GDPR Breach Response Checklist — 72-Hour Tool

Phase 1 Hour 0–4: Containment & Triage

Activate Crisis Management Team (CMT) — legal counsel, HR, communications, privacy lead. Not IT alone.

Establish out-of-band communications — move sensitive discussions to Signal, ProtonMail, or equivalent. Assume corporate channels may be compromised.

Verify the incident is real — confirm before escalating. Use severity tiering (Sev 1–4). Rule out false alarms.

Preserve evidence — do NOT wipe, reimage, or “clean up” systems. Isolate from network but keep powered on.

Pause scheduled communications — halt all pre-scheduled social media posts and marketing emails immediately.

Notify insurer — D&O and cyber insurance contacts within first hours. Late notification can void coverage.

Identify lead supervisory authority — determine which DPA has jurisdiction under GDPR one-stop-shop mechanism.

Confirm DPO availability — Art. 33(3)(b) requires DPO name and contact in the notification.

Begin breach documentation — Art. 33(5) requires documenting all breaches: facts, effects, remedial actions. Start now, regardless of whether you notify.

Art. 33(5): “The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.”

Phase 2 Hour 4–24: Scope & Assessment

Determine data categories affected — which types of personal data? Special categories (Art. 9)? Financial data?

Estimate number of data subjects — approximate count for Art. 33(3)(a) notification requirement.

Determine affected jurisdictions — which EU/EEA member states? Cross-border implications?

Assess ongoing vs contained — is the breach still active? Is exfiltration continuing?

Invalidate sessions globally — revoke all session tokens and OAuth grants for affected accounts. Password resets alone are insufficient.

Conduct risk assessment for individuals — Art. 33(1): is the breach “unlikely to result in a risk to the rights and freedoms of natural persons”? Document your assessment and reasoning.

Assess Art. 34 threshold — does the breach pose “high risk” to individuals? If yes, direct notification to individuals is required.

Evaluate technical protection measures — were affected data encrypted or otherwise rendered unintelligible? This may affect Art. 34 obligation.

Draft internal “what we know” memo — brief board and staff before media learns. Prevents rumours and aligns messaging.

Begin preparing Art. 33(3) notification elements — (a) nature of breach, (b) DPO contact, (c) likely consequences, (d) measures taken or proposed.

Phase 3 Hour 24–48: Notification Preparation

Finalise DPA notification — Art. 33(3) requires: nature of breach, categories + approximate numbers of subjects and records, DPO contact, likely consequences, remedial measures.

Prepare phased disclosure if needed — Art. 33(4): information may be provided in phases “without undue further delay” if not all available at once.

Draft Art. 34 individual notifications — clear, plain language describing what happened, what data was affected, and what individuals should do.

Identify DPA filing portal — AP (Netherlands), CNIL (France), BfDI (Germany), ICO (UK), etc. Most have dedicated online breach notification portals.

Assess cross-border filing requirements — one-stop-shop mechanism: file with lead DPA, which coordinates with concerned DPAs.

Prepare holding statement — 100-word public statement: acknowledge event, express concern, designate single contact point. Legal reviews before release.

Processor notification check — if a processor discovered the breach, they must notify the controller “without undue delay” (Art. 33(2)). Confirm this has happened and document the timeline.

Phase 4 Hour 48–72: Execute Notifications

File with supervisory authority — if not within 72 hours, Art. 33(1) requires reasons for the delay. Clock starts at “awareness,” not conclusion of investigation.

Execute individual notifications — if Art. 34 applies. Be direct — people who have been exposed deserve clarity, not corporate hedging.

Document the notification timeline — record exact submission times, confirmation numbers, and any phased disclosures for audit trail.

Issue holding statement if media aware — coordinate with legal. Public statements must not contradict regulatory filing.

Phase 5 Post-72 Hours: Remediation & Review

Update notification as scope evolves — EDPB expects controllers to provide updated information as new details emerge. Plan for scope to expand.

Complete Art. 33(5) documentation — finalise breach record: facts, effects, remedial actions taken. Must enable supervisory authority to verify compliance.

Incident Notes

EU/GDPR Breach Response Checklist

Key Legal References

EU/GDPR Breach Response Checklist

First 4 Hours: Containment and Triage

Hours 4–24: Scope and Assessment

Hours 24–48: Art. 33 Notification Preparation

Hours 48–72: Execute DPA and Individual Notifications

Post-72 Hours: Remediation and Review

Key Legal References

Key Legal References