Daan IJsseldijk
Managing Partner
When a breach hits, the first three days decide whether it becomes a manageable incident or a regulatory crisis. Here is the playbook to have ready before you need it.
A personal data breach is not only a cyber-attack. It is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, which includes a lost laptop, a mis-sent email or a misconfigured database. The GDPR's response clock is unforgiving: unless the breach is unlikely to result in a risk to people's rights and freedoms, you must notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it.
Hour 0–4: Contain and assess
Stop the bleeding, preserve evidence and convene your response team. Contain in ways that do not destroy the trail you will need later: isolate or snapshot affected systems and keep their logs rather than wiping and rebuilding them, and revoke exposed credentials. Establish what data is involved, how many people are affected, and what harm could follow.
Hour 4–24: Decide on notification
- Is the breach likely to result in a risk to individuals? Unless you can show it is unlikely to, the authority must be notified.
- Is it likely to result in a high risk? If yes, affected individuals must also be told, without undue delay.
- If you are a processor, notify your controller without undue delay — they hold the reporting duty.
Hour 24–72: Notify and document
Notify the supervisory authority within the 72-hour window. The notification must describe the nature of the breach (including, where possible, the categories and approximate numbers of people and records concerned), give a contact point such as your data protection officer, set out the likely consequences and the measures you have taken or propose to take. A phased notification is allowed if you do not yet have all the facts, and if you miss the 72 hours the notification must explain the reasons for the delay. Crucially, document every breach, even those you decide not to report, and your reasoning. Regulators routinely ask to see that log.
After 72 hours: Learn
Conduct a post-incident review and fix the root cause. A breach handled transparently and followed by genuine remediation is treated very differently from one that was hidden or repeated.
The 72 hours run from awareness, not from when it is convenient. Under the supervisory authorities' guidance you are "aware" once you have a reasonable degree of certainty that a security incident has compromised personal data, which will usually be well before your investigation is complete. The time to write the plan is now, not at 2am during the incident.
We help organisations build and rehearse breach-response plans, and we act as calm counsel when a real incident strikes.
This article is general information, not legal advice. For guidance on your specific situation, please speak to our team.