4.4 Breach notification or data leaks or security compromises

Data protection authorities are supposed to be notified of data breaches by data controllers. Under Zimbabwe's CDPA, the data controller must notify the DPA of a security breach within 24 hours, and similarly for Zambia,50 which also expects data processors to notify data controllers within a reasonable time after noticing or discovering a compromise. Eswatini section 17, Lesotho section 23 and South Africa section 22 are similarly worded, requiring that notification be made as soon as reasonably possible after discovery without compromising legitimate law enforcement needs; this notification goes to the data protection authority and to the data subject, unless identity cannot be established. Mauritius requires notification within 72 hours of a data breach, and the communication to the data subject must be made without undue delay if there is a high risk to the rights and freedoms.51

First, there are differences between the laws on how to handle notification of data compromises and breaches, including an assessment of whether risks are high for the data subject's rights and freedoms. This assessment must have established criteria, developed by the data protection authorities, to guide data controllers and data processors. If there are standardised guidelines, the practices of DPAs and the response protocols will be shared, for instance when breaches occur across borders. In the SADC region, only South African data controllers have disclosed security breaches.52 This is not to suggest that there are no data breaches or compromises in other countries; there could be a number of reasons, including the secretive nature of the authorities and their complicity in some of the data breaches. In South Africa, the IR has been proactive in requesting data controllers to provide additional information whenever there is a data breach.
For example, TransUnion Credit Bureau notified a security breach in March 2022, prompting the IR to request more details on 19 March 2022 of 'the date that the security compromise occurred, the cause of the security compromise, details of investigations into the security compromise, the extent and materiality of the security compromise, interim measures put in place to prevent a recurrence of the security compromise, and security measures that TransUnion Credit Bureau has put in place to prevent a recurrence of the security compromise'.53 TransUnion Credit Bureau had indicated that 'at least three million customers

50 ZDPA section A data controller shall notify the Data Protection Commissioner within twenty four hours of any security breach affecting personal data processed.
51 Mauritius Data Protection Act s and .
52 Mail and Guardian Five massive data breaches affecting South Africans June https://mg.co.za/article/ five massive data breaches affecting south africans/
53 The Regulator instructs TransUnion to report in greater detail regarding their security compromise Media Statement, Information Regulator March