GDPR Breach Response Checklist — Article 33/34 72-Hour Notification

The moment you become aware of a potential personal data breach, activate your incident response procedure and assign a lead investigator. Do not wait for confirmation of the full scope — the 72-hour clock starts from 'becoming aware', which courts have interpreted broadly. Awareness of a potential breach (e.g., ransomware detected on a server containing personal data) starts the clock even before the full scope is known.

A personal data breach is 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.' This covers confidentiality breaches (unauthorised disclosure), integrity breaches (alteration), and availability breaches (loss of access). A locked laptop that was not accessed is still a potential breach. An email sent to the wrong recipient is a breach.

GDPR Article 33(1) notification is required unless the breach is 'unlikely to result in a risk' to individuals. Risk factors: sensitivity of the data (health, financial, identity documents), volume of records affected, ability to reverse the breach, nature of individuals affected (children, employees, customers), and the attacker's likely intent. Document the risk assessment in detail — if you conclude no risk exists, that reasoning must withstand regulatory scrutiny.

Use the supervisory authority's official notification form (each EU member state has its own portal). Required information under Article 33(3): description of the breach (nature, categories, approximate number of records and individuals), DPO or contact point details, likely consequences of the breach, and measures taken or proposed. If the full information is not available within 72 hours, notify with what you have and indicate information will follow ('without undue delay').

Article 33(1) allows notification beyond 72 hours 'accompanied by reasons for the delay.' The justification must be specific and documented — not a general statement that the investigation was ongoing. Regulators have fined organisations for unjustified late notifications even where the breach itself caused minimal harm. Common acceptable reasons include: complex technical investigation requiring third-party forensics, difficulty identifying affected individuals, or a multi-country incident requiring coordination.

Article 34 requires notification to affected individuals when the breach is 'likely to result in a high risk to the rights and freedoms of natural persons.' High risk indicators: financial harm (account credentials, payment card data), identity theft risk (national ID numbers, passports), physical safety risk, discrimination risk (health data, racial/ethnic origin, sexual orientation). The threshold is lower than for Article 33 — 'high risk' vs. 'risk.'

Article 34(2) requires notification to include: plain language description of the breach, DPO or contact point details, likely consequences, measures taken, and recommended steps for individuals to protect themselves. Use clear, direct language. Do not minimise the breach or use legal jargon. The notification must be direct — website notices or press releases are only acceptable if direct contact is impossible.

Parallel to notification obligations, take immediate containment steps: isolate affected systems, revoke compromised credentials, suspend compromised accounts, preserve forensic evidence (do not wipe systems before imaging), and engage cybersecurity incident response if needed. Document every containment action with timestamps — regulators expect to see evidence of prompt action.

All personal data breaches must be documented in an internal breach register regardless of whether notification was required. Required elements: breach description, date/time of discovery and occurrence (if known), affected data categories and volume, identities of affected individuals, likely consequences, remediation measures, and notification decisions with justifications. Maintain records for at least 3 years (practice: match to statute of limitations).

Article 33(2) requires processors to notify controllers 'without undue delay' after becoming aware of a breach — in practice, this means processors should notify within 24-36 hours to give controllers time to meet the 72-hour obligation. Review your Article 28 processor agreements to confirm they include this requirement. If a processor fails to notify you timely, document this and include it in your supervisory authority notification.

In cross-border processing, the 'lead supervisory authority' concept under Article 60 determines which authority receives notification. The lead authority is in the Member State of the controller's EU establishment. However, affected authorities in Member States of the affected individuals must also be informed. For breaches affecting individuals in multiple Member States, the lead authority coordinates — but notify the lead authority within 72 hours and flag the cross-border nature.

Individual notification is not required if: (a) you implemented appropriate encryption or other measures that render the data unintelligible to unauthorised parties, (b) you took subsequent measures to ensure high risk to individuals is no longer likely, or (c) direct notification would involve disproportionate effort — in which case a public communication or equivalent measure suffices. Document the basis for any exemption claimed.

After containment, conduct a root cause analysis. Update your Article 30 ROPA if the breach revealed undocumented processing. Update your DPIA if one exists for the affected system. Implement remediation measures. Brief senior management and, where applicable, the board. Document all post-incident actions. Supervisory authorities routinely review whether the controller improved controls after the breach.