How Do I Notify the ODPC About a Data Breach in Kenya: A Step-by-Step Guide for Businesses
If your organization has experienced a data breach in Kenya, understanding how to notify the ODPC about it is critical to compliance and to avoiding substantial penalties. The Office of the Data Protection Commissioner (ODPC) enforces strict breach notification requirements under the Data Protection Act 2019, mandating that organizations report incidents within 72 hours of discovery. For general businesses across all sectors—from retail and hospitality to professional services and manufacturing—this guide provides the essential procedures, timelines, and documentation needed to properly report a breach to the ODPC while protecting your organization from fines reaching KES 5 million or 2% of annual turnover.
Understanding Your Breach Notification Obligations Under Kenyan Law
The Data Protection Act 2019 establishes mandatory breach notification as a cornerstone of Kenya's data protection framework. Section 43 of the Act requires data controllers—any organization processing personal data—to notify the Data Protection Commissioner immediately upon discovering a breach, with a maximum 72-hour window from the moment awareness occurs.
The ODPC, as Kenya's independent data protection authority, enforces these requirements with significant regulatory power. Organizations that fail to notify within the prescribed timeframe face administrative fines of up to KES 5 million or 2% of the preceding financial year's annual turnover, whichever is higher. For a mid-sized business with annual revenue of KES 100 million, this penalty structure creates substantial financial exposure.
Breaches triggering notification obligations include any unauthorized or accidental access, disclosure, loss, or alteration of personal data held by your organization. This encompasses employee records, customer information, supplier details, financial records, and any other personally identifiable information (PII) your business maintains.
What Qualifies as a Reportable Data Breach?
A reportable breach under Kenyan law encompasses far more than just malicious cyberattacks. The definition includes:
- Unauthorized access to customer or employee databases
- Accidental disclosure of personal information through email misconfiguration
- Physical theft of documents containing personal data
- Loss of unencrypted devices (laptops, USB drives, mobile phones)
- Ransomware incidents affecting personal data systems
- Insider threats involving deliberate misuse of access credentials
- Third-party failures where your service providers breach data security
The threshold is deliberately inclusive. A single misfiled document containing employee addresses, an email sent to the wrong recipient with client names and contact details, or a stolen computer with unencrypted customer information all constitute reportable breaches requiring ODPC notification.
The 72-Hour Timeline: How to Prepare Your Breach Notification
When staff discover a potential breach, the 72-hour clock begins immediately. This timeline is non-negotiable and applies regardless of breach severity or complexity. Understanding what "becoming aware" means legally is critical—it refers to the moment any responsible person in your organization becomes conscious of the breach, not when it occurred or when formal investigation concludes.
Phase 1: Immediate Response (Hours 0-24)
Your first actions determine whether you meet the regulatory deadline. Upon discovering a potential breach:
- Isolate and contain the affected systems to prevent further data exposure
- Assemble your incident response team, including IT personnel, management, and your Data Protection Officer if appointed
- Document the discovery with precise timestamps and details of who identified the breach
- Assess scope by determining what personal data was involved, how many individuals are affected, and the nature of exposed information
- Preserve evidence for later ODPC investigation by maintaining logs, access records, and system backups
For a retail business discovering unauthorized access to its customer database containing names, email addresses, and phone numbers, this phase involves immediately suspending the affected account, checking access logs to determine when exposure occurred, and counting affected customers.
Phase 2: ODPC Notification Preparation (Hours 24-72)
With initial assessment complete, you must prepare your formal notification to the ODPC. This phase requires accuracy and completeness, as incomplete submissions delay processing and may incur additional scrutiny.
Gather the following information systematically:
- Organization registration details: Your business name, registration number, principal place of business, and sector
- Breach description: Detailed explanation of what occurred, including discovery date/time, initial signs, and suspected cause
- Personal data categories: Specific types of information exposed (names, ID numbers, contact details, financial information, health data, etc.)
- Affected individual count: Approximate number of people whose data was compromised
- Containment measures: Specific actions taken to stop ongoing exposure and prevent recurrence
- Data Protection Officer contact: Name and direct contact details if your organization has appointed a DPO
Phase 3: Submitting Your Notification (By Hour 72)
The ODPC requires notifications through their official digital portal, accessible via their website (www.odpc.go.ke). The portal guides organizations through a structured form ensuring all required information is captured.
Required Documentation for Submission:
- Completed breach notification form with timeline of events
- Risk assessment demonstrating likelihood of harm to individuals
- Technical security measures implemented (encryption status, access controls, etc.)
- Organizational security procedures (staff training, backup protocols, incident response plans)
- Data Protection Officer details and contact information
- Evidence of containment measures taken within the first 24 hours
Submit documentation in English or Kiswahili. Ensure all information is accurate and current—incomplete or misleading submissions may trigger separate investigations beyond the initial breach assessment.
How Do I Notify the ODPC: The Official Notification Process
Notifying the ODPC about a data breach in Kenya means following their prescribed procedures exactly. The ODPC maintains a breach reporting system designed to streamline notifications while ensuring consistent, standardized information collection across all organizations.
Using the ODPC Breach Notification Portal
Access the portal through the ODPC's official website by navigating to their breach reporting section. You will need:
- Your organization's legal registration details
- Contact information for the person submitting the notification
- Comprehensive breach information prepared during Phases 1 and 2
- Supporting documentation in PDF or Word format
The portal submission creates an official record with timestamp confirmation, providing evidence of timely reporting to the ODPC. Save confirmation numbers and receipts for your organizational records.
Notification Content Requirements
Your submission must clearly explain:
- When the breach occurred and when discovery happened
- How the breach was discovered (monitoring alerts, customer complaints, audits, etc.)
- What personal data categories were affected (be specific—not simply "customer information")
- How many individuals are likely impacted
- Who had access to the affected data
- What caused the breach (technical failure, human error, security compromise, third-party incident, etc.)
- What measures you've implemented to stop ongoing exposure
- What measures you've taken to prevent similar incidents
For a small accounting firm that discovers an employee's email account was compromised for three days, exposing client tax information and financial details for 47 clients, the notification would explain: the account compromise discovery method, the three-day exposure window, the specific data categories (names, ID numbers, income details, business registration information), affected client count, actions taken to secure the account and reset credentials, and planned security improvements (multi-factor authentication rollout, email monitoring, staff security training).
Notifying Affected Individuals After Reporting to ODPC
Once you've notified the ODPC, your organization must assess whether individual notifications to affected persons are required. The legal standard is whether the breach creates "high risk" to individuals' rights and freedoms.
High-risk factors include:
- Financial data breaches enabling fraud or identity theft
- Health or sensitive personal information disclosure
- Information revealing protected characteristics (race, religion, political affiliation)
- Data affecting vulnerable populations (minors, elderly persons)
- Large-scale breaches affecting numerous individuals
For low-risk breaches (such as non-sensitive business contact information), individual notifications may not be legally required, though many organizations choose to notify proactively for reputation management.
When individual notifications are required, communicate within 30 days of ODPC notification using clear, plain language. Include your Data Protection Officer's contact details, breach explanation, affected data categories, recommended protective actions (password changes, credit monitoring), and support resources.
Common Breach Notification Mistakes to Avoid
Organizations frequently make errors that complicate breach response:
- Delaying ODPC notification while conducting internal investigation (start notification within 24 hours regardless of investigation completion)
- Underestimating affected individuals through incomplete data audit
- Providing vague breach descriptions without specific dates, data categories, or incident details
- Failing to appoint or identify a Data Protection Officer on breach notification forms
- Using unofficial notification channels rather than the ODPC portal
- Delaying individual notifications beyond 30 days after ODPC notification
Establishing Breach Notification Procedures Now
Rather than improvising during a crisis, establish breach response procedures immediately:
- Appoint a Data Protection Officer (or designate a compliance lead for smaller organizations)
- Document your incident response plan specifying roles, communication chains, and decision authority
- Maintain personal data inventories enabling rapid assessment of breach scope
- Implement access logging for all personal data systems
- Test breach response procedures annually through simulated incidents
- Train staff on breach recognition and immediate escalation procedures
- Establish communication templates for ODPC and individual notifications
Organizations with established procedures achieve ODPC compliance far more consistently than those responding reactively.