Introduction
This guide will assist in-house counsel, private practice lawyers and risk and compliance teams with the steps their organisation should take when dealing with a data breach involving personal data.
This guide covers the following:
- Overview – legal framework
- What steps should you take in the first 24 hours of your data breach response?
- What steps should you take in the next 24 to 72 hours?
- What should you do in the following period?
- When do you have to notify the relevant supervisory authorities?
- When do you have to inform affected individuals?
- What records do you need to keep?
Organisations should take all necessary steps to try to minimise the risk of a data breach.
See How-to guide: How to reduce the risk of a data breach for further guidance about what a personal data breach is, the risks and obligations facing your organisation, the risks for affected data subjects and preventative measures.
However, even with preventative measures in place, data breaches can still happen. When a breach does occur, you need to be prepared to act swiftly to mitigate the damage caused.
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, ‘personal data breach’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.
This guide can be used in conjunction with How-to guides: How to ensure compliance with the GDPR and How to reduce the risk of a GDPR data breach, and Checklist: GDPR compliance self-assessment audit.
Section 1 – Overview – legal framework
The guide covers the requirements under:
- Regulation 2016/679 – General Data Protection Regulation (EU GDPR); and
- European Data Protection Board (EDPB) Guidelines 9/2022 on Personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification.
Sector-specific rules may also impose additional breach notification requirements for organisations operating in certain industries, such as healthcare, energy, telecommunications and financial services. These are only touched on briefly in this guide.
Section 2 – What steps should you take in the first 24 hours of your data breach response?
When dealing with a data breach, time is critical. In the first 24 hours you should:
- identify the potential breach – data breaches may be detected by internal mechanisms or you may be contacted by hackers or the public;
- record the potential breach, including:
  - the date and time the breach was discovered;
  - how it was discovered;
  - who discovered or reported it (and to whom);
  - who is aware of it;
  - the date and time the response begins (ie, when the response team is mobilised); and
  - as much other information as you know about the potential breach;
- mobilise the response team – your data protection officer (DPO) (if you have one) will play a key role, as will your legal advisers (internal or external) and IT security lead;
- initiate your data breach response plan – this may require external advisers, such as forensic IT specialists;
- make an initial assessment, including the nature and circumstances of the breach (eg, what was lost, stolen or accessed, including the categories of data subjects and data affected and the number of data subjects affected), how it happened, what systems are impacted, etc, and whether this is a ‘personal data breach’;
- take initial steps to mitigate data loss (eg, secure premises, take affected systems offline, change passwords, close system backdoors, remotely disable or wipe lost or stolen devices);
- be careful to preserve any evidence;
- be careful to preserve legal professional privilege;
- carry out interviews with relevant parties;
- follow protocols about disclosing information about the breach in the early stages – this should be on a strict need-to-know basis;
- if necessary, notify law enforcement, after consulting legal counsel and senior management;
- if relevant, notify insurers (if, for instance, this is a condition of being able to claim under a cyber-risk insurance policy);
- consider if a preliminary notification should be made to the relevant supervisory authorities – this can always be revised later;
- notify any regulators specific to your industry (where notification must be done within 24 hours), if required; and
- if you are a processor under a contract with the controller to process their personal data, or a joint controller under an arrangement with another joint controller, check the terms of the contract to see what the notification periods are.
Section 3 – What steps should you take in the next 24 to 72 hours?
In the next 24 to 72 hours you should:
- make a further assessment, including about the nature and circumstances of the breach;
- update your records of the breach to include any new information;
- continue to liaise with your data breach response team, including any external advisers, specialists and law enforcement;
- continue to follow your data breach response plan;
- take further steps to mitigate data loss based on what you know;
- if required, notify the relevant supervisory authorities (see section 5 below);
- if required, notify any other regulators specific to your industry (where notification can be done after 24 hours) (see section 5); and
- if required, inform affected individuals (see section 6).
Section 4 – What should you do in the following period?
In the following period you should:
- continue to cooperate with supervisory authorities;
- continue to liaise with law enforcement;
- continue to deal with insurers;
- provide support to affected individuals (eg, set up helplines, provide information on your website); and
- manage public relations in relation to the breach and contractual relationships.
Some of these measures, such as data subject and customer support and your PR response, may need to be brought forward depending on the nature and severity of the breach.
Once the breach has been addressed in line with the above, you should:
- take measures to prevent or mitigate the risk of a similar breach happening again;
- finalise your records of the breach, including the facts related to the breach, its effects and the remedial action taken (article 33(5), EU GDPR);
- update internal policies, procedures and processes to address any deficiencies;
- build lessons learned into training and ensure the organisation maintains high awareness of cybersecurity;
- deal with any compensation claims, ex gratia compensation or other litigation; and
- comply with any orders or enforcement action from regulators.
Section 5 – How soon must you notify the relevant supervisory authorities?
5.1 When does the controller notify the relevant supervisory authorities?
Controllers are responsible for notifying a regulator of a data breach. If your organisation is a controller, it must report a personal data breach to the relevant supervisory authority ‘without undue delay’ and, where feasible, not later than 72 hours after having become aware of it ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’ (article 33(1), EU GDPR).
5.1.1 Has there been a ‘personal data breach’?
Only ‘personal data breaches’ are reportable to the relevant supervisory authority – this means that the breach must involve:
- ‘personal data’; and
- a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (article 4(12) EU GDPR).
If the breach meets the criteria for a personal data breach, you need to carry out a risk assessment on the likelihood of it resulting in adverse effects for data subjects if unaddressed. This must be assessed case by case and you will need to be able to justify your decision to report a breach (or not) to the relevant supervisory authority.
There is a lower threshold for reporting to the regulator than there is for informing affected data subjects (see section 6 below).
The EDPB data breach examples guidance provides examples of when an organisation is and is not required to notify the data protection regulator, some of which are summarised in Figure 1 below. Every scenario is fact-specific, so a slightly different fact pattern may produce a different outcome in terms of breach notification.
Figure 1: Selected summary of (i) EDPB guidance and (ii) guidance from the National Cyber Security Centre on common types of personal data breach, and the factors that raise or lower the likelihood of having to notify a regulator and/or data subjects:
1 – Ransomware attack
A type of malware infiltrates the target’s systems, typically encrypting its data files and preventing it from accessing those files. A criminal group may then demand a ransom in exchange for decryption. The malware is typically delivered when, for example, an employee of the target company clicks on an unknown link or visits a website and downloads the malware. The potential impact on the data subject depends on the categories of data stolen, but examples include their personal data being sold to other bad actors, their personal data being made public or their accounts being unlawfully accessed.
Increased risk
- Weak / no encryption
- Decryption key compromised
- Evidence of non-availability of data (eg, access to data denied and a ‘ransom note’ is present)
- No back-up
- Delays in detection of breach
- Special category data or children’s or vulnerable adults’ personal data
- No regular training for staff on data protection and security awareness
Decreased risk
- Strong, state-of-the-art encryption
- Decryption key not compromised
- No evidence of exfiltration
- Use of appropriate software and tools to, eg, detect files that are downloaded from the internet and detect malicious software/files embedded in emails
- Proper back-up and restore facilities
- Regular training for staff on data protection and security awareness
When to notify regulators
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify. There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the attack later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
When to notify data subjects
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify. If special category data is involved, or the data subjects are children or vulnerable adults, this will increase the risk to individuals.
There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the attack later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
2 – Exfiltration attacks
A form of data theft that occurs when malware is installed and/or a malicious actor carries out an unauthorised data transfer (manual or automated) from an IT asset to an external destination. This may be a malicious insider, such as a disgruntled employee (rare), an external criminal (more common) or a careless authorised person who inadvertently exposes the data through human error, poor judgement or ignorance of security controls (also common). The potential impact on the data subject depends on the categories of data stolen, but examples include their personal data being sold to other bad actors, their personal data being made public or their accounts being unlawfully accessed.
Increased risk
- Evidence of exfiltration (eg, the data is not present or appears corrupted)
- Evidence of the data being sent to a single external email address
- Inadequate logging and protective monitoring
- Delays in detection of breach
- No back-up
- Special category data or children’s or vulnerable adults’ personal data
- No regular training for staff on data protection and security awareness
Decreased risk
- Good identity and access management
- Use of appropriate software and tools to, eg, detect files that are downloaded from the internet, detect malicious software/files embedded in emails, and provide data loss prevention (DLP)
- Adequate logging and protective monitoring
- Breach detected quickly
- Proper back-up and restore
- No special category data
- Regular training for staff on data protection and security awareness
When to notify regulators
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify. There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the attack later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
When to notify data subjects
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify. If special category data is involved, or the data subjects are children or vulnerable adults, this will increase the risk to individuals.
There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the attack later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
3 – Credential stuffing attack
A method where attackers steal credentials from one system (or purchase them from other bad actors) and use them to try to access accounts on another, unrelated system, taking advantage of any reuse of username and password combinations (individuals often use the same credentials for multiple accounts). Actors will often also use automated ‘brute force’ attack tools with such credentials to access multiple other accounts, and these bad actors then often resell the credentials to other bad actors for misuse. The potential impact on the data subject may include their credentials being sold to other bad actors and/or their accounts being unlawfully accessed (including false accounts being set up in their name).
Increased risk
- Weak or faulty authentication/access controls
- Evidence of exfiltration
- Inadequate logging and security monitoring as well as unauthorised log-in attempts not detected quickly
- Inadequate staff access controls and procedures
- No regular training for staff on data protection and security awareness
- Unauthorised bank account transactions made
- Access to compromised website not stopped
- Users not forced/asked to reset passwords
Decreased risk
- Two-factor authentication/strong user authentication
- No evidence of exfiltration
- No financial details or other sensitive information compromised
- Unauthorised log-in attempts detected quickly
- Adequate staff access controls and procedures
- Regular training for staff on data protection and security awareness
- No unauthorised bank account transactions made
- Access to compromised website stopped
- Users forced/asked to reset passwords
When to notify regulators
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify. There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the attack later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
When to notify data subjects
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify. If special category data is involved, or the data subjects are children or vulnerable adults, this will increase the risk to individuals.
There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the attack later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
4 – Accidental transmission of data to the wrong recipient
Increased risk
- Unauthorised access, by multiple recipients (especially if it includes personal data and involves large scale numbers of individuals)
- Third party is not a trusted recipient (ie, not subject to professional duties to keep the data confidential)
- Controller was not quickly informed of mistake
- Controller does not issue corrected file promptly
- Controller does not ask recipient to permanently delete the message sent in error and to confirm by return that it has complied with the request
- Recipient does not confirm permanent deletion in a written statement
- Special category data or children’s or vulnerable adults’ personal data
Decreased risk
- No evidence of unauthorised access or access only by a very small number of recipients
- Third party is a trusted recipient (ie, subject to professional duties to keep the data confidential)
- Controller was quickly informed of mistake
- Controller issues corrected file promptly
- Controller asks recipient to delete message sent in error and recipient confirms deletion in a written statement
- No special category data or children’s or vulnerable adults’ personal data
When to notify regulators
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify.
There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the incident later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
When to notify data subjects
Where the confidentiality, integrity or availability of personal data is impacted, you will likely have to notify. If special category data is involved, or the data subjects are children or vulnerable adults, this will increase the risk to individuals.
There is no need to notify if the confidentiality, integrity and availability of personal data were all restored in good time, so that there was no permanent loss and/or potential harm caused to the relevant data subjects. However, targets should be aware that, if the regulator becomes aware of the incident later on, it may want to investigate how the target complies with article 32, EU GDPR generally.
5.1.2 When does the 72-hour time limit start and end?
An organisation ‘becomes aware’ of a data breach when it has a ‘reasonable degree of certainty’ that a security incident has happened and resulted in personal data being compromised. Sometimes this may be obvious (eg, when a processor has informed the controller of a breach), but in other cases it may take time to establish what has happened. You may carry out a short investigation for this purpose. However, you must always act promptly and without delay.
The hour in which the controller becomes aware of the breach is not counted. The 72 hours begin from the start of real-time ‘Hour 2’ and end 72 hours after that. The time limit runs 24 hours a day, 365 days a year, so weekends and public holidays do not pause it.
5.1.3 What happens if you notify late or fail to notify?
If your notification is late, you need to include reasons for the delay when you notify.
Failing to comply with the breach notification obligations under article 33, EU GDPR, attracts fines of up to the higher of €10 million, or 2% of global annual turnover in the preceding financial year.
5.2 What information must the breach report contain?
Under article 33(3), EU GDPR, the notification to the regulator must include as a minimum:
- details of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned;
- the name and contact details of your DPO or other contact point for further information;
- a description of the likely consequences of the personal data breach; and
- details of the measures taken or proposed to be taken to address the breach, including, where appropriate, the measures taken to mitigate its possible adverse effects.
To the extent that it is not possible to provide the information at the same time, you may provide this in stages without undue further delay.
5.3 What obligations do processors have regarding personal data breaches?
If your organisation is a processor, it must notify the controller without undue delay after becoming aware of a personal data breach (article 33(2), EU GDPR).
The processor will need to assist the controller with reporting the data breach to the relevant regulators, communicating with affected individuals and taking appropriate security measures (article 28(3)(f), EU GDPR).
In addition, processors must comply with the security requirements under article 32, GDPR (ie, the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk).
Failing to comply with any of the above provisions attracts fines of up to the higher of €10 million, or 2% of global annual turnover in the preceding financial year, and potentially other enforcement action.
5.4 When must you notify other data protection regulators?
If the personal data breach involves data or affects data subjects across multiple countries, the breach may fall within the jurisdiction of and need to be reported to multiple supervisory authorities or regulators. A breach affecting individuals in EEA countries will mean that the EU GDPR applies. In addition, other countries outside the EEA may have their own breach reporting requirements.
Under the EU GDPR, there are cooperation mechanisms that mean that an organisation with multiple EEA establishments can appoint a lead authority to deal with data breach notifications and other matters (articles 56 and 50, EU GDPR). If your organisation has multiple EEA establishments, you will need to know which EEA supervisory authority will be your lead authority for the processing activities affected by the breach.
Each supervisory authority has its own breach reporting processes that will need to be followed.
Example
Company A has establishments in Ireland, Belgium, Spain and New Zealand. The Irish Data Protection Commission (DPC) is its lead authority under EU GDPR. If there is a data breach affecting processing operations in all these places, Company A would need to notify the data protection regulators in Ireland (under EU GDPR, in respect of processing in Ireland, Belgium and Spain) and New Zealand (under local laws).
5.5 When must you notify industry regulators?
The industry sector in which your organisation operates may have additional breach notification obligations under specific rules that regulate the industry. For example:
- for certain public communications networks and service providers – EU member state ePrivacy laws which are derived from the EU Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive);
- for financial services institutions – the rules of the regulator in the relevant member state (eg, the Central Bank of Ireland (CBI) for Ireland, the Dutch Central Bank (DNB) for the Netherlands and the Commission de Surveillance du Secteur Financier (CSSF) for Luxembourg); and
- for financial institutions – specific obligations under the Digital Operational Resilience Act (DORA) for reporting ICT security-related incidents.
The time limits for notification will vary and may in some instances be shorter than under the EU GDPR. Check the relevant rules for more detailed guidance, including the numbers to call and forms to use for breach notifications.
Section 6 – When do you have to inform affected individuals?
6.1 When must you communicate a data breach to affected data subjects under EU GDPR?
If your organisation is a controller, it must communicate the data breach to affected data subjects without undue delay ‘when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons’ (article 34, EU GDPR).
6.1.1 What types of breaches need to be communicated?
Only ‘personal data breaches’ need to be communicated – this means that the breach must involve:
- ‘personal data’; and
- a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (article 4(12) EU GDPR).
Additionally, the communication shall not be required if any of the following conditions are met:
- the organisation had applied appropriate technical and organisational protection measures to the personal data affected by the personal data breach, in particular encryption or other measures that make the personal data unintelligible to unauthorised persons;
- the organisation has taken subsequent measures ensuring that the high risk to data subjects is no longer likely to materialise; or
- it would involve disproportionate effort to individually notify people – instead you would need to make a public communication or similar measure informing the affected individuals in an equally effective way.
If the incident meets the criteria for a personal data breach that may need to be communicated, you must conduct a risk assessment as to the likelihood of the breach resulting in adverse effects for the data subjects and other individuals if unaddressed. This must be done case by case and you must be able to justify your decision to communicate a breach (or not) to the relevant supervisory authority.
The EDPB data breach examples guidance sets out some scenarios of when you are and are not required to communicate with affected individuals.
6.1.2 What is the required timing of the notification?
Acting ‘without undue delay’ is key. You must take action promptly, particularly if you are asking individuals to take measures that could help reduce the harm they may suffer as a result of the data breach.
If you need to notify affected data subjects, you will also have had to report the breach to the data protection regulators. It may be that the relevant supervisory authority has ordered or directed you to contact people, or you may have already decided to do this on your own initiative.
6.1.3 What happens if you notify late or fail to notify?
If you are late with the notification, you should be prepared to justify the reasons for the delay to the relevant supervisory authority.
Failing to comply with the breach notification obligations under article 34, EU GDPR, attracts fines of up to the higher of €10 million, or 2% of global annual turnover in the preceding financial year.
6.2 When must you communicate a data breach to affected data subjects under industry regulations?
The industry sector in which your organisation operates may have additional breach notification obligations under sector-specific rules. For example:
- for certain public communications networks and service providers; and
- for regulated financial services institutions.
Check the relevant rules for more detailed industry-sector guidance, including when to notify affected individuals and what information to tell them.
6.3 What information must you include in the communication?
When informing affected data subjects about a breach, you must include as a minimum:
- details of the nature of the personal data breach;
- the name and contact details of your DPO, or other contact point for further information;
- a description of the likely consequences of the personal data breach; and
- details of the measures taken or proposed to deal with the breach and, where appropriate, the measures taken to mitigate any possible adverse effects.
This information should be expressed in clear and plain language. If possible, give specific and clear advice to people on the steps they can take to protect themselves (eg, reporting suspicious activity), and what you are prepared to offer by way of assistance (eg, forcing password resets, offering to pay for fraud-detection checks).
Section 7 – What records do you need to keep?
You must keep a record of all personal data breaches (not only reportable ones) in a data breach log. This requirement is set out in article 33(5), EU GDPR, and is part of an organisation’s accountability obligations. These records must include as a minimum:
- the facts related to the breach;
- the effects of the breach; and
- the remedial action taken.
It is also good practice to keep a record of any near misses and your reasons for not reporting any breaches. Be prepared to produce these records to the data protection regulators if there is an incident or an investigation.
Additional resources
European Union Agency for Cybersecurity (ENISA)
Related Lexology Pro content
How-to guides:
Understanding key data protection definitions
How to comply with data processing principles under the GDPR
How to ensure compliance with the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the European Economic Area
How to reduce the risk of a GDPR data breach
How to deal with a supervisory authority dawn raid
Checklists:
GDPR compliance self-assessment audit
Assessing whether an organisation is a controller or processor under the GDPR
Lawful processing of personal data under the GDPR
Obtaining and managing consent under the GDPR
Processor due diligence (data protection and cybersecurity)
Making an international transfer of personal data under the GDPR
Data subject access rights under the GDPR
What to include in your organisation’s privacy notice
When and how to appoint a data protection officer
Complying with cookie requirements under the ePrivacy Directive and the GDPR