As technology evolves, so too do the risks associated with the vast data collected through it.
If not addressed urgently, these risks could significantly damage reputations for organisations and threaten even greater harm for ordinary citizens whose personal information is increasingly stored across platforms.
South Africa is already seeing the consequences. Data breaches are on the rise across the public and private sectors.
In 2025, a government department fell victim to ransomware. More recently, Liberty Life suffered a cyber compromise. This week, Statistics South Africa reported a breach affecting its human resources division, following closely on the heels of an incident involving the Gauteng government.
These incidents point to a troubling reality. Cybercriminals may already possess sensitive citizen data. This raises a critical question, are South Africans’ personal details truly safe? The urgency of this question becomes even clearer as global technology players eye expansion into African markets.
Regulation alone is not enough if implementation and oversight fall short. A key vulnerability lies in where data is stored. Much of South Africa’s data resides in servers located in foreign data centres.
A prominent example is Starlink, the satellite internet service operated by SpaceX. Designed to deliver high-speed, low-latency connectivity, particularly in remote and underserved areas, such services rely heavily on user data. As these technologies enter local markets, South Africa must ask whether it has sufficient safeguards to ensure that citizen data remains protected and governed within its own regulatory framework.
Cybercrime is surging across the African continent. When data is compromised, it often ends up for sale on the dark web, ranging from ID numbers to contact details and financial information. The consequences are not abstract. Imagine searching your name online and finding your personal data exposed, information you once trusted organisations to protect.
From a regulatory standpoint, South Africa is not without defence. The Protection of Personal Information Act (Popia) provides a strong legal framework governing how organisations collect, store and process personal data, enforced by the Information Regulator.
However, regulation alone is not enough if implementation and oversight fall short. A key vulnerability lies in where data is stored. Much of South Africa’s data resides in servers located in foreign data centres. For some organisations, this contravenes internal policies and raises serious concerns about control, jurisdiction and exposure.
It also presents a missed opportunity. South Africa has the land, the potential and the need to invest in local data infrastructure. Developing data centres within our borders would not only strengthen data sovereignty but also stimulate economic growth and create much-needed jobs.
Public-private partnerships could play a vital role in building this capacity. Beyond economics, there is a national security imperative. Housing data locally ensures greater control and reduces the risk of foreign exploitation, particularly in times of geopolitical uncertainty. Data sovereignty is no longer a luxury. It is a necessity. Ultimately, safeguarding data within our shores is about protecting the interests of society.
Popia provides a solid foundation, but it must be matched by decisive action, investment and accountability. Without this, South Africa risks falling behind in an increasingly digital world, one where data is as valuable and as vulnerable, as any natural resource. The question is no longer whether we can afford to act. It is whether we can afford not to.
Muvhango Livhusha is Isaca SA (Information Systems Audit and Control Association) vice president, a PhD candidate in digital transformation and a part-time lecturer
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.