Reporting a data breach within 72 hours: the complete step-by-step plan
A stolen laptop, a misdirected email, an archive box that disappears en route, a hacked database. A data breach can happen to any organisation, and the clock starts the moment you become aware of it. Article 33 GDPR gives you 72 hours to notify the Autoriteit Persoonsgegevens (AP); article 34 says when you must also inform the data subjects themselves. This article is a working step-by-step plan for the first three days after discovery.
Audience: DPOs, CISOs, privacy coordinators and anyone who becomes directly involved in incidents.
What is a data breach under the GDPR?
Article 4(12) defines it as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
That means: not every information-security incident is automatically a data breach. Personal data must be at stake. A DDoS attack that only takes a public website offline and touches no personal data: not a data breach. A stolen laptop with full-disk encryption and a strong password: formally still a breach in the sense of article 4(12), because the data has been lost, but if the key has not been compromised and a backup exists, the data is unreadable to the thief and notification is usually not required. Record that reasoning either way.
Hour 0 to 4: establish and isolate
- Receive the report (from employee, customer, supplier, supervisor, media).
- Record time and source. This is your T-0.
- Activate the incident response team (DPO, IT, communications, legal).
- Assess in outline: are personal data involved?
- Isolate the breach. Block accounts, revoke sessions and keys, disconnect network connections, seal off physical locations.
- Preserve evidence. Make forensic copies or images before anyone rebuilds, wipes or reinstalls a system, and record who took which copy, when, and its hash. Isolation and preservation can conflict: image first, then clean up.
The clock starts at ‘awareness’ (a reasonable degree of certainty that a breach has occurred), not at ‘full clarity’. Waiting until everything is clear is a costly mistake.
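The evidence-preservation step above, as an added example that is not part of the original article: a small POSIX shell routine that makes a bit-for-bit copy of a source with `dd`, hashes source and image with SHA-256, makes the image read-only and appends a chain-of-custody line to an evidence log. The source here is a constructed sample file standing in for a seized device such as `/dev/sdb`; the file names, the log format and the sample contents are assumptions for the demo, and GNU coreutils (`dd status=none`, `sha256sum`) is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): preserve evidence in the
# first hours after discovery of a breach. Copies a source bit-for-bit,
# records SHA-256 hashes and writes a chain-of-custody entry.
set -eu

# preserve_evidence SOURCE IMAGE LOG
# Prints the SHA-256 of the image on success; returns 1 if the image hash
# does not match the source hash (the copy is then not usable as evidence).
preserve_evidence() {
    src="$1"; img="$2"; log="$3"
    # Plain dd is enough for healthy media. For failing disks use ddrescue or
    # dc3dd and expect the hashes to differ; log the tool and its error map.
    dd if="$src" of="$img" bs=1M status=none
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Chain-of-custody line: UTC timestamp, operator, source, image, hash.
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$src" "$img" "$img_hash" >> "$log"
    chmod 0444 "$img"   # nothing may change the image after it has been hashed
    [ "$src_hash" = "$img_hash" ] || return 1
    printf '%s\n' "$img_hash"
}

# verify_evidence IMAGE LOG
# Re-hashes an image and checks it against the hash recorded in the log,
# which is what you do before handing the copy to an analyst.
verify_evidence() {
    img="$1"; log="$2"
    recorded=$(awk -F'\t' -v f="$img" '$4 == f { h = $5 } END { print h }' "$log")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# demo_preserve: constructed demo. A small text file plays the role of the
# seized device; the contents are made up and contain no real personal data.
demo_preserve() {
    work=$(mktemp -d)
    printf 'customer_id;email\n42;j.jansen@example.com\n' > "$work/seized-device.bin"
    preserve_evidence "$work/seized-device.bin" "$work/evidence-001.dd" "$work/custody.log"
    verify_evidence "$work/evidence-001.dd" "$work/custody.log"
}

# Run stand-alone: prints the image hash, exits non-zero on any mismatch.
demo_preserve
```

Keep the custody log outside the imaged system and copy it, with the image, to storage the incident team controls; the hash in the log is what later lets you show the AP or a court that the copy analysed is the copy taken on day one.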
Hour 4 to 24: determine impact
- Which personal data are involved? Names, addresses, BSN (the Dutch citizen service number), medical, financial, login credentials?
- How many data subjects? Estimate broadly at the start, refine later.
- Which special categories (GDPR art. 9) are affected?
- Which consequences are conceivable for data subjects? Identity fraud, blackmail, discrimination, financial loss, defamation?
- Is the data encrypted or otherwise protected, and is the key still under your control? Properly encrypted data with an uncompromised key may lead to the conclusion that no notification is required.
- Inform internal stakeholders (management, supervisory board, audit).
Hour 24 to 48: decide and draft
Now comes the core decision: notify the AP or not?
- Do not notify: permitted if it is unlikely that the breach poses a risk to the rights and freedoms of data subjects. Record the breach and this assessment in writing in your breach register: GDPR art. 33(5) requires you to document every breach, including the ones you do not notify, so the AP can check your reasoning afterwards. If in doubt: notify.
- Notify: at the Autoriteit Persoonsgegevens via autoriteitpersoonsgegevens.nl. Digital form.
In the notification you state:
- Nature of the breach (theft, transmission, hack, loss)
- Categories and number of data subjects
- Categories and approximate number of personal data records
- Likely consequences
- Measures taken
- Contact details of the DPO or controller
Not all information ready yet? That is allowed. You submit a phased notification: a first notification with the information available within 72 hours, with additions as the investigation progresses. GDPR art. 33(4) explicitly permits this. What is not allowed is waiting past 72 hours until the picture is complete.
Informing data subjects: when?
Article 34 requires you to inform data subjects if the breach poses a high risk. In practice that means:
- BSN, identity documents, credit card details involved: yes.
- Medical or financial data involved: yes.
- Email addresses only without passwords and without sensitive context: often not.
- Encrypted data, key not compromised: often not.
Information to data subjects contains: nature of the breach, expected consequences, measures you are taking, contact person, advice for the data subject (e.g. change passwords, alert the bank).
Hour 48 to 72: submit and communicate
- Submit the notification to the AP.
- If necessary, inform data subjects by letter, email or publication.
- Internal communication: what may and may not be shared by staff.
- Alignment with processors involved in the breach. A processor must report a breach to you without undue delay (GDPR art. 33(2)); check the reporting obligations and liability in the processor agreement.
- Preparation for possible media attention.
- Keep a log of all decisions and actions.
Data breach due to missing archives or unsecured transport?
We will come within 24 hours with an on-site shredder and prevent a second data breach. All destruction on site, certificate per order for your GDPR file.
After hour 72: aftercare and learning
A data breach notification is not an endpoint. The AP can ask additional questions, start an investigation, impose fines. Make sure that you:
- Have an impact report ready within 7 days for internal use
- Conduct a root cause analysis within 30 days
- Implement measures within 60 days that prevent recurrence
- Add the incident to your breach register (GDPR art. 33(5)) and include it in your audit-ready archive as an ‘incident’ appendix
Specific scenarios around destruction
Data breaches due to poor destruction happen regularly:
Paper boxes in the waste paper
An employee accidentally puts archive boxes by the paper container. As soon as someone finds legible data, it is a data breach. Direct action: try to retrieve the boxes, analyse the incident, notify, tighten policy.
Unencrypted laptop stolen
Laptop with company data unencrypted. A breach unless it can be proved that the thief gained no access (rare). Notify and inform data subjects.
Destruction container lost during transport
A container disappears en route between client and central shredding facility. Without a sealed container and the seal numbers recorded on the destruction certificate, you cannot show what was in it or whether it was opened, so treat it as a breach. That is why on-site destruction makes sense: nothing leaves the premises before it is destroyed. See on-site versus offsite shredding.
USB stick left behind
Stick with customer data in a taxi, restaurant, train. Unless encrypted: a breach. See our article on USB and SD safe disposal.
Internal reporting point and playbook
An organisation without a playbook loses hours in the first phase. Recommendations:
- An email address such as datalek@yourcompany.nl, monitored 24/7.
- A playbook with roles, telephone numbers and escalation paths.
- A template notification for the AP with fixed fields.
- A communications plan for data subjects and media.
- An annual exercise of a fictitious incident.
Fine risk
The AP has repeatedly imposed fines of 500,000 to 1 million euros for late notification or for the breach itself. In 2020 Booking.com was fined 475,000 euros because an incident had only been reported after 22 days. Main reproach: failure to meet the 72-hour deadline. The lesson: when in doubt, notify early rather than late.
Prevent a breach through on-site destruction? Call us or request a quote via desnipperaar.nl. We are reachable 24/7 for urgent assignments.