Kenya DPA 2019 - s.43 - Notification of Data Breaches

You have 72 hours to report to the ODPC. The ODPC clock starts the moment you know.

From breach discovery to ODPC notification in one guided workflow. Immutable breach log, phased disclosure workflow, subject notification templates, and the 72-hour countdown front and centre.

Why this matters

Built for your compliance outcomes

72h countdown on intake

Never lose track of where you stand

  • Clock starts from breach discovery
  • Prominent dashboard countdown
  • Team escalation at 48h and 60h
  • Critical alert as the deadline nears

Phased disclosure workflow

Initial, interim, and final notifications

  • Initial ODPC notification within 72h
  • Interim update as facts emerge
  • Final notification on resolution
  • ODPC-format notification templates

Subject notification at scale

Notify affected individuals efficiently

  • Bulk notification to affected subjects
  • Personalised templated messages
  • Email delivery at scale
  • Delivery confirmation tracking

Immutable breach record

Tamper-proof for ODPC inspection

  • Immutable log from first entry
  • Action history with timestamps
  • Cannot be deleted or altered
  • ODPC-format breach register export

Features

Everything you need, nothing you don't

Breach Intake Wizard

Guided intake form captures breach details, affected systems, data categories, subject count estimates, and discovery timeline.

72h Countdown Timer

Prominent countdown from the moment of documented discovery. Escalation alerts fire automatically at configurable thresholds.

ODPC Notification Drafter

ODPC-format notification template pre-populated from your breach intake data. Review, edit, and export for submission.

Subject Notification

Bulk, personalised subject notification at scale. Email delivery with confirmation tracking and audit log.

Breach Impact Assessment

Assess severity, risk level, and regulatory threshold to determine ODPC notification and subject notification obligations.

Breach Register

Immutable, tamper-proof register of all breach records. ODPC-format export for inspections and annual submissions.

DPA alignment

Every feature maps to a DPA section

Dira is built from the Act, not retrofitted to it. Here's exactly how each capability addresses your Kenya DPA 2019 obligations.

| Product Feature | DPA 2019 Section | What it fulfils |
|---|---|---|
| 72-hour countdown timer | s.43(1) | Notify ODPC without undue delay and within 72 hours of becoming aware of the breach |
| ODPC notification content | s.43(5) | Captures all required information: breach nature, categories affected, estimated numbers, DPO contacts, consequences, remedial measures |
| Subject notification workflow | s.43(4) | Notify affected data subjects when breach is likely to result in high risk to their rights and freedoms |
| Breach register | s.43 | Maintains records of all personal data breaches, including facts, effects, and remedial action taken |
| Impact assessment | s.43(1) | Determines whether the breach triggers notification obligations based on severity and risk threshold |
| Phased notifications | s.43(7) | Supports iterative disclosure as more facts become available, compliant with the phased notification regime |

How it works

Step-by-step workflow

01. Log the breach

Complete the breach intake wizard. The 72-hour countdown starts immediately from the documented time of discovery.

02. Assess scope and severity

Use Dira's impact assessment to determine affected systems, data categories, estimated subject count, and risk level.

03. Draft and submit ODPC notification

Dira pre-populates the ODPC notification format from your intake data. Review, finalise, and track submission.

04. Notify affected subjects

Configure and send bulk subject notifications. Track delivery. Log all communications in the immutable breach record.

05. Close and learn

Document remedial actions, close the breach record, and generate the ODPC closure report. Add to your breach register.

FAQ

Common questions

When must I notify the ODPC of a breach?

Under s.43(1) of the DPA 2019, you must notify the ODPC without undue delay and within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

What must the ODPC notification include?

Section 43(5) requires: description of the breach, categories and approximate number of data subjects affected, categories and approximate number of records involved, DPO contact details, likely consequences of the breach, and measures taken or proposed to address it.

Do I always need to notify data subjects?

No. Subject notification is required only when the breach is likely to result in a high risk to the rights and freedoms of data subjects (s.43(4)). Dira's impact assessment tool helps you make this determination in a documented, defensible way.

What if I cannot provide all details within 72 hours?

You can provide information in phases. The initial notification should include what is known. You can supplement with further details as the investigation progresses. Dira's phased notification workflow supports this approach and timestamps each phase for the ODPC record.

Start using Breach Management today

30-day free trial. No credit card required. Full access to all Data Privacy products from day one.

  • 30-day free trial
  • No credit card
  • Cancel anytime