11.4 Incident Response & Breach Notification

Module 11: Privacy for Organizations & Developers

Covers what constitutes a data breach under GDPR Art. 4(12), the 72-hour DPA notification requirement, when data subjects must be notified, and a practical incident response workflow.

When a data breach happens — and in organisations of any scale, it is a matter of when, not if — the difference between a manageable incident and a catastrophic one often comes down to the quality of the response. Knowing what the law requires, and having a plan ready before an incident occurs, is not optional: it is a legal obligation under GDPR.

What is a data breach?

GDPR Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Three types of breach flow from this definition:

  • Confidentiality breach — Unauthorised access to or disclosure of personal data (e.g. an employee emailing customer records to the wrong recipient).
  • Integrity breach — Unauthorised or accidental alteration of personal data.
  • Availability breach — Accidental or unlawful destruction of or loss of access to personal data (e.g. ransomware encrypting medical records).

The 72-hour notification requirement

GDPR Article 33 requires controllers to notify their competent supervisory authority (DPA) of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If notification is sent after 72 hours, the reasons for the delay must be provided.

The notification must include: the nature of the breach (including categories and approximate number of data subjects and records affected); contact details of the Data Protection Officer or other contact point; the likely consequences of the breach; and the measures taken or proposed to address it.

When must data subjects also be notified?

GDPR Article 34 requires direct notification to affected individuals when a breach is "likely to result in a high risk to the rights and freedoms of natural persons." High risk includes exposure of sensitive data (health, financial, biometric), large-scale breaches, or breaches affecting vulnerable populations. If the data was effectively protected by encryption and the key was not compromised, notification to individuals may not be required.

A practical incident response workflow

  1. Detect — Identify the breach through monitoring, alerts, or reports. Document the time of discovery.
  2. Contain — Immediately limit the spread: revoke compromised credentials, isolate affected systems, stop ongoing exfiltration.
  3. Assess — Determine what data was affected, how many people are involved, and whether there is likely high risk to individuals.
  4. Notify — Report to the DPA within 72 hours of awareness. Notify affected individuals if high risk is established.
  5. Remediate — Fix the underlying vulnerability, restore affected systems, and recover from backup where needed.
  6. Learn — Conduct a post-incident review. Update incident response plans, security controls, and staff training based on what was learned.
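As an added example (not part of the course material), here is a small Python breach-register helper that encodes the Art. 33 and Art. 34 decisions described above: it maps the affected security properties onto the three Art. 4(12) breach types, computes the 72-hour DPA deadline from the time of awareness, flags when reasons for delay must accompany a late filing, and applies the encryption exemption to the individual-notification decision. The LARGE_SCALE threshold and the sample incident in demo() are assumptions; the GDPR sets no numeric "large scale" figure.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

DPA_WINDOW = timedelta(hours=72)  # GDPR Art. 33(1)
SPECIAL_DATA = {"health", "financial", "biometric"}  # high-risk categories named in the text
LARGE_SCALE = 10_000  # assumed threshold; the GDPR itself sets no number

@dataclass
class BreachRecord:
    """One breach-register entry, filled in during the Detect and Assess steps."""
    aware_at: datetime            # when the controller became aware; the 72-hour clock starts here
    confidentiality: bool         # unauthorised access or disclosure
    integrity: bool               # unauthorised or accidental alteration
    availability: bool            # destruction or loss of access
    data_categories: frozenset    # e.g. {"health", "email"}
    subjects_affected: int
    encrypted_key_safe: bool = False   # encrypted, and the key was not compromised
    vulnerable_subjects: bool = False  # e.g. children or patients

    def breach_types(self) -> list:
        """Map the affected security properties to the three breach types of Art. 4(12)."""
        flags = [("confidentiality", self.confidentiality), ("integrity", self.integrity),
                 ("availability", self.availability)]
        return [name for name, hit in flags if hit]

    def high_risk(self) -> bool:
        """Art. 34 trigger: sensitive data, large scale, or a vulnerable population."""
        return (bool(self.data_categories & SPECIAL_DATA)
                or self.subjects_affected >= LARGE_SCALE or self.vulnerable_subjects)

    def must_notify_individuals(self) -> bool:
        """Effective encryption with an uncompromised key lifts the Art. 34 duty."""
        return self.high_risk() and not self.encrypted_key_safe

def triage(record: BreachRecord, now: datetime) -> dict:
    """Decisions for the Notify step: DPA deadline, delay reasons, individual notification."""
    deadline = record.aware_at + DPA_WINDOW
    return {"breach_types": record.breach_types(), "dpa_deadline": deadline,
            "hours_remaining": max(0.0, (deadline - now).total_seconds() / 3600),
            "delay_reasons_required": now > deadline,  # Art. 33(1): late filing needs reasons
            "notify_individuals": record.must_notify_individuals()}

def demo() -> dict:
    """Constructed sample: health records emailed to the wrong recipient, triaged 24 h later."""
    aware = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(aware, True, False, False, frozenset({"health", "email"}), 250)
    sealed = replace(rec, encrypted_key_safe=True)  # same incident, but ciphertext only
    return {"plain": triage(rec, aware + timedelta(hours=24)),
            "sealed": triage(sealed, aware + timedelta(hours=24)),
            "late": triage(rec, aware + timedelta(hours=80))}
```

The "late" entry shows the Art. 33 consequence of missing the window: the deadline does not move, so the filing must carry reasons for the delay.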

The cost of delayed notification

Delaying notification compounds penalties. Under GDPR, an Art. 33 violation for failing to notify within 72 hours can attract fines up to €10 million or 2% of global annual turnover, whichever is higher. Combined with Art. 83(5) fines for the underlying security failures, a poorly managed breach can quickly reach eight figures.

Breach notification in the United States

The US has no single federal breach notification law, but all 50 states have enacted their own. California's SB-1386, enacted in 2003, was the first — it required notification to California residents when their unencrypted personal information was accessed by unauthorised parties. State laws vary significantly in scope, timelines, and exemptions. Federal sector-specific laws (HIPAA for health data, GLBA for financial data) have their own notification requirements.

Your takeaway

Incident response preparedness is not just good security practice — it is a legal obligation. Organisations that invest in detection capabilities, a documented response plan, and clear DPA communication channels are far better positioned to meet the 72-hour window than those who improvise under pressure.
