When a personal data breach occurs at your organisation, a clock starts. Under section 43 of the Kenya Data Protection Act 2019, you have 72 hours from the moment you become aware of the breach to notify the Office of the Data Protection Commissioner (ODPC). Not 72 hours from when you investigate it. Not 72 hours from when you decide it is serious. From the moment of awareness.
This guide explains exactly what the law requires, what the ODPC expects in your notification, and how to structure your incident response so the 72-hour window is manageable rather than a crisis.
What Counts as a Personal Data Breach?
The Kenya DPA 2019 does not define "data breach" directly, but the context of section 43 makes clear that it covers any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
This includes:
- A ransomware attack that encrypts customer records
- An employee emailing a customer list to the wrong recipient
- A cloud misconfiguration that exposes a database to the public
- A physical theft of a laptop containing unencrypted personal data
- An insider leaking customer data to a competitor
This does not include:
- A failed login attempt or blocked intrusion where no data was accessed
- A phishing email that no one clicked
- Internal access by authorised employees within the scope of their role
The key question is always: was personal data actually compromised?
When Does the 72-Hour Clock Start?
Section 43(1) uses the phrase "on becoming aware." This is the critical trigger. The clock starts when your organisation - meaning any employee, officer, or agent acting within their role - becomes aware that a breach has occurred.
You do not need to have confirmed the full scope. You do not need to have completed an investigation. Awareness of a likely breach is sufficient.
Practical implication: If a developer notices anomalous database access at 09:00 on Monday but does not escalate to the DPO until Thursday, the ODPC may treat Monday as the awareness date. Internal escalation pathways must be fast and clearly documented.
Is Notification Always Required?
No. Section 43(1) includes a threshold: notification is required unless the breach "is unlikely to result in a risk to the rights and freedoms of a data subject."
This means you must assess the risk. A low-risk breach - for example, a limited number of non-sensitive records briefly accessible due to a misconfiguration that was immediately remediated with no evidence of actual access - may not require ODPC notification if you can document the risk assessment with evidence.
However, the threshold favours notification. If you are uncertain, notify. Failing to notify when notification was required is a more serious compliance failure than over-notifying.
What Must the ODPC Notification Include?
Section 43(5) sets out the six required elements of the notification:
- Description of the breach - the nature of the incident, how it occurred, and when it was discovered
- Categories and approximate number of data subjects affected
- Categories and approximate number of records involved
- DPO contact details - name and contact information of your Data Protection Officer or designated point of contact
- Likely consequences of the breach for affected data subjects
- Measures taken or proposed to address the breach and mitigate its effects
If you cannot provide all of this within 72 hours, you can submit in phases. The initial notification should include what you know. Supplement it as the investigation progresses. The ODPC expects transparency about what you do not yet know - silence is not acceptable.
When Must You Notify Affected Data Subjects?
Section 43(4) requires you to notify affected data subjects when the breach "is likely to result in a high risk to the rights and freedoms" of those individuals. This is a higher threshold than ODPC notification - but it applies independently.
A high-risk breach typically involves:
- Exposure of sensitive personal data (health records, financial data, biometrics)
- Data that could enable identity theft or fraud
- A large number of affected individuals
- Exposure to malicious actors rather than accidental disclosure
When in doubt, notify subjects. The reputational cost of proactive subject notification is usually lower than the damage caused by subjects discovering a breach from another source.
The Breach Register
Section 43 also requires you to maintain records of all personal data breaches - including those that did not meet the ODPC notification threshold. This register must document:
- The facts of the breach
- Its effects on data subjects
- The remedial action taken
The breach register is one of the first documents the ODPC requests during a compliance audit or investigation. It must be complete, accurate, and demonstrably maintained - not reconstructed after the fact.
What Happens If You Miss the 72-Hour Window?
Missing the notification deadline is a breach of section 43 and exposes your organisation to ODPC enforcement action, which may include:
- A compliance notice requiring remediation
- An enforcement notice ordering specific action
- A financial penalty of up to KES 5 million or 1% of annual turnover, whichever is lower, under sections 62-63
The ODPC also has powers to conduct compliance audits and investigations under Part VI of the Act. A missed notification that later comes to light - through a data subject complaint, a press report, or a third-party disclosure - will attract significantly more scrutiny than a timely but imperfect notification.
Building a 72-Hour-Ready Incident Response Process
The organisations that consistently meet the 72-hour window share four characteristics:
1. A documented breach response policy. Who is notified internally when a potential breach is identified? What is the escalation path to the DPO? What is the threshold for triggering the notification workflow?
2. A nominated breach response team. The DPO, IT/security lead, legal counsel, and communications - all with defined roles and backup contacts for out-of-hours incidents.
3. Pre-prepared notification templates. A pre-populated ODPC notification template reduces the time to submission under pressure. It also ensures no required section 43(5) field is missed.
4. A maintained breach register. An up-to-date register means you are never reconstructing records during an active incident.
The 72-hour window is tight. For an organisation handling its first incident without a structured process, it is not manageable. With preparation, it is.
Your s.43 Obligations at a Glance
Use this as a quick-check reference when an incident occurs. Every row maps to a specific statutory obligation under section 43 of the Kenya DPA 2019.
| What | The Rule |
|---|---|
| When the clock starts | The moment any employee or agent becomes aware of the breach |
| Deadline to notify ODPC | 72 hours - no extensions for ongoing investigation |
| When notification can be skipped | Only if the breach is unlikely to risk data subjects' rights - and you must document that assessment |
| Who to notify | Office of the Data Protection Commissioner (ODPC) |
| What the notification must cover | Six elements under s.43(5): breach description, subjects affected, records involved, DPO contact, likely consequences, remedial measures |
| When to notify data subjects | When the breach is likely to result in high risk to individuals' rights and freedoms (s.43(4)) |
| Breach register | Mandatory for every breach - including those below the ODPC notification threshold (s.43) |
| Maximum penalty for non-compliance | KES 5 million or 1% of annual turnover, whichever is lower (ss.62-63) |
The 72-hour rule is unforgiving. The organisations that consistently meet it don't improvise - they prepare. Build your incident response process now, not during an active breach.