
How to Respond to a Data Breach Under GDPR

Updated 27 May 2026

A data breach under GDPR triggers a strict 72-hour notification requirement to your supervisory authority, and potentially a notification obligation to affected individuals. Most companies know the 72-hour rule. Few have a documented breach response procedure ready before the breach happens.

This article covers what constitutes a breach, what the notification requirements are, and the step-by-step response process.


What Is a Personal Data Breach?

GDPR Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

This covers:

  • Confidentiality breaches: Unauthorised access or disclosure — a hacker gaining access to a database, an email sent to the wrong person, a file shared incorrectly
  • Integrity breaches: Unauthorised or accidental alteration of personal data
  • Availability breaches: Loss of access to personal data — ransomware encryption, accidental deletion, hardware failure

It does not require malicious intent. An employee accidentally emailing a spreadsheet of customer data to the wrong address is a breach. A misconfigured S3 bucket exposing data is a breach.


The Decision Tree: Do You Need to Notify?

Not every breach requires notification. GDPR Article 33 requires supervisory authority notification unless "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

Work through this decision tree:

Step 1: Has a breach occurred? A security event has led to accidental or unlawful access, disclosure, loss, or destruction of personal data. If yes → proceed.

Step 2: Is there any risk to individuals? Could the breach cause any harm to the individuals whose data was involved? Harm includes: identity theft, financial loss, discrimination, reputational damage, physical harm, loss of confidentiality.

If no risk: Document the breach internally (Article 33(5) requires this for every breach), but no notification is required.

Step 3: Is the risk likely to be high? Consider:

  • Type of data (health data, financial data, and other special category data almost always mean high risk)
  • Number of individuals affected
  • Severity of likely consequences
  • Whether the data enables identity theft or financial fraud
  • Whether vulnerable populations (children, elderly) are affected

If low to medium risk: Notify the supervisory authority within 72 hours, but individual notification may not be required.

If high risk: Notify the supervisory authority within 72 hours AND notify affected individuals "without undue delay."


Step-by-Step Breach Response

Hours 1–4: Contain the Breach

  • Stop the bleeding: Revoke compromised credentials, disable vulnerable endpoints, isolate affected systems
  • Preserve evidence: Do not delete or rotate logs, and capture forensic images of affected systems before rebuilding them. Preservation matters for both the internal investigation and the regulatory response
  • Assemble the response team: Incident lead, legal/DPO, IT security, communications

Hours 4–24: Assess and Investigate

  • What data was involved? Determine the categories of personal data affected
  • How many individuals? Estimate the number of people affected
  • How did it happen? Root cause analysis begins
  • Who had access? Identify who may have seen or obtained the data
  • Can the breach be contained? Assess whether the exposed data can be recovered or access can be blocked

Document all findings as you go. The documentation will be needed for the supervisory authority notification.

Hours 24–48: Risk Assessment

Conduct a structured risk assessment covering:

  • Likelihood that the breach leads to harm
  • Severity of potential harm
  • Specific risks for affected individuals (identity theft, financial fraud, discrimination)
  • Any mitigating factors (encryption rendered data unreadable, breach quickly contained)

This risk assessment drives the notification decision.

Hours 48–72: Notification Decision and Execution

Supervisory authority notification (Article 33): Notify your lead supervisory authority within 72 hours of becoming aware of the breach. The notification must include:

  • Nature of the breach
  • Categories and approximate number of individuals affected
  • Categories and approximate number of records affected
  • DPO contact details
  • Likely consequences
  • Measures taken or proposed

If you cannot include all of this information within 72 hours, notify what you know and provide the rest in a follow-up notification as soon as possible; Article 33(4) expressly permits this phased notification.

Individual notification (Article 34): Required where the breach is likely to result in high risk. Must:

  • Be in clear and plain language
  • Describe the nature of the breach
  • Provide DPO or contact person details
  • Explain likely consequences
  • Describe the measures taken

Do not give generic breach notifications — be specific about what data was involved and what the individual should do to protect themselves.


Documenting the Breach

Article 33(5) requires all breaches to be documented, even those that do not require notification. The documentation must cover:

  • Date and time of breach (and of discovery)
  • Nature of the breach
  • Data involved
  • Risk assessment
  • Response actions taken
  • Notification decisions and rationale

This documentation forms part of your accountability evidence. Keep it for at least 3–5 years.
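The decision tree from "Do You Need to Notify?" and the Article 33(5) record above, as an added Python example that is not part of the original article. The category names, the boolean risk factors, and the treatment of unreadable (encrypted) data as ruling out high risk are assumptions; the "number of individuals" factor is left to the assessor's judgment rather than a fixed threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Risk(Enum):
    NONE = "no risk"
    LOW_MEDIUM = "low to medium"
    HIGH = "high"

# Constructed category names mirroring the article's "almost always high risk" examples.
HIGH_RISK_CATEGORIES = {"health", "financial", "special_category"}

@dataclass
class BreachFacts:
    aware_at: datetime              # when the controller became aware: starts the 72h clock
    data_categories: set            # e.g. {"email", "health"}; category names are constructed
    harm_possible: bool             # Step 2: could the breach cause any harm at all?
    enables_fraud: bool = False     # identity theft / financial fraud factor
    vulnerable_groups: bool = False # children, elderly
    large_scale: bool = False       # "number of individuals" factor; threshold is the assessor's call
    data_unreadable: bool = False   # mitigating factor, e.g. strong encryption with key not exposed

def assess_risk(f: BreachFacts) -> Risk:
    """Steps 2 and 3 of the article's decision tree."""
    if not f.harm_possible:
        return Risk.NONE
    if f.data_unreadable:           # assumption: this mitigating factor rules out high risk
        return Risk.LOW_MEDIUM
    high = (bool(f.data_categories & HIGH_RISK_CATEGORIES) or f.enables_fraud
            or f.vulnerable_groups or f.large_scale)
    return Risk.HIGH if high else Risk.LOW_MEDIUM

def obligations(f: BreachFacts) -> dict:
    """Who must be notified, by when, and what is documented regardless."""
    risk = assess_risk(f)
    notify_sa = risk is not Risk.NONE
    return {
        "risk": risk.value,
        "notify_authority": notify_sa,                       # Article 33
        "authority_deadline": f.aware_at + timedelta(hours=72) if notify_sa else None,
        "notify_individuals": risk is Risk.HIGH,             # Article 34: high risk only
        "document_internally": True,                         # Article 33(5): every breach
    }

def breach_record(f: BreachFacts, nature: str, actions: list) -> dict:
    """Article 33(5) record: facts, data involved, risk, actions and the decision rationale."""
    o = obligations(f)
    return {"aware_at": f.aware_at.isoformat(), "nature": nature,
            "data_involved": sorted(f.data_categories), "risk": o["risk"],
            "actions": list(actions), "decision": o}
```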


Common Breach Response Failures

Not notifying within 72 hours. The clock starts when you become "aware" of the breach — not when you complete the investigation. Notify with what you know, supplement later. If you do miss the deadline, Article 33(1) requires the notification to state the reasons for the delay.

Underestimating breach scope. Initial assessments often undercount affected individuals. Be conservative in your estimates; under-disclosing is more costly than an over-inclusive notification.

No individual notification when required. Companies frequently notify regulators but fail to notify affected individuals when the risk is high enough to require it.

No post-breach review. The breach response must end with a review: what controls failed, what changes are needed. Document the lesson learned.
