The 72-Hour Countdown Checklist
Don't panic. Follow this timeline to ensure you meet your Article 33 obligations.
- Confirm it is actually a personal data breach.
- Activate the Incident Response Team.
- Isolate affected systems to stop the leak.
- Start a "Breach Log" to document every decision (crucial for defensibility).
- Determine scope: What data? How many people?
- Perform Risk Assessment (see tool below).
- Consult Legal/DPO: Is notification required?
- Draft notification to DPA if risk is found.
- Submit notification to DPA (Supervisory Authority).
- Prepare communication for affected individuals (if High Risk).
- Update Breach Log with submission receipt.
Risk Assessment Tool
Not every breach needs to be reported. Use this matrix to determine your obligation.
Low Risk
Unlikely to harm individuals.
- ✅ Data is encrypted & key is safe
- ✅ Internal email sent to wrong colleague (and deleted)
- ✅ Lost device is remotely wiped immediately
Document in internal log.
No notification needed.
Risk
Possible harm to individuals.
- ⚠️ Unencrypted email with customer list
- ⚠️ Ransomware (with no exfiltration)
- ⚠️ Accidental publication of non-sensitive data
Notify DPA (Regulator).
No individual notice.
High Risk
Probable severe harm.
- 🚨 Health data / Financial data leaked
- 🚨 Passwords leaked in cleartext
- 🚨 Identity theft highly likely
Notify DPA (Regulator).
Notify Individuals ASAP.
Who is my Lead Supervisory Authority?
Under the "One-Stop-Shop" mechanism, you generally report to the DPA where your "main establishment" (HQ) is located in the EU.
*The UK is no longer in the EU but applies the UK GDPR, which is very similar (report to the ICO).
Need a DPO or Legal Counsel?
GDPR is complex. If you are unsure about your risk level, consult a privacy lawyer immediately. The fines for getting this wrong are massive.