Generate breach notification letters for African data regulators and affected individuals. Includes timeline alerts based on country-specific deadlines.
These are template letters. Review and customise them before sending. Legal review is strongly recommended before formal regulatory notification.
Case workspace
Build, save and export this legal workflow
This workspace turns the incident notice readiness result into a reusable matter note, dashboard item and gated PDF checklist. Use the app first, then save the evidence trail.
Benchmarked against Termly, OneTrust and enterprise consent platforms. The goal is not to copy them; it is to bring the useful workflow pattern into an Africa-first tool with official-source caution and local evidence capture.
Observed feature pattern
Mature privacy tools scan or map real processing activity, then connect policies, cookie choices, DSARs, consent logs and regulator evidence.
They preserve an audit trail instead of leaving users with a static policy that drifts away from the product.
They route high-risk processing into DPIA, breach and processor-contract workflows before launch or vendor onboarding.
Implemented on this app
This page now asks for matter, country or regime, date, status, evidence and risk flags before the user exports a note.
The app-specific checklist is not generic: it starts with "Record discovery time, containment time and decision time separately".
Saved workflows can be resumed from the dashboard and handed off to DPIA Tool when the matter naturally continues.
The PDF/export moment is a value-after-result gate, so users can still use the tool first and only share email when saving the report.
Reviewed 28 April 2026 · 16 core privacy regimes
Incident notice readiness
Breach notifications are judged by clarity and speed. The useful output is a regulator-ready account of what happened, whose data was affected, what risk exists, what you did, and what people should do now.
Decisions this clarifies
Whether the incident is a reportable personal data breach
Which regulator, data subjects, police, partner, or customer must be notified
Whether 72-hour reporting, confidentiality, attachments, or follow-up notices apply
Before you rely on it
Record discovery time, containment time and decision time separately
Describe affected data categories and groups without speculation
Add immediate, medium-term and long-term remediation steps
Red flags
Waiting for perfect forensic certainty before making a time-sensitive notification
Notifying customers before containment messaging is ready
Blaming a vendor without checking processor contract duties
Before filing, signing, publishing, or sending anything, keep a short record that links the app result to evidence and official-source checks.
Capture
Save the country or regime, parties, dates, amounts, selected options, and final output. Add why this matters: Whether the incident is a reportable personal data breach.
Attach
Record discovery time, containment time and decision time separately. Also keep the strongest supporting document, receipt, portal reference, ID, contract, policy, or court file beside the generated result.
Escalate
If you see this risk, pause and get qualified help: Waiting for perfect forensic certainty before making a time-sensitive notification.
Paste this into your matter file, compliance folder, board pack, or lawyer handoff.
Data Breach Notification Requirements in Africa
When a personal data breach occurs, most African data protection laws require organisations to notify the relevant regulatory authority within a specified timeframe. Nigeria's NDPA 2023 and Kenya's DPA 2019 both specify 72-hour notification timelines matching the EU GDPR. South Africa's POPIA requires notification "as soon as reasonably possible" without specifying a fixed number of hours.
A regulatory notification must typically include: description of the breach, categories and approximate numbers of affected data subjects, categories of data affected, likely consequences, and measures taken to address the breach.
Nigeria (NDPA): Notify the NDPC within 72 hours of becoming aware of a breach. Notify affected data subjects without undue delay where the breach is likely to result in high risk.
South Africa (POPIA): Notify the Information Regulator and affected data subjects as soon as reasonably possible after discovering a breach.
Kenya (DPA 2019): Notify the ODPC within 72 hours. Notify data subjects promptly where the breach is likely to cause harm.
Disclaimer
This tool provides general information and educational resources only. It is not legal advice. Generated letters are templates only and must be reviewed by qualified legal counsel before submission to regulatory authorities.