Breach Notification Process
Guides compliance with GDPR breach notification requirements under Articles 33 (supervisory authority) and 34 (data subjects).
Arguments
$1 - Breach severity (optional: low, moderate, high, critical)
$2 - Process phase (optional: detection, assessment, notification, documentation)
Definition of Personal Data Breach
Article 4(12): "A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."
Three Types of Breach
-
Confidentiality Breach
- Unauthorized or accidental disclosure
- Unauthorized access
- Examples: Hacking, lost laptop, email to wrong recipient
-
Integrity Breach
- Unauthorized or accidental alteration
- Data corruption or modification
- Examples: Ransomware, database manipulation, accidental deletion
-
Availability Breach
- Accidental or unauthorized loss of access
- Destruction of data
- Examples: Ransomware, DDoS, system failure, natural disaster
Note: A single incident can involve multiple breach types
The 72-Hour Rule (Article 33)
Notification to Supervisory Authority
Obligation:
- Notify supervisory authority without undue delay
- Within 72 hours of becoming aware (where feasible)
- If >72 hours, must explain delay
"Becoming Aware":
- When reasonable degree of certainty breach occurred
- Not when initially suspected
- Clock starts when controller has information to conclude breach likely
- Ongoing investigation does not pause clock
When Notification NOT Required
Exception (Article 33(1)):
- Breach is unlikely to result in a risk to rights and freedoms of individuals
Risk Assessment Factors:
- Type and volume of data
- Ease of identification
- Severity and likelihood of consequences
- Special characteristics of data subject (vulnerable individuals)
- Special characteristics of controller (healthcare, financial)
- Number of affected individuals
Notification Content (Article 33(3))
Minimum Required Information:
-
Nature of breach
- Categories of data subjects affected
- Approximate number of data subjects
- Categories of personal data records
- Approximate number of records
-
Contact point
- Name and contact details of DPO or other contact
- Where more information can be obtained
-
Likely consequences
- Describe likely consequences of breach
- Potential adverse effects on individuals
-
Measures taken/proposed
- Measures taken to address breach
- Measures to mitigate adverse effects
- Remediation steps
Phased Notification
Article 33(4): If information not available within 72 hours:
- Provide initial notification with available information
- Provide additional information in phases "without undue further delay"
- Explain reasons for delay
Typical Phased Approach:
- Initial (<72h): Breach type, approximate scope, contact point
- Update 1 (1-2 weeks): Confirmed numbers, detailed consequences
- Final (ongoing): Remediation complete, lessons learned
Notification to Data Subjects (Article 34)
When Required
Mandatory notification if:
- Breach likely to result in high risk to rights and freedoms
High Risk Factors:
- Special category data (health, biometric, racial, etc.)
- Financial data (credit cards, bank details)
- Credentials (passwords, especially if not hashed)
- Large-scale breach
- Vulnerable data subjects (children)
- Significant adverse effects (discrimination, identity theft, financial loss, reputational damage)
Notification Content
Communicate in clear and plain language:
- Nature of breach: What happened
- Contact point: DPO or contact for more information
- Likely consequences: Potential impacts on individuals
- Measures taken/proposed: Steps to mitigate
- Recommended actions: What individuals should do (change passwords, monitor accounts, etc.)
Timing
- Without undue delay
- No specific deadline (unlike 72-hour rule for authority)
- As soon as possible after discovery
- May notify authority first to seek guidance
When Notification NOT Required
Exceptions (Article 34(3)):
-
Appropriate safeguards applied (Article 34(3)(a))
- Encryption or pseudonymization rendered data unintelligible
- Example: Stolen encrypted laptop with strong encryption
-
Subsequent measures taken (Article 34(3)(b))
- Controller took measures ensuring high risk no longer likely
- Example: Deleted data before unauthorized party accessed it
-
Disproportionate effort (Article 34(3)(c))
- Public communication or similar measure
- Equally effective
- Example: Cannot identify/contact affected individuals, public notice instead
Methods of Communication
Direct Individual Notification:
- Email (preferred if available)
- Mail (postal)
- Phone
- SMS
- In-app notification
Public Communication (if disproportionate):
- Press release
- Website notice (prominent)
- Social media
- Paid advertising
Breach Response Process
Phase 1: Detection and Containment (Hours 0-4)
Immediate Actions:
- Detect and verify breach occurred
- Contain breach (stop ongoing unauthorized access)
- Preserve evidence (logs, forensic data)
- Assemble response team (IT, security, legal, DPO, communications)
- Initial assessment of scope and severity
Key Questions:
- What happened?
- When did it occur?
- Is it ongoing?
- What systems/data affected?
- How many individuals potentially affected?
Phase 2: Assessment (Hours 4-24)
Detailed Investigation:
- Root cause analysis: How did breach occur?
- Scope determination: What data accessed/lost/altered?
- Impact assessment: What are consequences for individuals?
- Risk assessment: Likelihood and severity of adverse effects
- Count affected individuals: Exact or approximate numbers
- Identify data categories: Personal data, special categories, credentials
Risk Assessment:
- Low: Minimal impact, unlikely adverse effects
- Moderate: Some potential for harm
- High: Significant adverse effects likely
- Critical: Severe consequences (special categories, credentials, large scale)
Phase 3: Notification Decision (Hours 24-48)
Determine Notification Obligations:
Supervisory Authority (Article 33):
- Is risk unlikely? → No notification required
- Is risk possible/likely? → Notification required (<72h)
Data Subjects (Article 34):
- Is risk high? → Notification required (without undue delay)
- Are exceptions applicable? → May not be required
Consult DPO:
- DPO must be involved in breach response
- Seek advice on notification decisions
- Document DPO recommendations
Phase 4: Notification (Hours 48-72)
To Supervisory Authority (if required):
- Prepare notification with Article 33(3) content
- Submit to lead supervisory authority
- Online portal (if available)
- Email or designated contact
- Specify if phased notification planned
- Confirm receipt and note case reference
- Cooperate with authority investigation
To Data Subjects (if required):
- Prepare communications in clear language
- Identify affected individuals and contact methods
- Coordinate messaging (avoid panic, provide guidance)
- Send notifications via appropriate channels
- Set up helpline/FAQ for inquiries
- Monitor for questions and concerns
Phase 5: Remediation (Ongoing)
Immediate Remediation:
- Close security gaps that caused breach
- Reset credentials if compromised
- Restore data from backups if lost
- Implement additional safeguards
Short-Term Actions:
- Monitoring for signs of data misuse
- Support for affected individuals (credit monitoring, ID theft services)
- Updates to authority and individuals as investigation progresses
Long-Term Actions:
- Root cause remediation (fix underlying issues)
- Policy/procedure updates (prevent recurrence)
- Staff training (address human factors)
- Security improvements (defense in depth)
- Lessons learned exercise
Phase 6: Documentation (Ongoing)
Record of Breach (Article 33(5)):
- Document all breaches (even those not notified)
- Facts of breach
- Effects of breach
- Remedial action taken
Purpose:
- Demonstrate compliance
- Supervisory authority can verify compliance
- Learn from incidents
Breach Register Should Include:
- Date/time of breach
- Date/time became aware
- Description of breach (type, cause)
- Categories and volume of data
- Number of individuals affected
- Consequences and likely adverse effects
- Measures taken to address breach
- Whether authority notified (date, reference)
- Whether individuals notified (date, method)
- Reasoning if not notified
- Communications and decisions
- DPO involvement
- Lessons learned and preventive measures
Special Considerations
Processor Breaches (Article 33(2))
Processor obligations:
- Notify controller without undue delay after becoming aware
- No specific timeframe (unlike controller's 72 hours)
- Controller then has notification obligations
Processor should provide:
- Detailed breach information
- Affected clients/controllers
- Scope and impact assessment
- Remediation steps
Data Processing Agreement should specify:
- Breach notification procedures
- Timeframes (recommend <24 hours)
- Information to be provided
- Cooperation with controller
Cross-Border Breaches
Lead Supervisory Authority (Article 56):
- Notify lead authority (main establishment)
- Lead authority coordinates with other concerned authorities
- One-stop-shop mechanism
Concerned Authorities:
- Lead authority may inform other authorities
- Cooperation through mutual assistance
- Consistent approach across Member States
Third-Country Transfers
Breach involving data transferred outside EU:
- Same notification requirements apply
- Complexity in identifying individuals
- May need to notify multiple authorities
- Consider local breach notification laws (e.g., US state laws)
Ransomware
Unique considerations:
- Availability breach (minimum)
- Likely confidentiality breach (assume data exfiltrated)
- Do NOT pay ransom before assessment
- Notify authority even if ransom paid
- Cannot assume data not accessed/disclosed
Supervisory Authority Responses
Possible Actions:
- Request additional information
- Investigation/audit
- Corrective measures (improve security, notify individuals)
- Warnings or reprimands
- Temporary/permanent processing ban
- Administrative fines
Cooperation:
- Respond promptly to authority requests
- Provide requested evidence
- Implement recommended measures
- Maintain open communication
Penalties for Non-Compliance
Failure to notify (Article 83):
- Up to €10M or 2% of global annual turnover (whichever higher)
- Factors: Intentional or negligent, cooperation, previous infringements
Related violations (higher fines):
- Up to €20M or 4% if breach caused by failure to implement security (Article 32)
Breach Notification Tools
Breach Assessment Questionnaire
- What type of breach occurred? (confidentiality, integrity, availability)
- What personal data categories affected?
- Any special category data?
- How many individuals affected?
- What are potential consequences for individuals?
- What safeguards were in place? (encryption, etc.)
- What immediate actions taken?
- Can breach be contained?
Risk Matrix
| Data Type | Volume | Safeguards | Risk Level | Notify Authority? | Notify Individuals? |
|---|
| Contact info | <100 | None | Low | No | No |
| Contact info | >1000 | None | Moderate | Yes | No |
| Financial | Any | None | High | Yes | Yes |
| Health/Biometric | Any | None | Critical | Yes | Yes |
| Any | Any | Encrypted | Low | Assess | Likely No |
Notification Timeline Template
| Milestone | Deadline | Responsible | Status |
|---|
| Breach detected | T+0 | IT/Security | |
| Response team assembled | T+2h | Incident Manager | |
| Scope assessed | T+24h | Investigation Team | |
| Notification decision | T+48h | DPO + Legal | |
| Authority notification | T+72h | DPO | |
| Individual notification | T+96h | Communications | |
| Initial remediation | T+1 week | IT/Security | |
Examples
# Guide breach response for critical severity breach
/gdpr:breach-process critical
# Assess notification requirements for moderate breach
/gdpr:breach-process moderate assessment
# Document breach that has been detected
/gdpr:breach-process high detection
# Prepare notifications for high-risk breach
/gdpr:breach-process high notification
# Review overall breach response procedures
/gdpr:breach-process
# Low severity breach documentation
/gdpr:breach-process low documentation
Common Mistakes to Avoid
- Waiting for complete information: Notify within 72h even if incomplete, update later
- Delaying while investigating: Clock starts when "becoming aware" (reasonable certainty)
- Not documenting non-notified breaches: Article 33(5) requires all breaches documented
- Generic notifications: Be specific about breach, consequences, actions
- Not involving DPO: DPO must advise on breach response
- Ignoring processor breaches: Processors must notify controllers promptly
- No breach response plan: Plan and test breach procedures in advance
- Focusing only on notification: Remediation and prevention equally important
- Not training staff: Employees must know how to recognize and report breaches
- Underestimating risk: When in doubt, notify (better safe than fined)
Breach Preparedness
Incident Response Plan
Include:
- Breach definition and examples
- Reporting procedures (internal)
- Response team roles (IT, security, legal, DPO, communications, management)
- Containment procedures
- Investigation checklists
- Assessment criteria (risk levels)
- Notification decision trees
- Communication templates
- Contact lists (supervisory authority, affected parties, vendors)
- Escalation procedures
- Training and testing schedule
Regular Testing
Exercises:
- Tabletop exercises (quarterly)
- Simulated breaches (annually)
- Update procedures based on lessons learned
- Test notification procedures (without sending)
- Validate contact lists
Staff Training
All Staff:
- Recognize and report potential breaches
- Don't delay reporting
- Preserve evidence
Response Team:
- Detailed procedures
- Roles and responsibilities
- Tools and systems
- Communication protocols
- Legal obligations
Management:
- Oversight and approval
- Resource allocation
- Authority engagement
- Public communications