Data Breach Response Plan
Under the GDPR and UK GDPR, a controller must notify the supervisory authority (the ICO in the UK, the relevant data protection authority in the EU) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A processor has a separate duty to notify its controller without undue delay. This guide covers the four-step response process, what to document, and when to notify affected individuals.
The 72-hour clock
The 72-hour notification window starts when you become aware of the breach, not when it occurred. Under the EDPB's guidance you are "aware" once you have a reasonable degree of certainty that a security incident has compromised personal data; a short initial investigation to establish that is acceptable, but it must not be used to hold back the clock. If you cannot provide full details within 72 hours, you can notify in phases and supply further information as it becomes available. If you notify after 72 hours, the notification must include the reasons for the delay.
Step-by-step response
- Hour 0–1: Contain and assess. Isolate affected systems and revoke compromised credentials, but do not wipe or rebuild anything until logs, disk images and memory have been preserved; that evidence is what lets you establish what was accessed and when. Identify what data was accessed, exfiltrated, altered or destroyed, and estimate the number of individuals affected and the categories of data involved.
- Hour 1–24: Decide on notification. Assess the risk to individuals, taking into account the sensitivity of the data, how easily individuals can be identified, the severity of the likely consequences, and whether the data was protected (for example, encrypted with a key the attacker did not obtain). If a risk to rights and freedoms is likely, prepare the supervisory authority notification. If a high risk is likely, also prepare notifications to the affected individuals.
- Hour 24–72: Notify the supervisory authority. Submit the notification to the ICO (UK) or the relevant EU DPA. Include: the nature of the breach, the categories and approximate number of individuals and of personal data records concerned, the name and contact details of your DPO or another contact point, the likely consequences, and the measures taken or proposed, including any taken to mitigate possible adverse effects.
- Ongoing: Document everything. Whether or not you notify, record every breach in your breach register: the facts, its effects, the remedial action taken and, where you decided not to notify, your reasoning. The supervisory authority can ask to see this register to verify compliance.
When to notify individuals
Individual notification is required when the breach is likely to result in a high risk to the rights and freedoms of individuals. Examples of high-risk breaches: financial data exposed, health data compromised, data of vulnerable individuals affected, identity theft likely. Individual notification is not required if the data was protected by measures such as encryption that render it unintelligible to anyone without the key (and the key was not also compromised), if you have since taken measures that mean the high risk is no longer likely to materialise, or if contacting individuals directly would involve disproportionate effort, in which case an equally effective public communication is used instead. Notifications to individuals must be in clear, plain language; avoid legal jargon. State what happened, what data was affected, the likely consequences, what you are doing to address it, what individuals can do to protect themselves, and how to contact you (normally the DPO).
Build your breach response plan
GeraCompliance includes a breach register template and incident response workflow.