What to Do When You Experience a Data Breach

December 13, 2024

Protecting Your Business, Your Customers, and Your Reputation

In today’s data-driven world, no business is immune to the threat of a data breach. Whether caused by cyberattacks, internal errors, or third-party vulnerabilities, breaches can result in the exposure of sensitive personal data—putting your customers, partners, and your business reputation at risk. If your organization suffers a data breach, a timely and structured response can significantly reduce legal exposure, rebuild trust, and demonstrate your commitment to data protection.

This article provides a comprehensive guide on what steps to take when you experience a data breach, based on regulatory requirements and best practices under Kenya’s Data Protection Act, 2019 and global standards.

1. Stay Calm and Contain the Breach

Your first instinct might be to panic—but staying calm and acting quickly is crucial. Once a breach is suspected or identified:

  • Isolate the incident: Disconnect affected systems from the network to prevent further unauthorized access or data leakage.
  • Engage IT/security teams immediately: Ensure your technical teams start assessing the breach source, scope, and impact.
  • Do not delete or tamper with evidence: Preserve system logs, emails, or devices for further forensic investigation.

Containment is about stopping the breach from getting worse while gathering facts to support your next steps.

2. Initiate Your Data Breach Response Plan

Every organization should have a data breach response plan in place before a breach occurs. This plan typically includes:

  • Roles and responsibilities: Who is leading the response? Who is communicating with affected individuals, the regulator, or the public?
  • Communication workflows: How will the breach be communicated internally and externally?
  • Escalation protocols: When should senior management and legal counsel be brought in?

If you don’t have a plan yet, this breach is your wake-up call to create one urgently—but in the meantime, document every step of your response for accountability.

3. Assess the Breach Thoroughly

A breach assessment is vital for determining your legal obligations and deciding whether notification is required. Your assessment should include:

  • What data was compromised? Was it personal data such as names, ID numbers, financial details, health records, or passwords?
  • How many individuals are affected? The more people affected, the higher the risk.
  • Was the data encrypted or anonymized? Encrypted data may reduce the severity of the breach.
  • What harm could result? Could the breach lead to identity theft, financial loss, or reputational damage?

This evaluation should guide all subsequent actions, especially your reporting obligations.

4. Notify the Office of the Data Protection Commissioner (ODPC)

In Kenya, under the Data Protection Act, 2019, organizations are legally required to report notifiable data breaches to the ODPC within 72 hours of becoming aware of them.

Your notification should include:

  • A description of the nature of the breach
  • The categories and number of individuals affected
  • The type of personal data involved
  • Potential consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details of your Data Protection Officer (if appointed)

Failing to notify the ODPC in time can result in administrative penalties, especially if the breach later becomes public.

5. Inform Affected Individuals (When Required)

If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals—such as identity theft, financial fraud, or reputational harm—you must notify them as soon as possible.

Your communication should be clear, direct, and empathetic. Include:

  • What happened and when
  • What type of data was compromised
  • What steps are being taken to contain and investigate the breach
  • What actions individuals can take to protect themselves
  • Contact information for further support

Transparency builds trust. Trying to hide a breach only worsens the fallout if the information leaks from another source.

6. Investigate the Root Cause

After containing the incident and reporting it, conduct a full forensic investigation to understand how the breach occurred and how it can be prevented in the future.

Common root causes include:

  • Weak passwords or lack of multifactor authentication
  • Unpatched software vulnerabilities
  • Insider threats or employee negligence
  • Misconfigured databases or cloud storage
  • Third-party vendor breaches

Document your findings thoroughly. This documentation may be requested by the ODPC or other oversight bodies and will also guide your remediation efforts.

7. Remediate and Prevent Future Breaches

Fixing the breach is only half the work—you must ensure it doesn’t happen again. Based on your findings:

  • Patch system vulnerabilities and update software
  • Review and enhance security protocols (e.g., firewalls, access controls)
  • Train employees on data protection awareness and cyber hygiene
  • Review third-party vendor contracts and data handling procedures
  • Consider conducting a Data Protection Impact Assessment (DPIA) for high-risk processing activities

If you don’t already have one, implement a data governance framework to ensure ongoing data security and compliance.

8. Review and Update Internal Policies

A breach often exposes gaps in internal data protection policies, procedures, or training. Post-breach, it’s critical to:

  • Update your incident response and data protection policies
  • Review your data retention schedule—are you holding unnecessary data?
  • Ensure your privacy notice and internal privacy policy reflect current practices
  • Develop or revise your Data Sharing Agreements, DPAs, and Terms of Service

This is also a good time to register or renew your status with the ODPC if you’re a data controller or processor and haven’t done so.

9. Monitor for Further Risks and Support Affected Individuals

Breaches can have long-term consequences, so continue monitoring:

  • Unauthorized attempts to access your systems
  • Online chatter about the incident
  • Feedback from affected individuals or partners

Offer support to affected individuals where possible. For example:

  • Provide credit monitoring if financial data was exposed
  • Offer a dedicated hotline or email for support queries
  • Continue updating individuals on new developments

Maintaining open lines of communication can help repair trust and reduce reputational damage.

10. Consider Legal and PR Implications

Depending on the scale and severity of the breach, you may need to involve:

  • Legal advisors to navigate regulatory risks, litigation threats, and contractual obligations
  • Public relations professionals to manage media inquiries and protect your brand’s reputation
  • Insurance providers if you have cyber insurance coverage

A well-managed public statement can prevent panic, reassure stakeholders, and demonstrate that you are handling the situation responsibly.

Why Working with a Data Protection Expert Matters

Data breaches are complex and high-stakes events. At Bostium, we provide tailored support to businesses in breach response, including:

  • Rapid assessment of the incident and notification obligations
  • Drafting reports to the ODPC and affected individuals
  • Legal and regulatory advisory
  • Post-breach risk assessments and mitigation strategies
  • Comprehensive training for your staff to avoid future breaches

We are your partner in navigating the toughest moments in data protection with confidence and compliance.

Conclusion: Be Prepared, Not Just Reactive

A data breach doesn’t have to be the end of your business or reputation. By responding quickly, transparently, and strategically, you can contain the damage, fulfill your obligations, and even emerge stronger.

The best defense against future breaches is preparation. Invest in the right policies, procedures, and partners now—so you don’t have to learn the hard way later.

About Author
This blog is authored by our CEO, a seasoned expert with extensive experience in privacy and data protection, providing valuable insights into navigating today's complex data landscape.