
Key highlights
Convened C-suite and senior leaders in Mauritius
Two executive panels + live incident simulation
Strong engagement from audience
Media coverage secured across multiple outlets
Event snapshot
- 86%: of audience were manager level or above
- 74%: attendance from approved registrants
- 4.88/5: overall value score from audience
- 4.94/5: of attendees would recommend
How the event unfolded
Summary
The inaugural forum brought together senior leaders, regulators and specialists to focus on the executive decisions that shape resilience before, during and after a cyber incident.
- Cyber resilience was positioned as a leadership and governance issue, not a technical checklist.
- The strongest post-event signal remained practical action: exercising leadership teams, reviewing incident plans and improving board-level oversight.
- The national threat context showed why executive attention is needed now, especially for scams, impersonation, ransomware and fraud-driven crime.
CRLF 2026 in the press

Online articles
In other countries, there is a growing number of cases involving organisations being sued for negligence in data protection. How about Mauritius?
In several jurisdictions, there has been a growing trend of organisations being subject to legal action for negligence in data protection. In Mauritius, there has been a notable increase in complaints lodged with the Data Protection Office (DPO), reflecting heightened public awareness and more active regulatory oversight.
During the period January to December 2025, the DPO received two hundred forty-four (244) new complaints regarding investigations on the below subjects among others:
- Unauthorised use of CCTV camera
- Unlawful disclosure of personal data
- Processing of biometric data (such as fingerprint and facial recognition)
- Access to data subject
Out of the total number of cases, one hundred eighty-four (184) cases (representing 88%) pertained to CCTV. Furthermore, 90 enforcement notices were issued to private companies requiring them to register as controllers and/or processors.
The legal framework established under the Data Protection Act 2017 (DPA) provides clear and structured mechanisms for redress and enforcement. In this respect, pursuant to section 51, any person aggrieved by a decision of the Data Protection Commissioner may, within 21 days from the date the decision is communicated, lodge an appeal before the Tribunal. Under section 52, the Tribunal is vested with special jurisdiction to hear and determine such appeals and to dispose of matters arising under the Act.
In addition to the formal appeal process, the Data Protection Office actively exercises its regulatory mandate through a range of robust enforcement measures. These include the issuance of enforcement notices to address non-compliance, the conduct of compliance audits and inspections as well as the performance of security checks and technical assessments of systems involved in the processing of personal data.
In the year 2025, from a judicial standpoint, the Data Protection Office was involved in proceedings across various levels of the court system. Before the Supreme Court of Mauritius, the Office, represented by the State Law Office, acted as co-defendant/respondent in two cases. Before the Intermediate Court, the Office appeared as a witness in two CCTV-related cases which are currently ongoing. Similarly, before the Industrial Court, the Office appeared as a witness in one CCTV-related matter.
Looking ahead, the proposed amendments to the Data Protection Act are expected to further strengthen the enforcement framework by empowering the Data Protection Commissioner to impose administrative fines. This represents a significant shift towards a more proactive and efficient regulatory regime, enabling timely intervention without sole reliance on judicial proceedings.
In this evolving landscape, organisations in Mauritius are expected to adopt a proactive and structured approach to compliance. The Data Protection Office is reinforcing its enforcement capacity through the establishment of a Digital Forensics Laboratory and the recruitment of specialised personnel to investigate data breaches in accordance with high evidentiary standards. In parallel, enhanced regulatory oversight is being introduced through forthcoming regulations governing Data Protection Officers.
You will agree that organisations can have a very conservative risk assessment. Why do our laws not clearly and explicitly state the requirements?
The Data Protection Act intentionally moves away from a prescriptive, "check-the-box" regulatory style in favor of a principle-based framework. By enshrining high-level objectives such as transparency, data minimisation and accountability, the law ensures it remains resilient against the rapid pace of technological change and applicable across diverse economic sectors. This approach recognizes that risk is not static; it requires organisations to take active ownership of their data processing activities. Entities are empowered to implement "Privacy by Design" through measures that are proportionate to their specific scale and the sensitivity of the data they handle.
Pursuant to section 34 of the DPA, where processing is likely to result in a high risk to the rights and freedoms of individuals, controllers and processors are required to conduct a Data Protection Impact Assessment (DPIA) prior to such processing. In practical terms, this entails identifying and assessing risks to individuals by evaluating both the likelihood and severity of harm and implementing appropriate technical and organisational measures to mitigate those risks and reduce any residual risk to an acceptable level. This structured approach ensures that risks are systematically analysed, documented and addressed, thereby reinforcing accountability and supporting effective regulatory oversight.
Can you share statistics on reporting of data breaches from companies in Mauritius?
Based on records from the Data Protection Office, the number of data breach notifications received is as follows:
- Year 2024: 105 reported breaches
- Year 2025: 95 reported breaches
An analysis of these incidents indicates that unlawful disclosure and email misuse, including the transmission of emails to incorrect recipients, remain the primary causes of reported breaches. These trends underscore the critical need for organisations to strengthen staff awareness and implement regular, targeted training programmes, ensuring that employees clearly understand their obligations in handling personal data and adopt appropriate safeguards to minimise the risk of human error.
What needs to be done to protect confidentiality of companies and individuals to encourage them to report cyber-attacks?
To encourage a culture of transparency and proactive disclosure, it is essential that the regulatory environment is perceived not as punitive, but as a trusted partner in resilience and risk management. The following measures are key to protecting confidentiality and fostering trust:
- Statutory Confidentiality Assurances: The Data Protection Office treats all sensitive commercial and security-related information submitted during a breach notification with strict confidentiality. Our internal protocols ensure that technical details are used solely for regulatory oversight and are never disclosed in a manner that could further jeopardize an organisation’s security or reputation.
- Safe Reporting Frameworks: The office promotes a shift from a culture of blame to one of accountability and transparency. The reporting of cyber incidents is recognised as an essential component of responsible data governance. Clear and standardised reporting mechanisms are maintained to facilitate timely and secure disclosures.
- Proportionate and Risk-Based Enforcement: The office adopts a measured and proportionate approach to enforcement, taking into account whether organisations have acted in good faith through timely notification and full cooperation. Emphasis is placed on remediation and compliance rather than punitive action where there is demonstrable transparency.
- Anonymised Intelligence Sharing: To benefit the wider ecosystem without exposing specific victims, the office focuses on publishing aggregated, anonymized information in our annual report and decision summaries. This allows us to share "lessons learned" and emerging threat patterns across the industry while maintaining the absolute anonymity of the reporting entities.
- Strategic Capacity Building: The office continues to support organisations through the provision of guidance materials, templates and practical tools. By enhancing understanding of legal obligations and best practices, this reduces uncertainty and encourages timely reporting.
Has the Data Protection Office been working closely with CERT-MU and other regulatory bodies to ensure timely reporting in cases of data leakage or misuse?
Yes, the Data Protection Office works in close collaboration with CERT-MU and other relevant regulatory bodies in the discharge of its statutory functions, particularly in ensuring timely reporting and a coordinated response in cases of data leakage or misuse.
To formalise and strengthen this cooperation, the office has entered into Memoranda of Understanding (MoUs) with key stakeholders, including the Bank of Mauritius, CERT-MU and the Police. These MoUs provide a structured framework for information sharing, joint operations and capacity building, including collaboration on the establishment of a Digital Forensics Laboratory to enhance investigative and technical capabilities.
Questions addressed to the DPO

Drudeisha Madhub
Data Protection Commissioner, DPO

Event gallery

Cyber Incident Simulation: “Crisis at 09:00 - Decisions That Define Resilience”
A realistic scenario illustrating the first minutes of a breach, centred on board-level decision-making (not technical deep-dives).
Lead

Hitesh Gooriah
Head of Operations, STORM Guidance
Supporting Partner Insight: “Enable success through People & Technology” - FRCI
Panel 2: The Specialism Required for Effective Incident Response
Moderator

Jotish Gopaul
Solutions Engineer, TrendAI
Panellists

Lekha Seebaluck
MD, Blast BCW

Clarel Constance
CEO, FRCI

Lylah Joorawon
Managing Assoc. / Barrister, Dentons (Mauritius) LLP

Neil Hare-Brown
CEO, STORM Guidance
Independent Insight: “Executive Decisions That Shape Resilience” – STORM Guidance
Speaker

Neil Hare-Brown
CEO, STORM Guidance
Welcome & Opening Remarks - Chief Guest
Opening: Why Cyber Risk Demands Executive Attention
Key messages: economic & threat uncertainty; early-year vulnerabilities; escalating regulatory pressure; Mauritius-specific risks; readiness before incidents.
Speaker

Neil Hare-Brown
CEO, STORM Guidance
Cyber Threats That Will Matter Most in 2026
Speaker

Dr. Kaleem Usmani
Officer in charge, CERT-MU
Panel 1: “National Resilience & Executive Readiness for 2026”
Moderator

Farha Jhumka
CEO, Bluefox SAS
Panellists

Daniel Essoo
CEO, Mauritius Bankers Association

Dr. Kaleem Usmani
Officer in charge, CERT-MU

Drudeisha Madhub
Data Protection Commissioner, DPO

Dr. Sheeba Armoogum
Associate Prof., Head of Cybersecurity, UOM
Strategic Partner Insight: “From reactive to proactive resilience” - TrendAI
The Agenda
Speakers, Panellists & Moderators
Learn more about the event contributors
Secure your seat for CRLF 2027
If you would like to be considered for CRLF 2027, contact us using the form or by emailing contact@stormguidance.com
If you attended CRLF 2026 and would like to provide feedback, please use this link.











































