INC-005 Incident Reporting and Regulatory Notification
Description
Internal incident reporting requirements and timelines are defined for all severity levels. For incidents involving personal data, breaches are notified to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them, in accordance with GDPR Article 33(1); the only breaches exempt from notification are those unlikely to result in a risk to the rights and freedoms of individuals, and that assessment is itself recorded. A notification made after 72 hours is accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, affected data subjects are notified without undue delay (Article 34(1)). All supervisory authority notifications include the content required by Article 33(3): the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned; the name and contact details of the DPO or other contact point; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects. Information that is not available at the time of the initial notification may be provided in phases (Article 33(4)).
Rationale
Regulatory breach notification is a legal obligation with defined timelines and content requirements. The 72-hour clock starts when the organisation becomes aware of the breach, not when the investigation concludes, so a late notification, or one with incomplete content, creates material regulatory exposure. Covering internal and external reporting in one control reflects the operational reality that both are triggered by the same event: the internal report is what starts the regulatory clock and supplies the facts the external notification must contain.
Framework Mappings (7)
| Framework Control | Title | Coverage |
|---|---|---|
| SEF-08 | Security Breach Notification | full |
| EU-AI-Art.26.4 | Deployer Obligations — Operational Monitoring and Incident Notification | partial |
| GDPR-Art.33.1 | Breach Notification to Supervisory Authority — 72-Hour Requirement | full |
| GDPR-Art.33.3 | Breach Notification Content Requirements | full |
| GDPR-Art.34.1 | Breach Communication to Data Subjects | full |
| IR-6 | Incident Reporting | partial |
| P6.5 | Notification of Privacy Breaches | full |
Evidence (2)
Incident reporting and breach notification procedure defining internal reporting timelines, GDPR 72-hour notification requirements, data subject notification triggers, and required notification content.
Example: Breach Notification Procedure or IRP section on regulatory notification (version-controlled, approved by legal/DPO, dated within the last 12 months) with notification timelines, required content checklist, and DPA contact details
Test: Request the breach notification procedure. Verify: (1) internal reporting timelines are defined for all severity levels; (2) the 72-hour GDPR Art.33 notification obligation is explicitly stated, together with how the time of awareness is determined and which role is responsible for starting the clock; (3) Art.33(3) content requirements are listed as a checklist; (4) data subject notification trigger criteria (high risk to individuals) are defined; (5) current DPA and supervisory authority contact details are included.
Breach notification records demonstrating GDPR-compliant notifications were made within 72 hours for applicable incidents, with required content and documentation of the notification.
Example: DPA notification submission confirmation (e.g., ICO online submission receipt), data subject notification record, or internal breach register entry (GDPR Art.33(5)) showing notification date, submitted content, and responsible DPO — or a documented justification if no notifications were required in the review period
Test: Request the breach register and notification records for the last 12 months. Verify: (1) every incident assessed as a personal data breach appears in the Art.33(5) breach register, including breaches judged not to require notification, with the facts, effects, and remedial action recorded; (2) supervisory authority notifications were submitted within 72 hours of the time of awareness recorded in the incident record, and any later submission records the reasons for the delay as Art.33(1) requires; (3) notification content addresses each Art.33(3) requirement, and any information supplied in phases under Art.33(4) is traceable to the original submission; (4) where notification was not made, the documented rationale shows why the breach was unlikely to result in a risk to individuals, is proportionate, and records the decision-maker; (5) where the breach was assessed as high risk, data subject communications under Art.34 were sent and their content and date are recorded.
Questions (2)
Are internal incident reporting requirements and timelines defined for all severity levels, and is there a documented process for notifying the relevant supervisory authority within 72 hours in the event of a personal data breach, as required by GDPR Article 33?
The breach notification procedure must explicitly state the 72-hour GDPR Art.33 obligation and include GDPR Art.33(3) content requirements as a checklist. The procedure should be approved by the DPO or legal team.
Which elements are included in your breach notification procedure?
All six elements are required for a GDPR-compliant breach notification procedure. Missing Art.33(3) content requirements or a defined trigger for data subject notification are common gaps.