GDPR Data Breach Notification Checklist
Last updated: 2026-04-08 — ComplianceStack Editorial Team
The GDPR's 72-hour breach notification requirement is one of the most operationally demanding obligations in data protection law. GDPR fines for breach notification failures consistently exceed the fines for the underlying breach itself — because they evidence the absence of a functioning compliance program. The €405 million fine against Instagram in 2022 included failures in breach response. The Irish DPC has found that companies typically fail not on identifying the breach, but on the 72-hour clock and the quality of their initial notification. This checklist covers the 17 steps for building a breach response program that meets Article 33 and Article 34 requirements.
GDPR Compliance Checklist for Breach Notification
Establish a written data breach response policy with named roles and escalation paths
Before any breach occurs, document: who is the Incident Response Manager (IRM), who makes the decision to notify the DPA, who drafts the notification, who notifies affected individuals, and who communicates externally. Include escalation paths for weekends, holidays, and when primary contacts are unavailable. The policy should specify response SLAs at each stage to ensure the 72-hour clock is met.
Train staff to recognize and report potential breaches immediately to the DPO or privacy team
Most breaches are first noticed by non-privacy staff — a developer discovering an access log anomaly, a customer service agent receiving a complaint about unauthorized access, an employee noticing a lost device. Train all staff: what constitutes a personal data breach, who to report it to, and the importance of immediate reporting. A delay between discovery and internal notification is the most common reason organizations miss the 72-hour DPA notification window.
Define when you are "aware" of a breach for purposes of starting the 72-hour clock
The 72-hour clock starts when the controller becomes "aware" that a personal data breach has occurred. The EDPB defines awareness as having a reasonable degree of certainty that a security incident has occurred that has led to the compromise of personal data. A single employee noticing a potential anomaly does not start the clock; confirmation that personal data has been affected does. Document your awareness determination process and the time it was triggered.
Conduct initial breach triage within 4 hours of awareness: scope, type, and likely impact
Before notifying the DPA, gather enough information to complete the initial notification. Identify: the nature of the breach (confidentiality, integrity, availability), the categories and approximate number of records affected, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. You do not need to have complete information — Article 33(4) permits phased notification as more information becomes available.
Notify the lead supervisory authority within 72 hours of becoming aware of the breach
Notification must include: a description of the breach nature; contact details of the DPO or other contact point; the likely consequences of the breach; and the measures taken or proposed to address the breach. For cross-border processing, notify the lead supervisory authority (based on your main establishment). If notification is delayed beyond 72 hours, you must explain the reasons for the delay. Submit through the DPA's official online portal (e.g., ICO online reporting, CNIL online form).
Assess whether the breach is "likely to result in high risk" to data subjects to determine if individual notification is required
Individual notification under Article 34 is required when the breach is likely to result in high risk to the rights and freedoms of natural persons. High risk factors include: financial fraud potential, identity theft possibility, special category data involved, large number of people affected, data concerning vulnerable individuals, and severity of damage possible. Document your risk assessment for every breach, even when you conclude individual notification is not required.
Notify affected individuals "without undue delay" when high risk is determined
The notification to affected individuals must: describe in clear and plain language the nature of the breach; provide DPO contact details; describe the likely consequences; and describe the measures taken or proposed to address the breach and mitigate its possible adverse effects. Send notifications through the most effective channel available — email if you have email addresses, post if not. Do not use the notification as an opportunity for marketing or to minimize the severity.
Document every breach in an internal breach register, including no-notification decisions
Article 33(5) requires controllers to document all personal data breaches, including those that do not require DPA notification. The breach register must include: the facts of the breach, its effects, and the remedial action taken. This register allows the DPA to verify compliance when it inspects. Maintain breach records for at least five years. Include a cross-reference to the DPA notification reference number where applicable.
Establish a processor-to-controller breach notification process with agreed timeframes
Article 33(2) requires processors to notify the controller "without undue delay" after becoming aware of a breach — typically interpreted as within 24-48 hours to give the controller time to meet the 72-hour DPA notification deadline. Include specific breach notification timeframes in all Article 28 DPAs. If a processor fails to notify you promptly and you miss the 72-hour window as a result, document the processor's delay in your notification to the DPA.
Implement technical monitoring to detect breaches promptly (SIEM, IDS, access anomaly alerts)
The EDPB has stated that organizations should implement technical and organizational measures to enable prompt detection of breaches. Controllers that take weeks to discover a breach that a monitoring system would have caught in hours demonstrate inadequate security under Article 32. Implement at minimum: failed login alerting, unusual access volume monitoring, bulk export detection, and privileged account activity logging. Connect these to a 24/7 response capability.
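The four minimum detections named in this step, shown as an added example that is not part of the original checklist: a Python pass over constructed audit log lines that raises failed-login-burst, unusual-read-volume, bulk-export and privileged-account-activity alerts of the kind a controller would route to its 24/7 response capability. The log line format, field names (user, src, records, role) and all thresholds are assumptions for the example.

```python
"""Breach-detection pass over constructed audit log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# <ISO-8601 UTC timestamp> <EVENT> user=<id> src=<ip> [records=<n>] [role=<role>]
SAMPLE_LOG = """\
2026-04-01T09:00:01Z LOGIN_FAIL user=alice src=203.0.113.7
2026-04-01T09:00:05Z LOGIN_FAIL user=alice src=203.0.113.7
2026-04-01T09:00:09Z LOGIN_FAIL user=bob src=203.0.113.7
2026-04-01T09:00:12Z LOGIN_FAIL user=carol src=203.0.113.7
2026-04-01T09:00:15Z LOGIN_FAIL user=dave src=203.0.113.7
2026-04-01T09:00:19Z LOGIN_FAIL user=erin src=203.0.113.7
2026-04-01T09:30:00Z LOGIN_OK user=alice src=198.51.100.4
2026-04-01T09:31:00Z RECORD_READ user=alice src=198.51.100.4 records=3
2026-04-01T10:00:00Z LOGIN_OK user=frank src=198.51.100.9
2026-04-01T10:05:00Z RECORD_READ user=frank src=198.51.100.9 records=1200
2026-04-01T10:20:00Z EXPORT user=frank src=198.51.100.9 records=25000
2026-04-01T11:00:00Z LOGIN_OK user=root-admin src=198.51.100.2 role=admin
2026-04-01T11:01:00Z RECORD_READ user=root-admin src=198.51.100.2 records=10 role=admin
"""

# Assumed thresholds; a real deployment tunes these to its own baseline.
FAILED_LOGIN_THRESHOLD = 5              # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window
READ_VOLUME_THRESHOLD = 500             # records read per user per log batch
EXPORT_THRESHOLD = 10_000               # records in a single export
PRIVILEGED_ROLES = {"admin"}


def parse_line(line):
    """Parse one log line into a dict; unknown key=value fields are ignored."""
    ts_str, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": fields.get("user"),
        "src": fields.get("src"),
        "records": int(fields.get("records", 0)),
        "role": fields.get("role"),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_failed_login_bursts(events):
    """Sliding window per source IP: N or more failures within the window."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_src[e["src"]].append(e["ts"])
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("FAILED_LOGIN_BURST", src, peak))
    return alerts


def detect_high_read_volume(events):
    """Unusual access volume: total records read per user above threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "RECORD_READ":
            totals[e["user"]] += e["records"]
    return [("HIGH_READ_VOLUME", u, n) for u, n in totals.items()
            if n > READ_VOLUME_THRESHOLD]


def detect_bulk_exports(events):
    """Bulk export: any single EXPORT event at or above the record threshold."""
    return [("BULK_EXPORT", e["user"], e["records"]) for e in events
            if e["event"] == "EXPORT" and e["records"] >= EXPORT_THRESHOLD]


def log_privileged_activity(events):
    """Privileged account activity: every event performed under a privileged role."""
    return [("PRIVILEGED_ACTIVITY", e["user"], e["event"]) for e in events
            if e["role"] in PRIVILEGED_ROLES]


def run_detections(log_text):
    """Run all four detections and return the combined alert list."""
    events = parse_log(log_text)
    return (detect_failed_login_bursts(events) + detect_high_read_volume(events)
            + detect_bulk_exports(events) + log_privileged_activity(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Each alert carries the actor or source and the measured quantity, which is exactly what the triage step later needs to estimate the number of records and data subjects affected; the timestamp of the first alert is also the earliest defensible point for the "awareness" determination.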
Maintain DPA contact information and notification templates ready for immediate use
Under the time pressure of the 72-hour clock, you should not be searching for the DPA portal URL or drafting notification language from scratch. Maintain an up-to-date list of supervisory authority online reporting portals for each jurisdiction in which you operate. Pre-draft notification templates with guidance notes that can be quickly customized. Ensure DPO credentials for DPA portals are current and backed up.
Conduct root cause analysis within 30 days of every breach and implement remediation
Post-breach investigation must identify the root cause (phishing, misdelivery, unauthorized access, unpatched vulnerability, insider threat, etc.) and implement technical and organizational remediation. Document the root cause analysis and retain it. DPAs often request root cause documentation in follow-up inquiries. Companies that can demonstrate systematic remediation receive more favorable treatment than those that treat breaches as isolated incidents.
Update the breach register with final details and close out the incident formally
After the immediate response phase, update the breach register with: the final count of affected data subjects and records, the complete timeline from incident to awareness to notification, copies of all notifications sent (to DPA and individuals), the root cause finding, and the remediation actions taken with completion dates. Formal close-out creates a clean audit trail and documents that the incident was properly managed end-to-end.
Test your breach response program with tabletop exercises at least annually
Theoretical policies are not enough. Run at least one tabletop exercise per year simulating a realistic breach scenario — a ransomware attack encrypting your customer database, an employee accidentally emailing a spreadsheet of customer records to the wrong list, a processor notifying you of unauthorized access at 4pm on a Friday. Measure whether the team can meet the 72-hour clock, identify gaps, and remediate them before a real breach occurs.
Implement controls to prevent common breach types: phishing, misdelivery, and unauthorized access
EDPB and national DPA breach registers consistently identify the same top three breach types: phishing/credential theft, misdirected email (sending personal data to the wrong recipient), and unauthorized access (insider threats and hacked accounts). For phishing: MFA on all email accounts, phishing simulation training. For misdelivery: delayed send, auto-complete restrictions, large-list review gates. For unauthorized access: least-privilege access, quarterly access reviews.
Document the legal basis for any delay in individual breach notification and inform the DPA
Individual notification can be delayed if it would jeopardize an ongoing law enforcement investigation, or if the cost is disproportionate and a public communication is made instead. Both exceptions require documentation. If you delay individual notification, notify the DPA of the delay and the reasons in your Article 33 notification. Do not delay individual notifications for commercial reasons (e.g., protecting brand reputation) — this has been specifically cited in enforcement actions.
Verify that cyber liability insurance coverage includes GDPR notification costs
Breach notification costs — DPA notification, individual notification, legal fees, forensic investigation — are insurable expenses that cyber liability policies typically cover. Review your policy to confirm: notification costs are covered, the coverage limit is adequate for your breach exposure, the insurer has pre-approved the forensic investigators and counsel you plan to use, and the policy definition of "personal data" aligns with GDPR's broad definition. Notify your insurer within required timeframes after discovery.
Frequently Asked Questions
Does every data breach require notification to the supervisory authority?
No. Under Article 33(1), DPA notification is required only for breaches that are likely to result in a risk to the rights and freedoms of natural persons. Breaches that are unlikely to result in any risk — for example, a lost laptop protected by full-disk encryption whose data remains inaccessible — do not require DPA notification, though they must be documented in your breach register under Article 33(5). In practice, most breaches involving unencrypted personal data will meet the "likely risk" threshold.
What happens if we miss the 72-hour notification deadline?
Missing the 72-hour deadline does not automatically result in a fine. Article 33(1) requires notification "without undue delay and, where feasible, not later than 72 hours" — and the same paragraph allows for delayed notification accompanied by the reasons for the delay. If you cannot meet 72 hours, notify as soon as possible and include an explanation of the reasons for the delay. DPAs evaluate whether the delay was reasonable given the circumstances. Systematic late notifications — or deliberate suppression of notifications — receive the harshest treatment.
Are we required to notify data subjects in every breach?
No. Individual notification under Article 34 is required only when the breach is likely to result in HIGH risk to the rights and freedoms of data subjects — a higher threshold than the DPA notification threshold. Individual notification may not be required if: effective technical protection measures (like encryption) were applied to the data such that it is unintelligible to anyone who accessed it; you subsequently took steps to ensure the high risk is no longer likely to materialize; or contacting each individual would involve disproportionate effort, in which case a public communication or equivalent measure may be made instead.