Organizations collect, process, and store vast amounts of personal data. With this comes the responsibility of ensuring that the data is secure and protected from breaches. A data breach can result in severe consequences, including legal liabilities, reputational damage, and financial loss.
In Kenya, the Data Protection Act, 2019 (DPA) provides the legal framework for protecting personal data and sets out strict obligations for organizations when a personal data breach occurs. This post gives compliance professionals a practical overview of how the DPA treats data breaches and what organizations must do to meet their obligations.
The Data Protection Act, 2019 defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed. Simply put, a data breach is any event that compromises the confidentiality, integrity, or availability of personal data.
Data breaches can happen in various ways, and organizations must be prepared to respond swiftly and effectively to mitigate potential harm.
The Data Protection Act, 2019 places the notification duty on data controllers (the entities that determine the purposes and means of processing personal data). Data processors (the entities that process personal data on behalf of a data controller) do not notify the regulator directly; instead, a processor that becomes aware of a breach must notify the data controller without delay, and where reasonably practicable within 48 hours of becoming aware of it.
Section 43 of the DPA provides that where personal data has been accessed or acquired by an unauthorized person and there is a real risk of harm to the data subjects concerned (i.e., the individuals whose personal data has been compromised), the data controller must notify the Office of the Data Protection Commissioner (ODPC) without delay, and within 72 hours of becoming aware of the breach. The controller must also communicate the breach to the affected data subjects in writing within a reasonably practical period, unless their identity cannot be established.
When notifying the ODPC of a data breach, the data controller must include the following information in the breach notification: