Loading…
A personal data breach starts a regulatory clock that doesn't stop for weekends, holidays, or executive availability. Under GDPR Article 33 you have 72 hours from awareness to notify the Supervisory Authority. DPDPA Rule 7, PDPA Section 26B, and LGPD Resolution 15/2024 set similar windows.
This playbook breaks the 72 hours into five named phases — Detection, Containment, Assessment, Documentation, Filing — with concrete deliverables at each gate. Use it as a runbook: when something is on fire you don't want to be writing process. You want to be executing it.
Article 33 says "not later than 72 hours after having become aware of it." Awareness is when the controller has reasonable degree of certainty that a security incident has occurred and that personal data is involved. It is not:
EDPB Guidelines 9/2022 on personal data breach notification permit a short investigation period to reach awareness, but that period should be brief — a matter of hours, not days.
Goal: Confirm an incident has occurred, preserve forensic evidence, activate the response team.
Deliverable at T+6h: One-page incident summary — what happened, when, what systems, what data categories may be involved, what is known unknown.
Goal: Stop the bleed, isolate affected systems, and notify time-sensitive external parties.
Deliverable at T+24h: Containment confirmation; preliminary scope statement.
Goal: Determine the magnitude and likely harm — this drives every downstream decision.
Deliverable at T+48h: Risk-of-harm assessment; notification decision matrix; draft notification template populated.
Goal: Build the artefact you'll file, lock the internal record, brief stakeholders.
Deliverable at T+72h: Filing-ready notification; complete internal record.
Goal: Notify regulators within the statutory window and communicate to data subjects where required.
Deliverable at T+72h+: Filing acknowledgement; data-subject communications dispatched (or documented decision not to communicate); post-incident review scheduled within 14 days.
| Regulator | Statutory window | Threshold |
|---|---|---|
| EU Supervisory Authority (GDPR) | 72 hours from awareness (Art. 33) | Unless unlikely to result in risk to rights and freedoms |
| ICO (UK GDPR) | 72 hours from awareness | Same risk-based threshold |
| CPPA / California AG (CCPA) | "Most expedient time possible" (Cal. Civ. Code §1798.82) | Affecting more than 500 California residents triggers AG notice |
| Data Protection Board of India (DPDPA) | Without delay; specifics in Rule 7 | All personal data breaches |
| CERT-In (India IT Act 2022 Directions) | 6 hours from noticing | Designated incident categories (ransomware, DDOS, defacement, etc.) |
| PDPC (Singapore PDPA) | 72 hours after assessment confirms a notifiable breach | Significant harm OR 500+ individuals |
| ANPD (Brazil LGPD) | 3 business days from confirmation (Res. 15/2024) | Risk or relevant damage to data subjects |
| PPC (Japan APPI) | Without delay (typically days, not weeks) | Sensitive data leak, financial loss, malicious intent, or 1,000+ records |
The most common organisational failure is unclear ownership between the DPO and General Counsel for the actual regulator filing. Settle it in advance — most teams default the DPO drafting under counsel privilege, with the DPO as the named contact in the filing itself.
Article 34 GDPR triggers data subject communication when there is a high risk to rights and freedoms. The standard is higher than the SA notification threshold. Examples warranting notification:
Article 34(3) lists three exemptions to direct communication: encryption rendering data unintelligible to unauthorised persons, measures eliminating the high risk, or a disproportionate effort that can be replaced by public communication.
Notification content (Article 34(2)): nature of the breach, name and contact of DPO, likely consequences, measures taken. In plain language.
No. Article 33 is in hours, not business days. Some regulators (LGPD, Singapore PDPA) define windows in business days; check the specific regime.
Article 33(1) permits later notification "accompanied by reasons for the delay." SAs accept this but scrutinise it. Recurring delays are an enforcement trigger.
Article 33(2) requires the processor to notify the controller "without undue delay." Your DPA likely specifies a tighter window (often 24–48 hours). Notification to the SA is the controller's obligation, but the processor must give them enough information and time to meet the 72-hour deadline.
For anything material, yes. External counsel establishes privilege over investigation work product and significantly reduces discovery exposure in later litigation. Cheap insurance.
Quarterly tabletop with a realistic injects-based scenario, time-compressed to 90 minutes simulating the 72-hour window. Capture decision-making lag at each phase transition. Use the same Article 33(3) content set you'd file for real.
RegulatoryBridge runs 24×7 breach response — incident commander, regulator filing, data-subject communication — under privilege. Activate within minutes.