How to Respond to a Data Breach – A DPO Guide

Responding to a data breach requires swift, structured action to minimise harm and ensure compliance. We asked Certified Data Protection Officer Fiona Kiely to outline the key steps an EU-based organisation should take when a personal data breach occurs. Here's her guidance.

Eight Critical Steps in Data Breach Response

When you discover a security incident that could involve a personal data breach, consider these eight essential steps. Whilst we've presented them in sequence, the initial response phase often requires parallel actions rather than a strictly linear approach.

1. Be Prepared

Effective breach response begins long before an incident occurs. You should understand which personal data your business processes handle, including where the data is stored, how it's used, who accesses it and how it's protected.

This information typically sits in your Register of Processing Activity (RoPA). Even if your organisation is exempt from maintaining a RoPA, you should still have this information readily available.

Additionally, maintain a robust data security framework, keep an exercised breach response plan in place, and ensure your people receive training to recognise and report potential breaches appropriately.

2. Act Quickly

Once you've identified or been notified of a potential breach, escalate it immediately to the responsible person internally. If you're a data processor, notify the data controller straight away.

Determine whether a breach has actually occurred, mobilise your breach response team and work to contain the incident.

3. Communicate with Relevant Internal Stakeholders

Engage your Data Protection Officer (where designated) for advice, information and to serve as the point of contact for the Data Protection Authority and affected individuals. Involve relevant management team members who own the affected processes, and notify third-party processors where necessary.

4. Establish the Facts

Conduct a preliminary investigation to assess the situation. Determine what assets and data have been compromised, and classify the breach type. Has confidentiality, integrity, availability or some combination been compromised?

If personal data is involved, remember that under GDPR Article 33.1, the data controller has 72 hours from becoming aware of the breach to notify the relevant Data Protection Authority (DPA). The European Data Protection Board considers that you become "aware" when you've established with reasonable certainty that a security incident has occurred that led to personal data being compromised.

Where your breach affects individuals in multiple EU/EEA countries, the One Stop Shop mechanism means you only need to notify your Lead DPA. However, if the breach affects individuals in countries outside the EU/EEA, you may have notification obligations in one or more of those jurisdictions.

5. Assess the Risks

Conduct an objective assessment of the breach's impact on the rights and freedoms of data subjects. Consider both the likelihood and severity of potential harm. This risk assessment will inform your decisions about notification requirements.

6. Communicate with External Stakeholders

Notify the DPA if the breach is likely to result in a risk to individuals' rights and freedoms (GDPR Article 33.1). Your notification may be phased if you don't have all information within the 72-hour window.

Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34.1). Not every breach requires individual notification - your risk assessment will guide this decision.

7. Document Everything

Keep comprehensive records of the breach, its effects, your investigation, the risk assessment, communications and any corrective or preventive actions taken or planned (GDPR Article 33.5). Track all decisions made throughout the process.

Maintain these records even if you establish that no notifiable breach occurred. Good documentation demonstrates compliance and supports learning from incidents.
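As an added worked example (not part of Fiona Kiely's guidance), the decision points in steps 4 to 7 as a small breach-register helper in Python: the 72-hour clock starts at the moment of awareness, a risk rating drives the DPA and data-subject notification decisions, notification is flagged as phased when the facts are still incomplete, and a record is kept whatever the outcome. The likelihood-by-severity matrix, the article references in the comments and the sample breach are assumptions, not something the article prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Breach:
    reference: str
    aware_at: datetime     # "awareness": reasonable certainty that personal data was compromised
    personal_data: bool    # does the incident involve personal data at all?
    likelihood: Level      # likelihood of harm to the data subjects
    severity: Level        # severity of that harm
    facts_complete: bool   # do we already hold all the Article 33 information?

def risk_level(b: Breach) -> Level:
    # Illustrative likelihood x severity matrix (an assumption; GDPR prescribes none).
    score = int(b.likelihood) * int(b.severity)
    return Level.HIGH if score >= 6 else Level.MEDIUM if score >= 3 else Level.LOW

def decide(b: Breach, now: datetime) -> dict:
    """Notification decisions plus the register entry kept under Article 33.5."""
    risk = risk_level(b) if b.personal_data else None
    # Article 33.1: notify the DPA unless the breach is unlikely to result in a risk,
    # within 72 hours of becoming aware (not of the incident itself).
    notify_dpa = risk is not None and risk >= Level.MEDIUM
    deadline = b.aware_at + timedelta(hours=72)
    return {
        "reference": b.reference,
        "risk": risk.name if risk else "n/a",
        "notify_dpa": notify_dpa,
        "dpa_deadline": deadline.isoformat() if notify_dpa else None,
        "dpa_phased": notify_dpa and not b.facts_complete,  # Art. 33.4: may be provided in phases
        "dpa_overdue": notify_dpa and now > deadline,
        "notify_data_subjects": risk == Level.HIGH,          # Art. 34.1: likely high risk
        "keep_record": True,                                 # Art. 33.5: even when nothing is notifiable
    }

# Constructed sample: a stolen laptop holding unencrypted customer records; facts still being gathered.
AWARE_AT = datetime(2025, 7, 23, 9, 0, tzinfo=timezone.utc)
SAMPLE = Breach("BR-2025-001", AWARE_AT, True, Level.HIGH, Level.HIGH, facts_complete=False)

def run_example(hours_elapsed: int = 10) -> dict:
    return decide(SAMPLE, now=AWARE_AT + timedelta(hours=hours_elapsed))
```

Each call to `decide` returns the entry to store in the breach register, so the register is populated even for incidents that turn out not to be notifiable.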

8. Fulfil Other Obligations

Beyond GDPR, you may have additional breach notification duties under other legal, medical, professional or regulatory frameworks (such as NIS2). Identify these obligations in advance and include them in your breach response plan, so you're not scrambling to identify requirements during an actual incident.

Final Thoughts

Responding to a data breach can be complex and stressful. Professional advice helps ensure you understand the full scope of your obligations and remain compliant with all applicable contracts, laws and regulations in your home jurisdiction and any others that may be relevant.

Never claim lack of legal expertise as an excuse for non-compliance, but do recognise when specialist guidance is needed to navigate the complexity of data protection law and breach response requirements.

Published on July 23, 2025