DAT-014 Personal Data Breach Notification
Description
A documented personal data breach response procedure exists. Confirmed breaches affecting personal data are notified to the relevant supervisory authority within 72 hours of awareness where required. Affected individuals are notified without undue delay where the breach is likely to result in high risk to their rights. All breaches are documented internally regardless of notification threshold.
Rationale
The 72-hour notification window under GDPR is tight. Lack of a pre-defined procedure leads to late notifications, which are themselves violations and attract higher fines.
Framework Mappings (7)
| Framework Reference | Requirement | Coverage |
|---|---|---|
| GDPR-Art.33.1 | Breach Notification to Supervisory Authority — 72-Hour Requirement | full |
| GDPR-Art.33.3 | Breach Notification Content Requirements | full |
| GDPR-Art.33.5 | Internal Breach Documentation | full |
| GDPR-Art.34.1 | Breach Communication to Data Subjects | full |
| GDPR-Art.34.3 | Exemptions from Data Subject Breach Notification | partial |
| P6.5 | Notification of Privacy Breaches | partial |
| P6.6 | Remediation of Privacy Breaches | partial |
Evidence (2)
Personal data breach response procedure defining roles, notification timelines, internal escalation steps, and documentation requirements.
Example: Personal Data Breach Response Procedure (Confluence / runbook), approved by DPO and CISO, containing: breach identification and triage checklist, 72-hour supervisory authority notification workflow, individual notification decision tree, internal breach log template, and named incident response roles
Test: Request the breach response procedure. Verify: (1) explicitly references the 72-hour supervisory authority notification window, (2) includes a severity assessment to determine notification obligation, (3) defines individual notification criteria (high risk to rights and freedoms), (4) specifies a named DPO or privacy lead as the decision authority, (5) document is approved and dated within 12 months.
Internal breach register documenting all personal data incidents regardless of reporting threshold, with key fields including discovery date, notification date, and outcome.
Example: Personal Data Breach Register (OneTrust / Confluence / spreadsheet) — listing all incidents from the last 24 months with: incident date, discovery date, breach type, data categories affected, approximate number of data subjects, risk assessment outcome, notification decision (with justification if not notified), SA notification date (if applicable), and remediation actions
Test: Request the breach register for the last 24 months. Verify: (1) all incidents include a discovery date and notification decision with documented rationale, (2) for any reported incidents, notification to the SA occurred within 72 hours of awareness (or a late notification is documented with explanation), (3) all entries show a remediation action, (4) register is maintained regardless of notification threshold.
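Register checks (1), (2) and (3) above can be run automatically over an exported register. The following is an added example, not part of this control's evidence set; the BreachRecord field names and the sample rows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SA_DEADLINE = timedelta(hours=72)  # GDPR Art. 33(1) window, counted from awareness

@dataclass
class BreachRecord:
    """One row of the internal breach register (constructed field set)."""
    incident_id: str
    discovery: datetime                 # when the organisation became aware
    notified_sa: bool                   # the notification decision
    decision_rationale: str             # required for every entry, notified or not
    remediation: str                    # required for every entry
    sa_notification: Optional[datetime] = None
    late_explanation: str = ""          # required only if the 72-hour window was missed

def check_record(r: BreachRecord) -> List[str]:
    """Return the register-test findings for one entry (empty list means it passes)."""
    findings = []
    if not r.decision_rationale.strip():
        findings.append("no documented rationale for notification decision")
    if not r.remediation.strip():
        findings.append("no remediation action recorded")
    if r.notified_sa:
        if r.sa_notification is None:
            findings.append("marked as notified but SA notification date missing")
        elif r.sa_notification - r.discovery > SA_DEADLINE and not r.late_explanation.strip():
            findings.append("SA notified later than 72h after awareness with no explanation")
    return findings

def audit_register(records: List[BreachRecord]) -> Dict[str, List[str]]:
    """Map each incident id to its findings so an auditor can review exceptions only."""
    return {r.incident_id: check_record(r) for r in records}

# Constructed sample register: compliant, late-but-explained, failing, and not-notified entries.
SAMPLE_REGISTER = [
    BreachRecord("INC-001", datetime(2024, 3, 1, 9, 0), True, "large volume of identifiers exposed",
                 "credentials rotated", datetime(2024, 3, 3, 17, 0)),
    BreachRecord("INC-002", datetime(2024, 5, 10, 8, 0), True, "special-category data involved",
                 "access revoked", datetime(2024, 5, 14, 12, 0), "scope unclear until forensic report"),
    BreachRecord("INC-003", datetime(2024, 7, 20, 14, 0), True, "", "", datetime(2024, 7, 25, 9, 0)),
    BreachRecord("INC-004", datetime(2024, 9, 2, 10, 0), False, "device encrypted, key not compromised",
                 "device wiped remotely"),
]

if __name__ == "__main__":
    for inc, findings in audit_register(SAMPLE_REGISTER).items():
        print(inc, "PASS" if not findings else "; ".join(findings))
```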
Questions (2)
Does your organisation have a documented personal data breach response procedure that includes a process for notifying the supervisory authority within 72 hours of becoming aware of a qualifying breach?
The procedure must define the 72-hour notification window, include a severity assessment to determine notification obligations, specify the decision authority (DPO), and require an internal breach log for all incidents regardless of threshold.
What does your internal breach register capture for each personal data incident?
A complete breach register is required for GDPR accountability. All incidents should be logged regardless of notification threshold. The register must capture the notification decision with documented justification.