EU/GDPR Breach Response Checklist

A structured 72-hour checklist for GDPR-regulated organisations. Work through it on screen during an incident, or print it empty for your incident response binder. Based on GDPR Articles 33 and 34, EDPB Guidelines on breach notification, and operational best practice.

Last updated: April 2026
Jurisdiction: EU / EEA / GDPR
See also: US Checklist

Phase 1 (Hours 0–4): Containment and Triage
Art. 33(5): “The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.”

Phase 2 (Hours 4–24): Scope and Assessment

Phase 3 (Hours 24–48): Art. 33 Notification Preparation

Phase 4 (Hours 48–72): Execute DPA and Individual Notifications

Phase 5 (Post-72 Hours): Remediation and Review

GDPR breach notification — FAQ

Do I have to report a data breach within 72 hours under GDPR?

Yes. Article 33 requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. The clock starts at awareness, not at full investigation. If you cannot provide every detail within 72 hours, you may notify in phases, but the initial notification should still be made on time with the information available.

When is a data breach reportable to the supervisory authority?

A breach must be reported when it is likely to result in a risk to the rights and freedoms of individuals. Only breaches unlikely to pose any such risk are exempt, and that risk assessment must be documented either way. A breach of strongly encrypted data where the key was not compromised may not require notification, but the reasoning must be recorded.

When must I notify the affected individuals, not just the regulator?

Article 34 requires notifying affected data subjects when the breach is likely to result in a high risk to their rights and freedoms, a higher threshold than regulator notification. The communication must be in clear, plain language and describe the likely consequences and the measures taken. Direct notice can be avoided where the data was encrypted, where the risk has since been neutralised, or where individual contact would involve disproportionate effort, in which case a public communication is used instead.

What information must a GDPR breach notification contain?

Article 33(3) requires the nature of the breach, including the categories and approximate number of individuals and records affected; the contact point for more information; the likely consequences; and the measures taken or proposed to address the breach and mitigate harm. Where the information is not all available at once, it may be provided in phases without undue further delay.

What happens if I miss the 72-hour deadline?

Notification after 72 hours is still required, but it must be accompanied by reasons for the delay. A late or missing notification is itself a compliance failure a supervisory authority can act on, separately from the breach. Documenting why a deadline was missed is part of demonstrating accountability under Article 5(2).

This checklist is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for your specific situation. Your checklist data is stored locally in your browser and is never transmitted to our servers.
