Viktoria Compliance

This document is a template provided as a starting point for your compliance documentation. It does not constitute legal advice and should be reviewed by a qualified legal professional before use. Viktoria Compliance accepts no liability for the use of this template.

Personal Data Breach Response Procedure

Version 1.0.0 — Last updated 2026-04-21

1. Purpose and Scope

This Personal Data Breach Response Procedure establishes how [companyName] identifies, assesses, contains, and reports personal data breaches in accordance with Articles 33 and 34 GDPR. It applies to all personal data processed by [companyName] and to all employees, contractors, and service providers who handle such data. A personal data breach is defined in Article 4(12) GDPR as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data'. This procedure is effective as of 2026-04-26.

2. Roles and Responsibilities

The following roles are defined for breach response:
Incident Commander: [incidentCommander]. Leads the response, coordinates teams, and makes escalation decisions.
Data Protection Officer: [dpoName] ([dpoEmail]). Assesses risk to data subjects, manages communication with the supervisory authority, and advises on GDPR obligations.
Escalation Contact: [escalationContact]. Available 24/7 to receive breach reports and initiate response.
All employees and contractors are responsible for reporting suspected breaches to the Escalation Contact within one hour of discovery. Failure to report in good faith may result in disciplinary action.

3. Detection and Internal Reporting

Potential breaches may be detected through: (a) automated security monitoring and alerting systems; (b) employee reports; (c) customer, data subject, or third-party notifications; (d) internal or external audit findings; (e) law enforcement or regulator notifications. Any person who becomes aware of a suspected breach must immediately contact [escalationContact] and provide: the time of discovery, the systems or data affected, and any observed indicators of compromise. No remediation action should be taken that may destroy forensic evidence, unless the breach is actively ongoing and containment is urgent.

4. Initial Assessment and Risk Classification

Within four (4) hours of breach confirmation, the Data Protection Officer, together with the Incident Commander, shall assess: (a) the nature of the breach (confidentiality, integrity, availability); (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of personal data records affected; (d) the likely consequences and severity of impact on data subjects; (e) whether special categories of data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR) are involved. The assessment determines whether the breach is likely to result in a risk to data subjects (triggering Article 33 notification) or a high risk (triggering Article 34 communication).

5. Containment and Recovery

Immediate containment actions may include: (a) isolating affected systems from networks; (b) revoking compromised credentials and session tokens; (c) blocking unauthorised access points; (d) recovering or deleting exposed data where feasible; (e) engaging law enforcement or external forensic experts where appropriate. Recovery shall restore affected systems and data from known-clean backups only after the root cause is identified and mitigated. All actions taken during containment are logged with timestamps and the responsible person, for inclusion in the incident record and supervisory authority notification.

6. Investigation and Root Cause Analysis

Following initial containment, a full investigation is conducted to determine: (a) how the breach occurred; (b) whether the breach was malicious, accidental, or due to a systemic vulnerability; (c) the full scope of data and systems affected; (d) any remaining risk to data subjects; (e) any regulatory or contractual obligations triggered beyond the GDPR. Evidence is preserved using forensically sound methods where criminal activity is suspected or likely. The root cause analysis identifies technical, organisational, or human factors and informs the remediation plan. External expertise is engaged where the complexity or impact exceeds internal capability.

7. Notification to the Supervisory Authority (Article 33 GDPR)

Where a breach is likely to result in a risk to the rights and freedoms of natural persons, the Data Protection Officer shall notify the competent supervisory authority ([supervisoryAuthority]) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification shall describe: (a) the nature of the breach, categories and approximate number of data subjects and records concerned; (b) the name and contact details of the Data Protection Officer or other point of contact; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and mitigate its effects. If notification cannot be made within 72 hours, the reasons for the delay shall be communicated alongside the notification, and information may be provided in phases.

8. Communication to Data Subjects (Article 34 GDPR)

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, [companyName] shall communicate the breach to the affected data subjects without undue delay. The communication shall be written in clear and plain language and include: (a) the nature of the breach; (b) the name and contact details of the Data Protection Officer; (c) the likely consequences; (d) the measures taken or proposed to mitigate the effects; (e) recommended steps data subjects can take to protect themselves. Individual communication is not required if: (i) appropriate technical measures (such as strong encryption) render the data unintelligible; (ii) subsequent measures have eliminated the high risk; or (iii) individual communication would involve disproportionate effort, in which case a public communication or equivalent equally effective measure shall be made.

9. Documentation and Record-keeping (Article 33(5) GDPR)

All personal data breaches, including those not notifiable to the supervisory authority, are recorded in the breach register maintained at [breachRegisterLocation]. Each record includes: (a) the facts relating to the breach; (b) its effects; (c) the remedial action taken; (d) the rationale for notification or non-notification decisions; (e) copies of notifications sent to the supervisory authority and data subjects. The breach register is retained for a minimum of five (5) years and made available to the supervisory authority on request. Records of breaches inform ongoing security risk assessments and are reviewed during annual compliance reviews.

10. Post-incident Review and Continuous Improvement

Within thirty (30) days of closing an incident, the Incident Commander and Data Protection Officer conduct a post-incident review covering: (a) effectiveness of detection and response; (b) adequacy of containment actions; (c) compliance with notification deadlines; (d) quality of internal and external communications; (e) remediation of root causes; (f) proposed updates to this procedure, training materials, or technical controls. Findings are shared with relevant stakeholders and incorporated into the next review cycle of [companyName]'s security and privacy programme. This procedure is reviewed at least annually and updated as required by evolving threats, regulatory guidance, or organisational change.