If you have discovered a personal data breach, the next 72 hours determine whether this becomes a minor incident or a major regulatory and reputational event. This page is the practical guide for what to do, in order, starting now.

If you need help immediately, contact Engage Compliance. We provide 24/7 breach response support for clients and can engage on an emergency basis for non-clients.

Key takeaways

  • Under GDPR Article 33, controllers must notify the competent supervisory authority without undue delay and where feasible within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to rights and freedoms.
  • The 72-hour clock starts when you become aware, meaning reasonable certainty that a security incident has compromised personal data, not certainty of the full scope.
  • Contain the breach first, document everything from the start, and assemble a response team of DPO, IT/security, legal counsel, and a senior decision-maker.
  • If you lack full information at 72 hours, file the initial notification with what you know, since Article 33(4) explicitly permits phased notification.
  • We provide 24/7 breach response support for clients on retainer and engage on an emergency basis for non-clients in an active breach.

What counts as a personal data breach

Under GDPR Article 4(12), a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The threshold is low. Examples include lost laptops, ransomware encrypting personal data, emails sent to the wrong recipients, unauthorized access to databases, accidental publication of customer data, and physical theft of files.

You do not need to be certain a breach occurred to start the clock. The 72-hour notification clock starts when you become aware of the breach. Awareness means reasonable certainty that a security incident has compromised personal data, not certainty of the full scope.

Hour 0 to 4: Contain and assess

The first priority is containment. Stop the breach from continuing or expanding. This may mean disconnecting affected systems, revoking credentials, locking down accounts, or removing publicly accessible files.

Document everything from the start. Note the time you became aware, who told you, what system or process is affected, what data appears to be involved, and what containment actions you have taken. This documentation becomes the foundation of your regulator notification and is the first thing requested in any subsequent investigation.

Assemble your response team immediately. At minimum: your DPO, your IT/security lead, your legal counsel, and your CEO or relevant senior decision-maker. If you do not have a DPO, this is the moment you need one.

Hour 4 to 24: Investigate and quantify

Determine the scope. How many data subjects are affected? What categories of data? How sensitive is the data? Was the data encrypted or otherwise protected? Has the data been exfiltrated or only accessed?

Determine the cause. Was this a malicious external actor? An internal mistake? A vendor compromise? A system vulnerability? The cause affects both your regulatory notification content and your remediation plan.

Begin preserving evidence. Logs, system snapshots, communications, and any artifacts from the incident must be preserved for the investigation. Modern attackers often try to delete logs; back them up immediately if you have not already.

If a vendor or third-party processor caused or contributed to the breach, notify them in writing immediately. Your data processing agreement should specify their obligations. If you are the processor, notify your controller immediately.

Hour 24 to 72: Notify the supervisory authority

Under GDPR Article 33, controllers must notify the competent supervisory authority of a personal data breach without undue delay and where feasible not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification should include the nature of the breach, categories and approximate number of data subjects and records affected, contact details of the DPO or other contact point, likely consequences, and measures taken or proposed.

If you do not have full information at 72 hours, file the initial notification with what you know and follow up with supplementary information as it becomes available. Article 33(4) explicitly permits phased notification.

Identify the right supervisory authority. For companies based in one EU member state, this is typically the lead supervisory authority of that state. For multinational controllers, the lead authority is determined under the GDPR one-stop-shop mechanism. Common authorities:

  • Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
  • Ireland: Data Protection Commission (dataprotection.ie)
  • UK: Information Commissioner’s Office (ico.org.uk)
  • France: CNIL (cnil.fr)
  • Germany: BfDI or relevant Land authority

If you are a non-EU controller without an EU Representative under Article 27, you must still notify the authority of the affected data subjects.

Notifying data subjects

Under GDPR Article 34, if the breach is likely to result in a high risk to the rights and freedoms of natural persons, you must communicate the breach to the affected data subjects without undue delay.

Communications to data subjects must use clear and plain language, describe the nature of the breach, provide contact information for further information, and describe the likely consequences and measures taken.

Decide on data subject notification only after careful risk assessment. Notification is required when the risk is high. Notification is not required if encryption or other protective measures render the data unintelligible to unauthorized parties, if subsequent measures eliminate the high risk, or if individual notification would involve disproportionate effort.

Hour 72 to 7 days: Document, remediate, and prevent recurrence

After the immediate notification clock has passed, focus shifts to remediation and prevention.

Complete your internal incident report. Include timeline, scope, cause, immediate actions, notifications made, remediation taken, and proposed prevention measures. This document is the basis for your defense if the supervisory authority opens an investigation.

Update your breach register. GDPR Article 33(5) requires controllers to maintain a register of all personal data breaches. The register should include all breaches, not only those that triggered notification.
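As an added example (not Engage Compliance's own tooling), a small Python breach-register entry that encodes the 72-hour clock from the awareness timestamp (Article 33), the Article 33(4) phased-filing flag, and the Article 34 data-subject decision with its exceptions. The field and function names and the ransomware scenario are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33(1): "where feasible" within 72 hours

@dataclass
class BreachRecord:
    """One entry in the Art. 33(5) breach register; field names are this example's own."""
    aware_at: datetime                 # reasonable certainty data was compromised, not full scope
    nature: str
    subjects: Optional[int] = None     # approximate number; None while still unknown
    categories: tuple = ()             # e.g. ("contact", "financial")
    risk: str = "unknown"              # assessed level: "unlikely", "risk", "high" or "unknown"
    unintelligible: bool = False       # Art. 34(3)(a): encryption etc. makes data unusable
    high_risk_removed: bool = False    # Art. 34(3)(b): later measures removed the high risk
    disproportionate_effort: bool = False  # Art. 34(3)(c): public communication instead
    actions: list = field(default_factory=list)  # timestamped containment/investigation log

    def log(self, when: datetime, what: str) -> None:
        self.actions.append((when, what))

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFY_WINDOW

    def hours_left(self, now: datetime) -> float:
        return (self.deadline() - now).total_seconds() / 3600

    def must_notify_authority(self) -> bool:
        # Art. 33: notify unless unlikely to result in a risk; "unknown" does not stop the clock.
        return self.risk != "unlikely"

    def must_notify_subjects(self) -> bool:
        # Art. 34: only for high risk, and not when one of the 34(3) exceptions holds.
        if self.risk != "high":
            return False
        return not (self.unintelligible or self.high_risk_removed
                    or self.disproportionate_effort)

    def phased_filing(self) -> bool:
        # Art. 33(4): file what is known now and supplement later if scope fields are open.
        return self.subjects is None or not self.categories

def sample_breach() -> BreachRecord:
    """Constructed scenario: ransomware on a customer database, scope still open."""
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    rec = BreachRecord(aware_at=t0, nature="ransomware encrypted customer DB", risk="high")
    rec.log(t0 + timedelta(minutes=20), "isolated DB host from network")
    return rec
```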

Implement remediation. Patch vulnerabilities, revoke compromised credentials permanently, retrain affected personnel, update vendor contracts, and adjust security controls to prevent recurrence.

Prepare for follow-up regulator correspondence. After your initial notification, the supervisory authority may request additional information, propose corrective measures, or open a formal investigation. Respond promptly and through your DPO.

Common mistakes to avoid

Do not delay notification while trying to investigate fully. The 72-hour clock is firm. File initial notification with what you know.

Do not assume your DPO or IT team can handle a serious breach without dedicated breach response expertise. Major breaches typically require coordinated effort across legal, technical, communications, and regulatory work.

Do not communicate with affected data subjects before notifying the supervisory authority unless there is an immediate safety reason. Premature data subject communication can complicate the regulator interaction.

Do not destroy evidence. Even if it shows the company at fault, evidence preservation is required and destruction can elevate the matter to obstruction.

Do not assume your insurance covers breach response. Cyber insurance has specific notification and process requirements that must be followed to maintain coverage. Notify your insurer immediately.

How Engage Compliance helps

We provide 24/7 breach response support for clients on retainer. This includes immediate assessment, notification preparation, supervisory authority correspondence, data subject communication drafting, and coordination with cyber insurance, forensics, and legal counsel.

For non-clients in an active breach, we engage on an emergency basis. The earlier we are involved, the more we can help. Most companies that engage us in hour one through twenty-four end up significantly better positioned than those who engage at hour sixty.

This page is general information, not legal advice.

Frequently asked questions

When does the 72-hour clock actually start?

It starts when you become aware of the breach, which means reasonable certainty that a security incident has compromised personal data, not certainty of the full scope. You do not need to have finished investigating, and you do not need to be certain a breach occurred to start the clock.

What if we do not have full information by 72 hours?

File the initial notification with what you know and follow up with supplementary information as it becomes available. GDPR Article 33(4) explicitly permits phased notification, so delaying the whole notification while you investigate is a mistake.

Do we always have to notify the supervisory authority?

Under Article 33 you must notify the competent supervisory authority without undue delay and where feasible within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Separately, under Article 34 you must also tell affected data subjects if the breach is likely to result in a high risk, unless exceptions such as effective encryption apply.

What should we actually do in the first few hours?

Contain the breach first by disconnecting affected systems, revoking credentials, locking down accounts, or removing publicly accessible files. Document everything from the start, and assemble a response team of at minimum your DPO, your IT or security lead, your legal counsel, and a senior decision-maker. If you do not have a DPO, this is the moment you need one.

Can you help if we are mid-breach and not a client?

Yes. We provide 24/7 breach response support for clients on retainer, and we engage on an emergency basis for non-clients in an active breach. The earlier we are involved the more we can help, and companies that engage in the first hours are typically far better positioned than those who wait.