
Data Breach Discovered? Here's Your GDPR Step-by-Step Response Plan
GDPR, Compliance, SMB
Discovered a data breach? Here is what you do now
Your colleague calls: "I accidentally sent a customer list to the wrong email address." Or your IT provider reports that there has been unauthorised access to a server. Or an employee loses a laptop with unencrypted files on it.
These situations feel like a fire drill you never practised for. But with a clear plan, they do not have to turn into chaos.
In this article, we walk through exactly what to do when you discover a data breach. Step by step, according to GDPR.
Want to refresh your understanding of what counts as a data breach first? Read that article before continuing.
What counts as a data breach?
In short: a data breach is any situation where personal data is exposed, lost, altered, or made accessible to someone who should not have had access.
It does not have to be a hack. A few common examples:
- An email with personal data sent to the wrong recipient
- Losing a USB stick with customer files
- An employee who has access to systems that are not relevant to their role
- A ransomware attack that encrypts files
- A cloud folder that was accidentally set to "public"
It does not matter whether it was intentional. If personal data is involved and something goes wrong with its confidentiality, integrity, or availability, it is a data breach.
The 72-hour rule: what GDPR requires
GDPR (Article 33) is very clear on this: if a data breach is likely to result in a risk to the rights and freedoms of individuals, you must report it to the supervisory authority within 72 hours.
Two important points:
- The clock starts at discovery. Not at the moment the breach itself happened. If the breach occurred on Monday but you discovered it on Wednesday, you have until Saturday.
- 72 hours includes weekends. Discover it on Friday afternoon? You have until Monday afternoon. The supervisory authority does not expect you to have all the answers, but they do expect you to file the notification on time.
If you do not have all the information after 72 hours, you can supplement the notification later. But the initial report must be on time.
Step 1: Stop the cause and limit the damage
Before you start reporting, first limit the damage. That is common sense, and the supervisory authority expects it too.
What this looks like in practice depends on the type of incident. For an email sent to the wrong address: ask the recipient to delete the message and get confirmation. For unauthorised access: block the account and change passwords. A lost device? Try to wipe it remotely if possible. For a vulnerability in a system: disable it temporarily or restrict access until it is resolved.
The point: prevent the breach from getting bigger. Do what you can, and write down what you did.
If the data was encrypted, that is good news. Encryption can remove the obligation to notify affected individuals, because the data is unreadable to whoever ends up with it, as long as the encryption key was not exposed along with it.
Step 2: Determine whether you must notify the supervisory authority
Not every data breach needs to be reported to the supervisory authority. The question is: is the breach likely to result in a risk to the rights and freedoms of the affected individuals?
Rules of thumb:
| Situation | Report to authority? |
|-----------|---------------------|
| Email with names sent to wrong colleague, immediately deleted | Probably not |
| Customer list with contact details sent to external party | Probably yes |
| Laptop lost with encrypted hard drive | Probably not (data unreadable) |
| Laptop lost with unencrypted customer data | Yes |
| Ransomware attack on server with personal data | Yes |
| Employee viewed a file they should not have had access to | Depends on the type of data |
When in doubt: report. The supervisory authority prefers a notification that turns out to have been unnecessary over a missed breach.
Step 3: Report to the supervisory authority
You file the notification through the online form on your supervisory authority's website. The form asks for a description of what happened, which personal data was involved (names, addresses, financial data, etc.), how many individuals are affected (an estimate is sufficient), what the possible consequences are, what measures you have taken, and the contact details of your privacy officer or Data Protection Officer.
You do not need to have everything complete in one go. You can supplement the notification later. But the initial report must be filed within 72 hours.
Step 4: Determine whether affected individuals must be informed
After reporting to the supervisory authority, there is a second question: do the individuals whose data was breached need to be informed personally?
That is required when the breach is likely to result in a high risk to them. Think of:
- Financial data that could be misused
- Medical records that have become public
- Login credentials that give access to other services
- National ID numbers or identity documents
Inform affected individuals in plain language. Tell them:
- What happened
- Which data was involved
- What they can do themselves (change passwords, watch out for phishing)
- Where they can go with questions
Step 5: Document everything (even when you do not report)
This is the part that often gets forgotten, but GDPR requires you to document every data breach. Even if you do not report it to the supervisory authority.
Your documentation should include:
- Date and time of discovery
- Description of the incident
- Which data and how many individuals were involved
- Risk assessment (and why you did or did not report)
- Measures taken
- Date of notification to supervisory authority (if applicable)
- Date of notification to affected individuals (if applicable)
You must be able to show this dossier during an audit or inspection. Not reconstructed from memory three weeks later, but recorded immediately while the details are still fresh.
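The 72-hour rule and the Step 5 dossier fit naturally in one small register record. The following is an added example, not code from the original article or from any product it mentions: a constructed Python class whose field names, sample incident and timestamps are all assumptions made for this illustration. It computes the notification deadline from the moment of discovery (plain wall-clock time, so a Friday discovery lands on a Monday deadline), records whether the authority was notified on time, and lists which of the documentation items above are still empty.

```python
# Added example, not part of the original article: a minimal data-breach
# register entry that captures the documentation items listed in Step 5 and
# computes the Article 33 notification deadline from the moment of discovery.
# The class, field names and the sample incident are constructed for this
# illustration; adapt the fields to your own register.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOTIFICATION_WINDOW = timedelta(hours=72)   # Art. 33(1): 72 hours after becoming aware


@dataclass
class BreachRecord:
    discovered_at: datetime                  # when you became aware (not when it happened)
    description: str                         # what happened
    data_categories: List[str]               # e.g. names, addresses, financial data
    affected_count: int                      # an estimate is sufficient
    measures_taken: List[str] = field(default_factory=list)
    risk_assessment: str = ""                # why you did or did not report
    reported_to_authority_at: Optional[datetime] = None
    informed_individuals_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Naive timestamps make deadline arithmetic ambiguous across time zones;
        # insist on timezone-aware values so the 72 hours are unambiguous.
        if self.discovered_at.tzinfo is None:
            raise ValueError("discovered_at must be timezone-aware")

    def notification_deadline(self) -> datetime:
        # Plain wall-clock addition: weekends and holidays are not skipped.
        return self.discovered_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.notification_deadline() - now).total_seconds() / 3600

    def record_authority_notification(self, when: datetime) -> bool:
        """Store the notification time; return whether it met the deadline."""
        self.reported_to_authority_at = when
        return when <= self.notification_deadline()

    def missing_documentation(self) -> List[str]:
        """Items from the Step 5 list that are still empty in this record."""
        missing = []
        if not self.description.strip():
            missing.append("description")
        if not self.data_categories:
            missing.append("data_categories")
        if not self.risk_assessment.strip():
            missing.append("risk_assessment")
        if not self.measures_taken:
            missing.append("measures_taken")
        return missing


# Constructed sample: discovered on a Friday afternoon, reported the next Monday morning.
SAMPLE_DISCOVERY = datetime(2024, 3, 1, 15, 0, tzinfo=timezone.utc)
SAMPLE_REPORT = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)


def example_record() -> BreachRecord:
    # Constructed incident matching the wrong-recipient scenario from the article.
    return BreachRecord(
        discovered_at=SAMPLE_DISCOVERY,
        description="Customer list emailed to an external address by mistake",
        data_categories=["names", "email addresses", "phone numbers"],
        affected_count=120,
        measures_taken=["Asked recipient to delete the message; confirmation received"],
    )


if __name__ == "__main__":
    rec = example_record()
    print("Deadline:", rec.notification_deadline().strftime("%A %Y-%m-%d %H:%M %Z"))
    print("Reported on time:", rec.record_authority_notification(SAMPLE_REPORT))
    print("Still to document:", rec.missing_documentation())
```

Run as a script it prints a Monday deadline for the Friday discovery, confirms the Monday-morning report was on time, and flags that the risk assessment has not been written down yet. Requiring timezone-aware timestamps is deliberate: a register that mixes local times from an IT provider in one country with a colleague's report from another can misplace the deadline by hours.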
How to prepare so this does not become chaos
The best way to handle a data breach well? Be prepared before it happens. A few things you can set up right now:
Create an incident response process. That sounds formal, but it comes down to three questions: who gets called when a breach is discovered? Who assesses whether reporting is needed? And who does the actual reporting? Write this down so nobody has to work it out in the moment.
Keep an incident register. Not just for actual data breaches, but also for near-misses. That helps you spot patterns.
Train your team. It does not need to be a full-day session. Fifteen minutes explaining what a data breach is, and a clear contact point for reporting, is already enough.
And test your process once a year. Walk through a fictional scenario, not as a bureaucratic exercise, but to check whether your process actually works in practice.
Also read: the GDPR checklist for tech SMBs for a broader overview of your compliance baseline.
No panic, but do take action
A data breach is unpleasant. But it does not have to be a disaster if you know what to do. GDPR does not expect perfection. It expects you to be prepared, act quickly, and honestly document what happened.
The biggest mistake companies make is not the data breach itself. It is not having a process to handle it properly.
ComplianceHive helps you keep the basics in order: processing register, vendor management, and GDPR documentation in one overview. Try it free for 30 days.