Venvera incident management with DORA ITS reporting timelines
Incident management with regulatory reporting clocks — shown with sample data.

Section 40 of the NDPA requires organisations to notify the NDPC of personal data breaches. The Breach Register helps you document, track, and manage breach notifications.

72-Hour Notification

The NDPA requires notification to the NDPC within 72 hours of becoming aware of a breach that is likely to result in risk to individuals. The system tracks this deadline with a visual SLA indicator.

Breach Workflow

  1. Detected — Breach identified
  2. Investigating — Assessing scope and impact
  3. Contained — Immediate measures taken to limit damage
  4. Resolved — Root cause addressed, remediation complete
  5. Closed — Post-incident review completed

Duty of Care

The NDPA introduces a duty of care obligation requiring controllers to assess and document the care owed to affected data subjects. Record this assessment in the dedicated field for each breach.

Notification Tracking

  • NDPC Notification — Track whether and when the NDPC was notified, with reference numbers
  • Data Subject Notification — Track communication to affected individuals when the breach poses high risk