
Before the breach: Why discovery comes first

By Ben van Niekerk, Business Development Executive – Cybersecurity, Faranani DocTec
Johannesburg, 20 Apr 2026
When unauthorised access occurs, the first question regulators ask is what controls were in place beforehand. (Image: Faranani DocTec)

In early April 2026, a major South African bank wrote to its business clients to confirm what no organisation ever wants to confirm: someone had been inside their data. Account numbers. Business names. ID and registration numbers. The bank moved quickly, activated its response teams and assured clients that transactional systems remained intact. Within days, the Information Regulator announced it would conduct its own parallel investigation – probing access controls, encryption, authentication and monitoring.

This was not an isolated incident. It arrived alongside a separate breach at a major insurer, a ransomware attack on Stats SA and a hacker group claiming 147GB of data from a Gauteng provincial entity. April 2026 was, by any measure, a bad month for South African data security. 

But the bad months have been getting worse for years.

The numbers are not abstract

South Africa ranked 27th globally among the most breached countries last year. In January alone, local organisations faced an average of 2 145 cyber attacks per week – a 36% increase year on year, slightly above the global average of 2 090. Since 2004, more than 124 million personal records have been exposed in this country. And yet, when I speak to IT and compliance leaders across sectors, the honest conversation rarely starts with "here is our data governance posture". It usually starts with "we know we have a problem, we are just not sure how big it is".

That is the actual risk.

The breach is not always the beginning of the problem

When an incident occurs, the investigation that follows is as revealing as the breach itself. Regulators want to know whether the organisation had adequate access controls, whether personal information was encrypted, whether monitoring and logging were in place and whether foreseeable risks had been identified and addressed before the event – not scrambled for afterwards.

If your answer to any of those questions is "we are not entirely sure", you already have your finding.

Most organisations are sitting on years, sometimes decades, of accumulated content – documents, records, customer data – spread across shared drives, legacy systems, e-mails and departmental silos. No one deliberately created that sprawl. It just grew. And because it grew without governance, no one knows exactly what personal information exists, where it lives, who has access to it or how long it has been retained past its useful life.

POPIA does not give organisations the luxury of that ambiguity. The moment personal information is processed, the responsible party carries obligations around its protection, accuracy, retention and disclosure. You cannot comply with what you cannot see. And you cannot defend what you do not know you have.

Discovery is not an IT project

One of the most persistent misconceptions I encounter is that data governance begins – and ends – with IT. Buy the right tools, configure the right systems and you are compliant.

It does not work that way.

Data governance is a business discipline. It requires understanding what data your organisation holds and why, who is accountable for it, how long it needs to be kept and what controls exist around access and use. Technology supports that discipline, but it does not replace the decisions that have to be made by people who understand both the legal obligations and the operational context.

Faranani DocTec has worked through enterprise content discovery and data governance implementations across South African organisations, and the pattern it sees consistently is this: the organisations that handle incidents well are not necessarily the ones with the most sophisticated tools. They are the ones who knew what they had before the incident happened.

That knowledge comes from doing the unglamorous work upfront – classifying content, building retention schedules, mapping information flows and establishing clear accountability. It also comes from having the right platform to operationalise those decisions at scale. As an OpenText Platinum Partner, Faranani DocTec works with tools purpose-built for exactly this challenge: enterprise-grade content management and governance that makes the invisible visible and keeps it that way.

What the regulator is actually looking for

The Information Regulator's response to recent breaches outlines precisely what any responsible organisation should be asking of itself right now.

Are your access controls adequate? Does strong authentication protect sensitive personal information? Is that information encrypted at rest and in transit? Do you have an effective intrusion detection system? Are you monitoring and logging access? And, critically – have you properly identified and mitigated the foreseeable risks to the personal information you process?

These are not technical questions dressed up in regulatory language. They are governance questions. They require an organisation to have a clear picture of its data landscape before it can answer them honestly.

A data breach is not just a security incident. Under POPIA, it triggers mandatory notification to the Information Regulator and to affected data subjects; it can result in enforcement action; and it carries the reputational cost of clients receiving a letter telling them their personal information was accessed without their consent. For JSE-listed companies, research indicates cyber incidents can cost up to 30% of share value. For any organisation operating in a trust-based relationship with its clients, the damage is harder to quantify and longer to repair.

Practical governance looks different from what most people expect

When organisations decide to take data governance seriously, they often anticipate a long, complex and expensive process that will take years to show results. The reality, when approached correctly, is different.

Discovery – understanding what personal and sensitive information you actually hold – can begin producing actionable insights quickly. From there, a governance framework is built on what actually exists in your environment, not on what an ideal-state template suggests should exist. Retention policies get teeth. Access controls get applied to real content categories. Accountability gets assigned to specific roles, not to "the IT department" as a general catchment.

The work is not glamorous. But it is protective. And in an environment where the Information Regulator is actively probing, where attack volumes are rising and where clients are increasingly alert to how their information is handled, it is also good business.

An invitation to the conversation

On 3 June 2026, Faranani DocTec is hosting a Data Governance in Practice client session – a focused half-day for executives and data governance professionals who want to move beyond theory and into implementation. The company will be covering real-world use cases, live demonstrations from OpenText specialists and the kind of frank discussion about what works – and what does not – that you rarely get in a vendor-led setting.

If your organisation is at the point where the question is no longer "should we take data governance seriously?" but "where do we actually start?", this session is built for you. Seating is limited.

To find out more or to reserve your place, contact Ben van Niekerk directly at ben.vanniekerk@faranani.com.

The organisations that get ahead of this are not the ones waiting for a breach to force the conversation. They are the ones already having it.

Ben van Niekerk is Business Development Executive – Cybersecurity at Faranani DocTec, an OpenText Platinum Partner specialising in enterprise content management and data governance solutions. Visit www.farananidoctec.com for more information.


Editorial contacts

Ben van Niekerk
Business Development Executive – Cybersecurity
(+27) 72 844 4830
ben.vanniekerk@faranani.com