GDPR Data Breach Response Template

Step-by-step incident response procedure for personal data breaches, covering the 72-hour supervisory authority notification and individual communication requirements.

Quick Answer

GDPR Article 33 requires notification of personal data breaches to the supervisory authority within 72 hours if there is a risk to individuals, and direct notification to affected individuals if the risk is high — with all breaches documented in an internal register.

Compliance Checklist (8 items)

Detect and contain the breach — isolate affected systems immediately
Assess: nature of data, volume of records, categories of individuals, likely consequences
Determine if the breach is "likely to result in a risk to individuals" — if yes, notify DPA
Notify supervisory authority within 72 hours of becoming aware (Article 33)
If high risk to individuals: notify affected individuals without undue delay (Article 34)
Document all breaches in the internal breach register regardless of notification obligation
Appoint an incident lead and establish communication protocols (legal, PR, exec)
Conduct post-incident review and update security measures to prevent recurrence

Penalty if not compliant

Up to €20 million or 4% of global annual turnover; failure to notify a notifiable breach is itself a separate GDPR violation.

Frequently Asked Questions

What information must be included in a 72-hour breach notification to the DPA?

The notification must include: nature of the breach and approximate number of records/individuals affected, likely consequences, measures taken or proposed to address the breach, and contact details of the DPO or breach lead.

What if I cannot complete the breach notification within 72 hours?

You can submit a partial notification within 72 hours and provide the remaining information in phases "without undue further delay", explaining why the information was not available at the time.

Do accidental internal disclosures count as GDPR breaches?

Yes. Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data is a breach — including sending data to the wrong email recipient or accidental deletion.

Need this turned into a real document?

Our compliance sprint service delivers production-ready documents tailored to your organisation in 5–15 business days. A senior compliance specialist reviews every document before delivery.

Get Expert Help →Browse All Templates

data breachGDPR Article 33breach notification72 hoursincident response