You have probably given a blood sample at a Lancet collection point in the last few years. Most South Africans have. Picture, for a moment, that one morning a year from now you open an email saying the pathology data attached to that visit may have been accessed by an unauthorised third party — and that nobody got around to telling you at the time. The breach is one thing. The silence is what stays with you.
That, in essence, is why the Information Regulator went after Lancet Laboratories. The breaches mattered, but the part the regulator chose to act on was something else: the failure to notify the regulator and the affected people within a reasonable time. The R100,000 the company eventually paid was, on the regulator’s own published reasoning, a fine for that failure, not for the breaches themselves.
Now stay with that, but switch sides of the desk.
The compliance test isn’t whether you get breached. It’s the first eight hours after you notice.
It is 9:14 on a Monday morning. Your IT lead has just put their head into your doorway to say that something unusual showed up in the logs over the weekend. They are not yet certain whether it is a real incident or a misconfigured tool. They are eight to twelve hours away from being sure.
What happens in those eight hours is the question the regulator is increasingly interested in. Section 22 of POPIA requires that, where there are reasonable grounds to believe the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects. Section 22(2) sets the timing: “as soon as reasonably possible” after the discovery of the compromise, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and restore the integrity of the information system. The phrase does the work. It is deliberately not a hard deadline, because the Act itself recognises that the first hours of an incident are often a fog and that scoping takes time. But it is also not “when we’ve cleaned up and put together a press release.” It is closer to: do it as fast as a competent business handling itself responsibly would.
Most companies have a plan for getting a breach contained. Many fewer have a plan for getting one disclosed.
Lancet’s fine wasn’t really about money. It was about the published pattern.
The R100,000 administrative fine is not a meaningful number on its own. It is small enough that most businesses of any size could absorb it without a board conversation. What the fine actually represented was the punctuation at the end of a process: a regulator-published compliance assessment, an enforcement notice, a refusal to comply, an infringement notice, a fine, and a press statement noting the fine had been paid. The cost was not the cash. It was the trail.
That trail is now part of how the regulator says it intends to operate. In its 2025/26 Annual Performance Plan, presented to Parliament on 5 May 2026, the Information Regulator named banking, insurance, health, retail, and telecommunications as priority sectors for targeted assessments — meaning sector-wide, proactive scrutiny rather than waiting for individual complaints to come in. The pattern Lancet’s case established is, increasingly, the operating model for whole industries.
For a business inside one of those sectors, the question reframes itself. It is not “will we be looked at?” The question is: if we are, what does the assessor find?
A notification protocol is shorter than you think — and more revealing than you’d expect.
A workable internal breach-notification protocol does not need to run to twenty pages. The parts that matter are unglamorous and answerable in a few sentences. Who in the business is empowered to declare that an incident has occurred — not who runs the response, but who makes the call to start the clock. By when after that declaration does the regulator get notified, and on what evidence. By when after that do affected people get notified, and through which channel. Who signs off on the wording of those notifications. What we say to the regulator when we don’t yet have all the answers. What we say to affected people when the same is true.
What makes those questions revealing is that answering them honestly forces a business to confront whether it actually has the underlying capabilities. You cannot notify the regulator within the window your own protocol sets, say forty-eight hours, if you don’t know which database held the affected records. You cannot tell customers what was exposed if your data inventory is two years out of date. You cannot decide whether to declare an incident if there is no agreed threshold for what counts.
A protocol that looks paper-thin on the page is often the visible end of months of operational work. That is the work.
The procurement teams figured this out before the regulators did.
Enterprise procurement questionnaires have been asking about incident response capability for a few years now — not because regulators told them to, but because they learned the hard way that an organisation’s behaviour in the first hours of a breach predicts the quality of the relationship that follows. The question that has been migrating into security questionnaires is some version of: walk us through what would happen, hour by hour, if you discovered a compromise tomorrow.
Companies that have a clean answer to that question tend also to have shorter sales cycles, fewer escalations, and renewal conversations that take a third of the time. The capability is the same one section 22 is asking for. Building it once serves both purposes.
This is the part of compliance that nobody calls compliance. It is the operational maturity customers can feel — the sense that this is a business that knows where its data is, what would happen if something went wrong, and who would say what to whom. The regulator’s enforcement model is not a tax on that work. It is, increasingly, an audit of it.
The question that lingers after the Lancet story is not whether your business is going to be breached. It probably is, eventually. Most businesses of meaningful size will see at least one notifiable security compromise in the next five years. The question is what the regulator and your customers see in the eight hours after.
This week, if you do nothing else, find out who in your business has the authority to declare that an incident has occurred. Not theoretically, as a line in the policy, but concretely: on a Monday morning, at 9:14, with the IT lead in your doorway. If the answer is unclear, you are closer to Lancet’s position than to the one you would prefer.