When data is lost, stolen or misused, two things happen at the same moment: a compliance clock starts, and a potential dispute begins. The GDPR gives you 72 hours to notify the supervisory authority of a notifiable personal data breach, and in parallel you may need to act against whoever caused or exploited the incident. Handling both well, under pressure and on a tight timeline, is what protects the business from a bad situation becoming a worse one.
Most organisations discover their breach process is inadequate only once they need it. The difference between a contained incident and a damaging one is usually decided in the first hours, by whether there is a plan, a team and a clear sequence to follow.
The regulatory response is a defined sequence run against the clock. You assess what happened and what data is affected, contain the incident to stop it spreading, and decide whether the breach is notifiable, which turns on the risk to the individuals concerned. If it is, you notify the supervisory authority within 72 hours of becoming aware of it, and you notify affected individuals where the risk to them is high. Every step has to be documented, because the regulator will expect to see not just the notification but the reasoning and the timeline behind it. A breach that is handled and documented well is treated very differently from one that is not.
The compliance obligation is only half the picture. A breach is also frequently a wrong done to you: confidential data taken by a departing employee, a database extracted by a competitor, credentials misused, or a leak exploited by a third party. The enforcement side is about identifying the source, stopping the ongoing harm, and pursuing the responsible party where the loss is serious enough to justify it. This runs in parallel with the compliance response and has to be coordinated with it from the first hour, because steps taken for one purpose, such as preserving evidence, often serve the other.
The single biggest determinant of how a breach goes is whether you prepared for it. A response plan that names the team, sets the decision points, and has notification templates ready turns a chaotic scramble into a controlled process. We put that framework in place before anything goes wrong, so the 72-hour clock is something you are ready for rather than something that catches you out.
Breach response sits in the Enforce stage of our 360 method. It is the enforcement counterpart to the Protect-stage work in DPO as a Service and data and database rights protection, and it shares the enforcement mindset of our online brand enforcement and domain disputes work on the IP side. The background sits in the Knowledge Base on the 72-hour breach countdown and data subject access requests, and the response itself is run through our Breach Response Workflow technology, with a lawyer approving every notification.
We run the breach response end to end: the initial assessment, the notifiability decision, the drafting of the staged notifications, liaison with the supervisory authority, and the enforcement or recovery action against the source of the breach where that is warranted. Where you do not yet have a plan, we build one before you need it.
Not every breach is notifiable. Only a breach that is likely to result in a risk to the rights and freedoms of individuals is notifiable to the supervisory authority, and only a high risk triggers notification of the individuals themselves. Assessing which category a breach falls into, and documenting that assessment, is a core part of the response.
The 72-hour clock runs from the moment you become aware of the breach, not from when it occurred or when you finish investigating it. That is why the early assessment has to move quickly and why a prepared process matters so much.
Action against the source of the breach is often possible. Depending on who caused it, that can mean a claim for breach of confidence, infringement of database rights, breach of contract, or misuse of data, run in parallel with the compliance response. We coordinate the two.
If you do not yet have a response plan, the priority is to build one before an incident, naming the response team, the decision points and the notification templates. It is far cheaper and far less stressful than improvising under a 72-hour deadline.