POPIA meets post-quantum reality: what “reasonable safeguards” means in 2026
- Johan Steyn
- 15 hours ago
- 4 min read
Quantum-safe encryption is moving from theory to boardroom risk, and leaders should act now to protect trust, data, and long-term value.
Audio summary: https://youtu.be/dd5r3U2tXto
Follow me on LinkedIn: https://www.linkedin.com/in/johanosteyn/
If you work in banking, insurance, telecoms, healthcare, education, retail, or government, there is a quiet security shift you can’t ignore: quantum computing is moving from “one day” to “sooner than our planning cycles can comfortably handle”. The practical issue isn’t that quantum computers are already breaking encryption at scale; it’s that adversaries can copy sensitive data today and keep it until they can decrypt it later. That changes how we should think about long-lived records, especially children’s data such as health files, school records, behavioural profiles, and identity documentation. In South Africa, where trust is fragile and cyber risk is persistent, “quantum-safe” should be treated as a forward-looking safety upgrade with immediate governance implications.
CONTEXT AND BACKGROUND
Quantum computing is advancing fast enough that mainstream tech and security conversations have shifted from curiosity to preparedness. In South Africa, ITWeb recently framed quantum as a technology that is accelerating, with direct implications for cybersecurity and national capability-building.
At the same time, the “why now” argument has become more concrete in public reporting: the goal of post-quantum cryptography is to keep data secure even when quantum machines become powerful enough to threaten today’s widely used encryption methods. LiveScience recently explained why cryptographers are racing to deploy quantum-resistant approaches and why organisations should start preparing rather than waiting for a dramatic “quantum breakthrough” headline.
South Africa is also not watching from the sidelines. Polity republished an explainer on the South Africa–China quantum communication link and why it is considered historic, underscoring that quantum isn’t only about computing power, but also about ultra-secure communications and strategic digital infrastructure.
INSIGHT AND ANALYSIS
Here is the uncomfortable board-level reality: security is not only about preventing attacks, but about reducing the value of stolen data. “Harvest now, decrypt later” turns encryption into a time-sensitive asset. If your organisation stores data that must remain confidential for 10–20 years, you cannot treat quantum as a 2036 problem. Children’s data is the clearest example: medical histories, learning support assessments, biometric identifiers, and family contact data can follow a child into adulthood. If those records are compromised later, the harm is not merely financial; it’s reputational, personal, and potentially lifelong.
The second reality is that organisational readiness is not where it should be. ITPro recently covered research suggesting a large portion of enterprises are still unprepared for quantum-era threats, even as guidance and timelines are becoming more explicit. This gap matters in South Africa because we often inherit global technology stacks and vendor decisions. If your core systems, cloud services, payment rails, or identity providers move to quantum-safe standards on their timelines, you will be dragged along—either in a controlled way or in a crisis.
Third, quantum-safe encryption isn’t one product you can “buy and install”. It’s a migration programme. It involves inventorying where cryptography is used, updating protocols and certificates, managing performance trade-offs, and making sure you can rotate algorithms without rebuilding everything. Even consumer-facing services are beginning to signal this shift. TechRadar recently covered a VPN provider adding quantum-resistant encryption options, illustrating how “quantum-safe” is moving into real product roadmaps, not just academic papers.
IMPLICATIONS
For business leaders, the immediate action is governance, not jargon. Put “quantum-safe readiness” on the risk register alongside cyber, POPIA compliance, vendor risk, and business continuity. Ask four basic questions: Where do we use encryption? Which systems protect long-lived sensitive data (especially children’s data)? Which vendors control the cryptography choices? What is our timeline to become “crypto-agile” so we can swap algorithms without chaos?
For security and technology leaders, prioritise systems that will be hardest to change later: identity and access, customer authentication, PKI/certificates, legacy systems, and any data stores holding high-sensitivity records for many years. Build a transition roadmap that is realistic, phased, and vendor-driven where appropriate, but not vendor-dependent.
For society, including parents and schools, the message is simple: the safest data is the data you never collect. If we reduce the unnecessary collection of children’s data today, we reduce future exposure tomorrow. Quantum-safe encryption is essential, but data minimisation is the other half of the protection story.
CLOSING TAKEAWAY
Quantum computing is not a headline you wait for; it’s a trajectory you plan for. The smart move for South African organisations is to treat post-quantum cryptography as a multi-year resilience upgrade that starts with visibility, governance, and vendor pressure now. This is especially urgent where children’s data is involved, because the confidentiality window is long and the harm of later exposure is deep. If we want a future where technology expands opportunity without eroding trust, then “quantum-safe” must become part of responsible leadership, not a niche security conversation.
Author Bio: Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net