GDPR data breach checklist
When a personal data breach happens, the GDPR clock starts the moment you become aware. This checklist walks through the first 72 hours so nothing critical is missed.
The two deadlines
The GDPR sets two separate breach-notification duties. Know both before anything happens:
- Authority (Article 33): notify the competent supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals.
- Individuals (Article 34): tell affected people without undue delay when the breach is likely to result in a high risk to their rights.
The first 72 hours, step by step
- Contain it. Stop the breach from continuing — revoke access, isolate systems, reset credentials.
- Record the time you became aware. The 72-hour clock starts then, not when the breach occurred.
- Assess scope. What data, how many people, which categories (any special-category data?), and what could happen to those people.
- Decide on notifications. Is a risk likely (authority)? Is a high risk likely (individuals)? Document the reasoning either way.
- Notify the authority within 72 hours if required — even a partial notification on time beats a complete one that is late. Article 33 allows the information to be provided in phases, so send what you know and follow up as the investigation progresses.
- Inform affected individuals in clear language where the high-risk threshold is met.
- Record everything in your internal breach register — facts, effects and remedial action — whether or not you notified.
What to include in an authority notification
- The nature of the breach and, where possible, the categories and approximate number of people and records affected
- The name and contact details of your DPO or other contact point
- The likely consequences of the breach
- The measures taken or proposed to address it and mitigate harm
Where your EU representative fits
The controller makes the notification, but your EU representative is the reachable EU contact point throughout — supervisory authorities and affected individuals can direct enquiries to it, which matters when communications are time-critical. See also data breach handling.
This checklist is general guidance, not legal advice. For a specific incident, involve qualified counsel.
General information, not legal advice. Last updated 2026-05-23.
Need an EU representative?
Usantis is your official EU representative under Article 27 GDPR — €99/month, set up in about ten minutes.