How to Handle a GDPR Data Breach Notification — Step-by-Step
The 72-Hour Clock — What GDPR Requires After a Breach
When a personal data breach occurs, GDPR Article 33 gives you exactly 72 hours to notify your supervisory authority (the Data Protection Authority in the EU country where you are established). This clock starts from the moment you become 'aware' of the breach — not when you finish investigating it.
'Aware' means a reasonable degree of certainty that a security incident has resulted in personal data being compromised. You do not need to know the full scope — but you do need to act.
If the breach is 'unlikely to result in a risk to the rights and freedoms of natural persons,' notification is not required. But this exception is narrow. If customer names, emails, addresses, financial data, or health data were potentially exposed, you must notify. When in doubt, notify — late notification carries heavier fines than over-reporting.
Additionally, under Article 34, if the breach poses a 'high risk' to individuals, you must also notify those individuals directly — not just the DPA. High risk means identity theft potential, financial loss, discrimination, or other significant harm.
Fines for non-notification can reach EUR 10 million or 2% of annual turnover. Multiple businesses have been fined specifically for late notification — even when the breach itself was relatively minor. The regulators view notification compliance as a litmus test for your overall data protection maturity.
Step 1 — Contain the Breach Immediately
Before you worry about notifications, stop the bleeding. The first hours should focus on containment and evidence preservation, in parallel:
Containment actions (do these right now):
- Isolate affected systems — disconnect compromised servers from the network (pull the cable, block them at the firewall, or move them to an isolated VLAN) rather than powering them off. A shutdown destroys volatile forensic evidence such as memory contents, running processes, and active network connections.
- Reset credentials — change passwords and revoke access tokens for any compromised accounts. Force password resets for affected users if customer accounts were breached.
- Block attack vectors — if the breach came through a known vulnerability, patch it. If through a compromised account, disable it. If through a phishing email, block the sender and warn your team.
- Disable affected features — if a form, API endpoint, or integration was the entry point, take it offline until secured.
Evidence preservation (do these simultaneously):
- Capture screenshots and export system logs before making any changes, where possible; containment steps such as credential resets and patching overwrite the state you will later need to explain.
- Document the timeline: when was the breach detected, by whom, and what was the first response?
- Preserve server logs, access logs, and email headers related to the incident.
- If you use a hosting provider, contact their security team immediately — they may have additional logs and can assist with containment.
Assign one person as the incident coordinator. This person manages the timeline, delegates tasks, and ensures nothing falls through the cracks. In a small business, this is usually the owner or CTO.
Step 2 — Assess the Scope and Impact
With the breach contained, you need to answer four questions as quickly as possible. Your DPA notification depends on these answers:
- What data was compromised? Be specific: names, emails, passwords (hashed or plaintext?), addresses, payment info, health data, ID numbers. The type of data determines the risk level.
- How many individuals are affected? Exact number or best estimate. If you cannot determine the exact number within 72 hours, provide an estimate and update later.
- What is the likely impact on those individuals? Could they face identity theft? Fraud? Spam? Embarrassment? Physical danger? This determines whether you must notify individuals directly.
- Was the data encrypted? If compromised data was properly encrypted and the encryption keys were not exposed, the risk to individuals may be low enough to avoid notification requirements.
Risk assessment matrix:
| Data Type | Risk Level | DPA Notification | Individual Notification |
|---|---|---|---|
| Email addresses only | Low-Medium | Usually yes | Usually no |
| Names + emails + addresses | Medium | Yes | Likely yes |
| Payment card data | High | Yes | Yes |
| Passwords (hashed + salted) | Medium | Yes | Yes — advise password change |
| Passwords (plaintext) | Very High | Yes | Yes — urgent |
| Health or biometric data | Very High | Yes | Yes |
| Encrypted data (keys safe) | Low | May be exempt | Usually no |
Document everything as you assess. Your DPA notification must include the nature of the breach, categories and approximate numbers of individuals affected, likely consequences, and measures taken.
Step 3 — Notify the Supervisory Authority
You now have (what remains of) 72 hours to file your notification with the relevant Data Protection Authority. Here is exactly what to include — this follows the structure most DPAs expect:
Required notification content (Article 33(3)):
- Nature of the breach: What happened, what categories of data were affected, and approximate number of data subjects and data records involved.
- DPO or contact point: Name and contact details of your Data Protection Officer or the person handling the response.
- Likely consequences: Your assessment of the probable impact on affected individuals.
- Measures taken: What you have done or propose to do to address the breach and mitigate its effects.
How to submit: Most EU DPAs have online notification forms. Find yours at the EDPB's list of supervisory authorities (edpb.europa.eu). Some accept email notifications, but the online forms ensure you cover all required fields.
If you cannot complete the investigation in 72 hours: Submit what you know with a note that additional information will follow. GDPR explicitly allows phased notifications — it is better to send a partial notification on time than a complete one late.
Multi-country breach: If affected individuals are in multiple EU countries, you notify the DPA in the country of your main establishment. That DPA then coordinates with other affected DPAs through the consistency mechanism. You do not need to file separately in each country.
Keep a copy of everything you submit, including timestamps. Take screenshots of the submission confirmation. This is your proof of timely notification.
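The following triage helper is an added example, not part of the original guide or any DPA's tooling. It encodes the risk matrix from Step 2 and the 72-hour clock from Step 3 so that the notification decision and the deadline are computed once, from the moment of awareness, rather than argued about under pressure. The category names (`email`, `payment_card`, `password_plaintext`, and so on), the numeric risk levels, the `BreachRecord` fields, and the sample timeline are assumptions constructed for the example; adapt them to your own classification scheme.

```python
"""Breach triage helper: risk classification, notification decision and the
Article 33 72-hour deadline. Added example; category names, risk levels and the
record fields are assumptions modelled on the guide's risk matrix."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import List, Optional


class Risk(IntEnum):
    LOW = 0
    LOW_MEDIUM = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# Assumed mapping of compromised data categories to the matrix's risk levels.
CATEGORY_RISK = {
    "email": Risk.LOW_MEDIUM,
    "name": Risk.MEDIUM,
    "postal_address": Risk.MEDIUM,
    "password_hashed_salted": Risk.MEDIUM,
    "payment_card": Risk.HIGH,
    "password_plaintext": Risk.VERY_HIGH,
    "health": Risk.VERY_HIGH,
    "biometric": Risk.VERY_HIGH,
}

DPA_WINDOW = timedelta(hours=72)  # Article 33: 72 hours from awareness


@dataclass
class Assessment:
    risk: Risk
    dpa_required: bool
    individuals_required: bool
    advice: List[str] = field(default_factory=list)


def assess(categories: List[str], encrypted_keys_safe: bool = False) -> Assessment:
    """Classify a breach following the guide's matrix: the overall risk is the
    highest risk of any compromised category; every unencrypted row notifies
    the DPA; individuals are notified from MEDIUM upwards (email-only is not)."""
    unknown = set(categories) - CATEGORY_RISK.keys()
    if unknown:
        raise ValueError(f"unknown data categories: {sorted(unknown)}")
    if encrypted_keys_safe:
        # Matrix row "Encrypted data (keys safe)": low risk, DPA may be exempt,
        # but Article 33(5) still requires an internal record of the breach.
        return Assessment(Risk.LOW, False, False,
                          ["Record the breach internally even if exempt."])
    risk = max((CATEGORY_RISK[c] for c in categories), default=Risk.LOW)
    advice = []
    if "password_hashed_salted" in categories:
        advice.append("Advise affected users to change their password.")
    if "password_plaintext" in categories:
        advice.append("Force a password reset; notify individuals urgently.")
    if "payment_card" in categories:
        advice.append("Tell individuals to monitor their accounts and statements.")
    return Assessment(risk, True, risk >= Risk.MEDIUM, advice)


def parse_utc(iso: str) -> datetime:
    """Parse a naive ISO timestamp such as '2024-01-01T09:00' as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def dpa_deadline(aware_at: datetime) -> datetime:
    """The clock runs from awareness, not from the end of the investigation."""
    return aware_at + DPA_WINDOW


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left to file with the DPA; negative means the deadline has passed."""
    return (dpa_deadline(aware_at) - now) / timedelta(hours=1)


@dataclass
class BreachRecord:
    """Article 33(5) record: facts, effects and remedial action, plus the
    notification timestamp that proves the filing was on time."""
    aware_at: datetime
    facts: str
    categories: List[str]
    approx_subjects: int
    effects: str
    remedial_actions: List[str] = field(default_factory=list)
    dpa_notified_at: Optional[datetime] = None
    phased: bool = False  # True when filed with "further information to follow"

    def dpa_on_time(self) -> bool:
        return (self.dpa_notified_at is not None
                and self.dpa_notified_at <= dpa_deadline(self.aware_at))


if __name__ == "__main__":
    # Constructed sample timeline: awareness on day 1 at 09:00 UTC.
    aware = parse_utc("2024-01-01T09:00")
    result = assess(["name", "email", "postal_address"])
    print(result.risk.name, result.dpa_required, result.individuals_required)
    print("hours left:", hours_remaining(aware, parse_utc("2024-01-02T09:00")))
    rec = BreachRecord(aware, "Exported customer table via misconfigured export job",
                       ["name", "email", "postal_address"], 1200,
                       "Targeted phishing and spam", ["Disabled export job"],
                       dpa_notified_at=parse_utc("2024-01-03T20:00"), phased=True)
    print("DPA notified on time:", rec.dpa_on_time())
```

The `phased` flag captures the guide's point that a partial filing on time beats a complete one late: file, mark the record as phased, and update it when the final numbers are known.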
Step 4 — Notify Affected Individuals (When Required)
If your risk assessment determined that the breach poses a high risk to individuals, you must notify them directly. This notification must be in clear, plain language and include:
- A description of what happened, in terms a non-technical person can understand.
- What specific data of theirs was compromised.
- What you are doing about it.
- What they should do to protect themselves (change passwords, monitor accounts, etc.).
- Your contact details for further questions.
Notification template (adapt to your situation):
Subject: Important Security Notice — Action Required
Dear [Customer Name],
We are writing to inform you of a security incident that may have affected your personal data. On [date], we discovered that [brief description]. The data potentially affected includes [specific data types].
What we have done: [containment measures, investigation, DPA notification]. What you should do: [change password, monitor bank statements, enable 2FA, etc.]. If you have questions: [contact email/phone].
We take the security of your data seriously and are implementing [measures] to prevent similar incidents.
Exceptions to individual notification: You may not need to notify individuals if (a) the data was encrypted, (b) you have taken measures that render the data unintelligible to the attacker, or (c) individual notification would require disproportionate effort — in which case you must make a public communication instead (website notice, press release).
Do not delay individual notification to avoid bad PR. Regulators view delayed notification as an aggravating factor, and the reputational damage is worse when customers learn about a breach from the news rather than from you.
Step 5 — Document, Remediate, and Prevent Recurrence
GDPR Article 33(5) requires you to document every breach — even ones that do not require notification. This documentation must include the facts of the breach, its effects, and the remedial actions taken. The DPA can request this record at any time.
Post-breach documentation should include:
- Complete incident timeline from detection to resolution.
- Root cause analysis — what vulnerability or failure allowed the breach?
- Scope assessment — final numbers on affected individuals and data types.
- All notifications sent (DPA submission, individual communications) with dates.
- Remediation actions taken and their completion dates.
- Preventive measures implemented to avoid recurrence.
Common remediation actions:
- Patching the vulnerability that was exploited.
- Implementing or upgrading monitoring tools to detect similar incidents faster.
- Reviewing and tightening access controls.
- Adding MFA to systems that lacked it.
- Encrypting data that was stored in plaintext.
- Training staff on the specific attack vector (phishing, social engineering, etc.).
Conducting a formal post-mortem meeting within 2 weeks of the incident is essential. Include everyone involved in the response. Focus on systemic improvements rather than blame — the goal is to make a repeat incident significantly harder.
Building a Breach Response Plan Before You Need It
The worst time to figure out your breach response process is during an actual breach. Every business that handles personal data should have a written Incident Response Plan ready to execute. Here is a template structure:
- Roles and responsibilities: Who is the incident coordinator? Who handles technical containment? Who handles DPA communication? Who communicates with affected individuals? Who handles press inquiries?
- Contact list: Internal team members, DPA notification portal URL, legal counsel, IT security provider, hosting provider security contact, cyber insurance provider claim number.
- Classification criteria: How do you determine severity? What thresholds trigger DPA notification vs. individual notification?
- Step-by-step procedures: Containment checklist, assessment checklist, notification templates (DPA and individual), communication templates (internal and external).
- Post-incident procedures: Documentation requirements, post-mortem process, remediation tracking.
Test this plan annually with a tabletop exercise — walk through a hypothetical breach scenario and verify that everyone knows their role. Update the plan whenever you change tools, team members, or systems.
Having a robust incident response plan — and proving you followed it — is one of the strongest mitigating factors when DPAs decide on penalties. Businesses with documented plans and rapid, transparent responses consistently receive lower fines than those caught scrambling. The investment of a few hours in preparation can save you thousands in penalties.
Fastest path
Need one tool for consent, privacy policy, and DSAR handling?
Clym is the strongest fit when you want to get compliant without stitching together three separate tools.
- Best for small teams that need GDPR basics covered quickly
- One implementation instead of separate banner + policy + request workflow
- Useful when you want a practical setup, not an enterprise project
Frequently Asked Questions
Do small businesses really need to comply with GDPR?
Yes. GDPR applies to any business that processes personal data of EU residents, regardless of business size. Fines have been issued to companies with as few as 1-10 employees.
What's the fastest way to make my website GDPR compliant?
The fastest approach is using an all-in-one compliance tool like Clym that handles cookie consent, privacy policy, and data requests in a single integration.
How much do GDPR fines cost for small businesses?
Fines can reach up to 4% of annual turnover or 20 million euros, whichever is higher. In practice, small business fines typically range from 5,000 to 100,000 euros.