Section 40 of the NDPA requires organisations to notify the NDPC of personal data breaches. The Breach Register helps you document, track, and manage breach notifications.
72-Hour Notification
The NDPA requires notification to the NDPC within 72 hours of becoming aware of a breach that is likely to result in risk to individuals. The system tracks this deadline with a visual SLA indicator.
Breach Workflow
- Detected — Breach identified
- Investigating — Assessing scope and impact
- Contained — Immediate measures taken to limit damage
- Resolved — Root cause addressed, remediation complete
- Closed — Post-incident review completed
Duty of Care
The NDPA introduces a duty of care obligation requiring controllers to assess and document the care owed to affected data subjects. Record this assessment in the dedicated field for each breach.
Notification Tracking
- NDPC Notification — Track whether and when the NDPC was notified, with reference numbers
- Data Subject Notification — Track communication to affected individuals when the breach poses high risk