Licentia takes data incidents and security compromises seriously. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, Licentia will respond in accordance with POPIA, its internal governance controls, and any lawful requirements relating to investigation, evidence preservation, regulatory reporting, and remediation. POPIA section 22 requires notification where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person.

12.1 Identification and Internal Escalation of a Security Compromise

Where Licentia becomes aware of, suspects, or identifies a security compromise, incident, breach, loss, unauthorised access event, unauthorised disclosure, or unlawful acquisition of personal information, the matter must be treated as a priority compliance and governance incident.

Licentia may immediately escalate the matter internally to the Information Officer, Deputy Information Officer, relevant governance personnel, and where required, the Legal Department operated within MaxMind Group of Companies (Pty) Ltd, in order to assess the incident, contain risk, preserve evidence, and determine the scope and impact of the compromise.

12.2 Investigation, Containment, and Restoration

Upon discovery of a suspected or confirmed security compromise, Licentia may take such steps as are reasonably necessary to:

• identify the nature and cause of the incident;
• determine the categories of information affected;
• determine which data subjects or records may be affected;
• contain or isolate the compromise;
• prevent further unauthorised access, disclosure, loss, or misuse;
• restore the integrity and security of the affected system or records; and
• preserve evidence for governance review, lawful enforcement, insurance, or regulatory purposes.

POPIA allows notification to take account of measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

12.3 Notification to the Information Regulator and Data Subjects

Where POPIA requires notification, Licentia will notify:

• the Information Regulator; and
• the affected data subject, unless the identity of the data subject cannot be established.

POPIA requires that such notification be made as soon as reasonably possible after discovery of the compromise, taking into account the legitimate needs of law enforcement or measures reasonably necessary to determine scope and restore system integrity.

Licentia may delay notification to the data subject only where a public body responsible for the prevention, detection, or investigation of offences, or the Information Regulator, determines that notification will impede a criminal investigation.

12.4 Form and Method of Notification

Where notification to a data subject is required, Licentia will give such notification in writing and may communicate it by one or more lawful methods, including:

• to the data subject’s last known physical address;
• to the data subject’s last known email address;
• by publication on Licentia’s website;
• through news media; or
• in any other manner directed by the Information Regulator.

These methods are expressly contemplated by POPIA section 22(4).

12.5 Content of Notification

Where Licentia notifies a data subject of a security compromise, the notification will include sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, which may include:

• a description of the possible consequences of the compromise;
• a description of the measures Licentia intends to take or has taken to address the compromise;
• recommendations regarding measures the data subject may take to mitigate adverse effects; and
• if known to Licentia, the identity of the unauthorised person who may have accessed or acquired the personal information.

POPIA section 22(5) requires sufficient information to enable protective measures and lists these categories.

12.6 Internal Recordkeeping, Legal Hold, and Remedial Action

Licentia may retain internal records of security compromises, investigation findings, containment steps, communications, legal advice, notifications, and remedial measures for governance, audit, legal, and regulatory purposes.

Where a compromise may give rise to enforcement, dispute, litigation, insurance, or regulatory proceedings, Licentia may place relevant records on legal hold and preserve evidence until the matter is finalised and no further lawful retention basis remains.

Licentia may also implement corrective and preventative measures following a security compromise, including review of permissions, password resets, access restrictions, system changes, training, process amendments, or strengthened safeguards.

12.7 Third-Party Operators and Service Providers

Where a security compromise involves a third-party operator, hosting provider, developer, professional service provider, or other external party involved in Licentia’s processing environment, Licentia may require that party to cooperate in the investigation, containment, remediation, and lawful notification process.

Licentia will take reasonable steps to ensure that any operator processing personal information on its behalf maintains confidentiality and appropriate safeguards, consistent with POPIA’s security safeguard framework. POPIA separately addresses security measures where information is processed by an operator.

12.8 Lawful Basis

Licentia’s data breach procedure and related incident response processing are carried out on the basis of:

• legal and regulatory obligations under POPIA;
• lawful interests in protecting data subjects, restoring system integrity, preventing further compromise, preserving evidence, and ensuring governance accountability; and
• lawful enforcement, dispute resolution, and regulatory reporting requirements where applicable.