Data breaches in South Africa have surged despite five years of enforcing the country’s privacy law, raising questions about whether companies are doing enough to protect personal information.
The Information Regulator received 2 374 security breach notifications during the 2024/25 financial year, averaging almost 200 incidents every month. Between April and November 2025 alone, a further 1 947 notifications were received, representing a 40% increase in reported security compromises.
The rising numbers come despite increased compliance efforts since the Protection of Personal Information Act (POPIA) became fully enforceable in 2021. Most organisations have appointed Information Officers and implemented privacy policies, yet breaches continue to climb.
The cost of getting it wrong is substantial. IBM’s 2025 Cost of a Data Breach Report found that the average cost of a breach in South Africa is R44.1 million, far exceeding POPIA’s maximum administrative fine of R10 million.
Compliance does not equal protection
Muhammad Ali, managing director of ISO standardisation specialist World Wide Industrial & Engineering Systems, says the issue is no longer simply one of compliance, but accountability.
“Most organisations understand what POPIA requires. The real question is whether their controls and governance frameworks are actually effective,” he said.
Ali believes many organisations continue to treat compliance as an administrative exercise rather than an ongoing governance responsibility.
“Many businesses have privacy policies, compliance documentation and Information Officers in place, but that does not necessarily mean personal information is properly protected,” he said. “Policies alone do not prevent data breaches. Accountability, ownership, monitoring and continual improvement do.”
Reputational damage exceeds financial costs
The risk environment is also intensifying. Organisations process increasing volumes of personal data while cyber threats become more sophisticated. Customers, regulators, investors and business partners are demanding greater transparency and stronger governance.
“While the financial impact of a breach is significant, the reputational damage is often more severe,” Ali said. “Once trust is lost, it is extremely difficult to rebuild.”
Organisations that fail to adequately protect personal information face legal action, operational disruption, regulatory scrutiny, higher insurance costs and reputational damage. Public breaches can also erode customer confidence and investor sentiment.
Enforcement alone cannot solve the problem
POPIA provides for fines of up to R10 million and criminal penalties of up to 10 years’ imprisonment for serious offences, including failure to comply with enforcement notices or obstructing the Information Regulator.
However, Ali says enforcement alone cannot solve the problem.
“A regulator cannot monitor every organisation every day,” he said. “Accountability must sit inside the organisation, with boards, executives, Information Officers and operational leaders responsible for protecting personal data.”
Many organisations still treat information governance as an IT or compliance function rather than a core business priority, he added.
“Privacy and security must be embedded in leadership, performance and risk management. Without accountability at that level, compliance becomes reactive rather than proactive.”
International standards offer structured approach
Internationally recognised standards such as ISO 27001 and ISO 27701 are becoming increasingly relevant, providing structured frameworks to implement, monitor and continually improve information security and privacy controls.
Ali notes that POPIA-aligned governance programmes and ISO certification can take one to three years from gap assessment to certification, with costs ranging from around R100 000 to more than R250 million, depending on organisational size and complexity.
“Organisations should view this as an investment,” he said. “The financial, operational and reputational impact of a major cyber breach can far exceed the investment required.”
Several South African organisations have already moved beyond basic compliance. Discovery has publicly highlighted its privacy governance framework and customer privacy controls, while technology company Sybrin has achieved ISO 27001 certification.
Certification provides independent third-party assurance that controls are not only documented, but operating effectively.
“Stakeholders want evidence that risks are understood, controls are in place, and those controls are effective,” Ali said.
As cyber threats and regulatory scrutiny intensify, organisations with strong governance, leadership accountability and recognised standards will be best positioned to protect personal information and strengthen trust.
“Five years on, the challenge is no longer understanding POPIA, but proving accountability,” he said. “Those that can demonstrate they protect personal information will be better positioned to manage risk, protect their reputation and secure stakeholder confidence.”
ALSO READ: Matric results to be published in newspapers, education department confirms





