPR. 

For more information contact Rohan Isaacs and Tatum Govender, Technology, Privacy and Cyber team, Herbert Smith Freehills South Africa LLP:


Rohan Isaacs
Rohan Isaacs
Director, Johannesburg
+27 10 500 2667
Tatum Govender
Tatum Govender
Associate, Johannesburg
+27 10 500 2665