This checklist provides a systematic approach to GDPR breach response and notification obligations. Organizations must act swiftly upon discovery of a personal data breach to comply with notification timelines, documentation requirements, and investigative obligations under the GDPR. Each item references specific regulatory sections and includes concrete verification criteria to ensure compliance and minimize regulatory penalties.
GDPR Breach Response Checklist
- Confirm breach classification (GDPR Article 4(12)): Verify that the incident meets the definition of a personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Document which of these occurred (loss of confidentiality, integrity, or availability, including temporary loss of access) and which data sets were involved. Obtain written confirmation from the IT and security teams, and record the time at which the organization became aware of the breach with a reasonable degree of certainty, since that moment starts the Article 33 clock.
- Notify the supervisory authority within 72 hours (GDPR Article 33(1)): Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, submit the notification to the competent supervisory authority (the lead authority under Article 56 for cross-border processing) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Information that is not yet available may be provided in phases without further undue delay (Article 33(4)); do not wait for a complete investigation before filing. Maintain timestamped records of each submission and of the authority's acknowledgement.
- Document the breach discovery date and time (GDPR Article 33(5)): Create a dated log entry specifying when the breach was detected, by whom, and through what means (automated alert, user report, processor notification, etc.), and separately when the controller became aware of it. This establishes the starting point for the 72-hour clock and will be the first thing the supervisory authority checks.
- Conduct preliminary impact assessment (GDPR Article 33(3)(c)): Assess and document the likely consequences for affected data subjects, taking into account data sensitivity (special categories, financial or credential data), the number of individuals affected, the vulnerability of those individuals, and whether the data was encrypted or otherwise unintelligible to the attacker. Map the result onto the two GDPR thresholds: a risk to rights and freedoms triggers supervisory authority notification (Article 33(1)); a high risk triggers communication to the individuals themselves (Article 34(1)). Record the reasoning, not just the rating, since the assessment may need to be revisited as facts emerge.
- Identify affected individuals and data categories (GDPR Article 33(3)(a)): Create a detailed inventory listing the categories and approximate number of data subjects concerned, their geographic locations (relevant for determining which supervisory authorities are involved), and the categories and approximate number of personal data records compromised (e.g., names, email addresses, payment information). Approximate figures are acceptable in the initial notification and should be refined in later phases.
- Preserve all evidence and forensic data (GDPR Articles 33(5) and 5(2)): Implement immediate data preservation protocols to retain all breach-related logs, system images, configuration snapshots, and communications, taking care that containment actions (rebuilding hosts, rotating credentials) do not destroy evidence before it is captured. Engage forensic specialists and document the chain of custody for all preserved materials. This evidence underpins the documentation that Article 33(5) requires the controller to keep so that the supervisory authority can verify compliance, and it supports the accountability principle in Article 5(2).
- Notify affected individuals if high risk (GDPR Article 34(1)): Where the breach is likely to result in a high risk to the rights and freedoms of individuals, communicate the breach to the affected data subjects without undue delay. The communication must use clear and plain language and must describe the nature of the breach, the contact point for further information, the likely consequences, and the measures taken or proposed to mitigate them (Article 34(2)). Record the basis for any decision not to notify: Article 34(3) exempts the controller where the data was rendered unintelligible (e.g., properly encrypted with uncompromised keys), where subsequent measures mean the high risk is no longer likely to materialise, or where individual communication would involve disproportionate effort, in which case a public communication or equally effective measure is required instead.
- Assess necessity of supervisory authority consultation (GDPR Articles 35 and 36): Where remediation introduces new or substantially changed processing (for example a new monitoring capability or a new vendor), evaluate whether a Data Protection Impact Assessment (DPIA) is required under Article 35 and, if the DPIA indicates a high residual risk that cannot be mitigated, whether prior consultation with the supervisory authority under Article 36 is required before that processing starts. Document the reasoning for consultation or non-consultation decisions. Note that this is distinct from breach notification under Article 33.
- Prepare the supervisory authority breach notification (GDPR Article 33(3)): Complete the notification containing at least: (a) the nature of the breach, including the categories and approximate number of data subjects and records concerned; (b) the name and contact details of the data protection officer or other contact point; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. Most supervisory authorities publish an online form that follows this structure; use it, and keep a copy of exactly what was submitted.
- Document remedial and mitigating measures (GDPR Article 33(3)(d)): Create a comprehensive record of all corrective actions taken or proposed post-breach, including system patches, credential and key rotation, access restrictions, encryption deployment, or security training implemented to prevent recurrence, and distinguish measures that contain the breach from measures that mitigate its effects on data subjects. This record feeds both the notification and the Article 33(5) documentation.
- Establish breach register entry (GDPR Article 33(5)): Document the breach in the internal breach register with: date and time of awareness, description of the facts, number and categories of individuals affected, likely consequences, remedial action taken, the risk assessment, and the decision on whether to notify the supervisory authority and data subjects, with reasons. Every personal data breach must be recorded here, including those assessed as unlikely to result in a risk and therefore not notified. Maintain this register for supervisory authority inspection.
- Issue public communication if required (GDPR Article 34(3)(c) and 34(4)): Determine whether a public communication or similar measure is required, either because individual notification would involve disproportionate effort (Article 34(3)(c)) or because the supervisory authority, having assessed the likelihood of high risk, orders the controller to communicate the breach (Article 34(4)). If so, prepare and issue communications that meet the Article 34(2) content requirements without disclosing details (unpatched vulnerabilities, internal hostnames) that would undermine ongoing security measures.
- Conduct root cause analysis (GDPR Article 32(1)(d)): Complete a thorough investigation documenting how the breach occurred, identify the systemic weaknesses that allowed it, and prepare a written root cause analysis report. The GDPR sets no deadline for this report; a 30-day internal target from discovery is a reasonable organizational commitment, and the findings should be reflected in the ongoing testing and evaluation of technical and organizational measures that Article 32(1)(d) requires.
- Review and update security measures (GDPR Article 32): Reassess the technical and organizational security controls against the root cause findings and the state of the art, and document all enhancements implemented, including staff training updates and policy revisions. Where the breach showed that existing measures were not appropriate to the risk, record what was changed and why, since Article 32 requires a level of security appropriate to that risk.
- Verify processor notification (GDPR Article 33(2)): Article 33(2) obliges a processor to notify the controller without undue delay after becoming aware of a personal data breach; it does not start a separate 72-hour clock for the processor, and the controller's own deadline runs from the controller becoming aware. If the breach occurred at a processor, record when the processor notified the controller and whether that was without undue delay, and obtain from the processor all information needed for the controller's notification, as required by the assistance obligations in the Article 28(3) contract. If the breach occurred at the controller but affects data handled by processors, notify those processors so that containment on their side can begin, and obtain written acknowledgment.
- Assess regulatory penalties exposure (GDPR Article 83): Evaluate potential fines in light of the factors in Article 83(2), including the nature, gravity, and duration of the infringement, whether it was intentional or negligent, mitigation actions taken, the degree of cooperation with the supervisory authority, prior infringements, and the categories of data affected. Failures of the security and notification obligations in Articles 32 to 34 fall under the Article 83(4) tier (up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher); failures of the basic processing principles in Article 5 fall under the Article 83(5) tier (up to EUR 20 million or 4%). Consult external counsel to assess exposure under both tiers.
- Create incident timeline document (GDPR Articles 33(1) and 33(5)): Develop a detailed chronological record of all actions taken from initial detection through awareness, containment, notification, and closure, including decision-makers, approvals, and supporting communications. If the supervisory authority was notified later than 72 hours after awareness, the timeline must make the reasons for the delay evident, since Article 33(1) requires those reasons to accompany the notification.
- Complete post-breach review meeting (GDPR Article 32(1)(d)): Schedule a formal debriefing with legal, IT, security, and operations teams to discuss breach circumstances, response effectiveness, and required procedural improvements, and record the outcomes and assigned actions. The GDPR sets no deadline for this review; holding it within 15 days is an internal target that keeps the lessons current while evidence and recollections are still fresh.