
Notification Of Data Breach

30 August 2021

One of the distinct changes made to the way we handle and perceive personal data relates to responding to a breach of personal data. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This may include data breaches that are the result of both accidental and deliberate causes, and also means that a breach is about more than just losing personal data.

The Data Protection Act, 2019 (the DPA) touches on this, requiring the notification or communication of a breach where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been the subject of the unauthorized access. This means that a data controller and/or data processor, on becoming aware of a breach, should contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen. Some personal data breaches may only lead to possible inconvenience to those who need the data, while others can significantly affect individuals whose personal data has been compromised. It is therefore necessary to assess the potential adverse consequences of the breach based on how serious or substantial they may be, and how likely they are to happen.

The Office of the Data Protection Commissioner recently published the proposed Data Protection (General) Regulations, 2021, which attempt to provide further clarity to the DPA, including setting out the nature of a data breach that would amount to a notifiable data breach. This would assist in assessing the risk involved when deciding whether to notify the Data Protection Commissioner of a personal data breach that has been detected. However, the proposed regulations are yet to come into force.

Timelines for notification?

Where such a personal data breach, with a real risk of harm to the data subject, has been detected, a data controller shall:
  • notify the Data Commissioner without delay, within seventy-two (72) hours of becoming aware of such breach; and
  • communicate to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established.
Where the notification to the Data Commissioner is not made within seventy-two (72) hours, such notification shall be accompanied by reasons for the delay above the specified duration.
The data controller may also delay or restrict the communication referred to above as necessary and proportionate for purposes of the prevention, detection or investigation of an offence by the concerned relevant body.

In the alternative, where a data processor becomes aware of a personal data breach, the data processor shall notify the data controller without delay and, where reasonably practicable, within forty-eight (48) hours of becoming aware of such breach.

Information to be included in the notification

Such notification and communication to be made in the event of a personal data breach is required to provide sufficient information to allow the data subject to take protective measures against the potential consequences, including but not limited to the following:
  • description of the nature of the data breach;
  • description of the measures that the data controller or data processor intends to take or has taken to address the data breach;
  • recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
  • where applicable, the identity of the unauthorized person who may have accessed or acquired the personal data; and
  • the name and contact details of the data protection officer where applicable or other contact point from whom more information could be obtained.
The impact of implementing this requirement under the DPA would be to increase transparency in the handling of personal data, while continuously improving the measures taken to safeguard any personal data held. Although the proposed regulations also provide more guidance on the nature of risk that would make a breach notifiable, as well as on other information to be included in a notification, we are yet to see the full effect of this requirement, as the implementation of the DPA is still underway and, as a result, its enforcement is yet to be sufficiently tested. For now, they provide much needed guidance on dealing with personal data breaches, with the backing of the law to ensure our standards are on par with international best practice.


