Audit Evidence

Can You Prove What Happened After An Incident?

When something goes wrong with information - a suspected breach, an accidental disclosure, a suspicious access event - the first question from regulators, clients and insurers is: what happened, and what did you do about it? Most organisations cannot answer clearly.

What This Looks Like In Practice

"A client contacts your business to report that they have received phishing emails referencing details only your firm should have. They believe their information may have been compromised through you. Your management team begins investigating - and within an hour it is clear there are no access logs, no audit trail, and no way to determine what happened to that client's file over the past twelve months."

Potential Consequences
Unable to fulfil the obligation to notify the Information Regulator accurately
Client complaint proceeds without an adequate management response
Reputational damage from the appearance of being unprepared or indifferent
Legal and management costs of responding to the Regulator without supporting evidence
Risk of a compliance finding that 'reasonable safeguards' were not in place
Questions Management Should Ask
If a client claimed their information was compromised today, could you tell them what happened, when and who was involved?
Do any of your business systems keep a log of who accessed which files or records?
Is there a process for preserving records when a concern is raised - before they are accidentally overwritten?
Have you ever tested your ability to reconstruct events after an information-related incident?
The Technical Side

POPIA's security safeguards condition and the Regulator's Conditions of Lawful Processing require organisations to document information security incidents and demonstrate a reasonable response. Audit logging - recording who accessed, modified or shared specific records, and when - is the technical foundation of incident response capability. Most enterprise platforms (Microsoft 365, Google Workspace, modern CRM and accounting systems) include audit log functionality as a standard feature that must be explicitly enabled. Forensic capability - the ability to reconstruct a timeline of events - depends on log retention periods being configured appropriately: typically 90-365 days for SME environments. Without logs, the organisation cannot distinguish between 'nothing happened' and 'something happened that we cannot detect.'

Practical Steps to Improve Visibility

1. Enable audit logging in all business systems that hold personal or confidential information - this is typically a settings change, not a purchase.
2. Set log retention to at least 90 days; 180+ days is recommended for regulatory defence purposes.
3. Create a basic incident response procedure: who is notified internally, what records are preserved, what the Regulator requires.
4. Identify your most sensitive information repositories and confirm logging is specifically active for those.
5. Run a tabletop exercise once a year: present a hypothetical incident to your management team and walk through exactly how you would respond.
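The point made under The Technical Side, that without logs you cannot tell "nothing happened" from "something happened that we cannot detect", and the retention figure in step 2 can be checked mechanically. The Python below is an added example, not ComplyBar's code: it reconstructs the timeline for one client record from a constructed audit-log export (the JSON-lines layout, field names, actors and record identifiers are all assumptions) and reports how much of the twelve-month period a client asks about falls outside the configured retention window.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: one JSON object per line, the shape many
# platforms' audit-log exports take. Actors, records and times are invented.
SAMPLE_LOG = """\
{"ts": "2024-03-02T09:14:00Z", "actor": "j.smith", "action": "viewed", "record": "client/ACME-0412"}
{"ts": "2024-03-02T09:16:30Z", "actor": "j.smith", "action": "downloaded", "record": "client/ACME-0412"}
{"ts": "2024-04-11T16:02:00Z", "actor": "t.nel", "action": "shared_external", "record": "client/ACME-0412"}
{"ts": "2024-04-12T08:00:00Z", "actor": "t.nel", "action": "viewed", "record": "client/BETA-0077"}
"""

# Actions that move data beyond the record itself; a complaint usually turns on these.
DISCLOSURE_ACTIONS = {"downloaded", "shared_external", "emailed"}


def parse_log(text):
    """Parse JSON-lines audit entries into a time-ordered list of dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            entry["ts"] = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
            events.append(entry)
    return sorted(events, key=lambda e: e["ts"])


def reconstruct(events, record, asked_at, lookback_days, retention_days):
    """Answer 'what happened to this record?' and state what the logs cannot cover."""
    asked_from = asked_at - timedelta(days=lookback_days)
    covered_from = asked_at - timedelta(days=retention_days)
    timeline = [(e["ts"].isoformat(), e["actor"], e["action"])
                for e in events
                if e["record"] == record and asked_from <= e["ts"] <= asked_at]
    # Days before retention began are not "nothing happened": they are
    # unobservable, and the report must say so rather than imply a clean bill.
    unknown_days = max(0, (covered_from - asked_from).days)
    return {
        "timeline": timeline,
        "disclosures": [t for t in timeline if t[2] in DISCLOSURE_ACTIONS],
        "covered_from": covered_from.date().isoformat(),
        "unknown_days": unknown_days,
        "conclusive": unknown_days == 0,
    }


def answer_for_sample(retention_days, lookback_days=365):
    """The scenario above: a client asks on 1 May 2024 about the past year."""
    asked_at = datetime(2024, 5, 1, tzinfo=timezone.utc)
    return reconstruct(parse_log(SAMPLE_LOG), "client/ACME-0412",
                       asked_at, lookback_days, retention_days)
```

With 90-day retention the sample answers the question for only 90 of the 365 days asked about and flags the remaining 275 as unknowable; at 365 days the same logs give a conclusive answer, which is the difference step 2 is buying.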
Find Out Where Your Business Stands

ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.

From R750 • Delivered online • No commitment required