Data Breach Management

Articles 33 and 34 of the GDPR require organizations to report certain types of data breaches to supervisory authorities and, in some cases, to affected individuals. Having a robust incident response plan is essential for GDPR compliance and protecting individuals’ rights.

A breach of security leading to the accidental or unlawful:

  • Destruction of personal data
  • Loss of personal data
  • Alteration of personal data
  • Unauthorized disclosure of personal data
  • Unauthorized access to personal data

Types of Breach:

  1. Confidentiality Breach: Unauthorized access or disclosure
  2. Integrity Breach: Unauthorized or accidental alteration
  3. Availability Breach: Accidental or unauthorized loss of access or destruction

Common Examples:

  • Laptop or device stolen containing personal data
  • Ransomware attack encrypting databases
  • Email sent to wrong recipient containing personal data
  • Unauthorized access to systems
  • Loss of unencrypted backup media
  • Phishing attack resulting in credential compromise
  • Malware infection exposing data
  • Paper records lost or stolen
  • Accidental deletion of data without backup

Reporting to the Supervisory Authority

Required When:

  • Breach is likely to result in a risk to the rights and freedoms of individuals
  • Must report within 72 hours of becoming aware of the breach

Not Required When:

  • Breach is unlikely to result in a risk to individuals’ rights and freedoms
  • You must still document the breach and your reasoning

Assessment Criteria:

  • Type of breach
  • Nature, sensitivity, and volume of data
  • Ease of identification of individuals
  • Severity of consequences for individuals
  • Special characteristics of individuals
  • Number of affected individuals

Notifying Affected Individuals

Required When:

  • Breach is likely to result in a high risk to the rights and freedoms of individuals
  • Must notify without undue delay

Not Required When:

  • You had appropriate technical and organizational protection measures in place (e.g., encryption)
  • You have taken subsequent measures that ensure the high risk is no longer likely
  • It would involve disproportionate effort (then make a public communication instead)

Consider:

  • Was data encrypted or otherwise protected?
  • Has breach been contained?
  • Is data intelligible to unauthorized person?
  • Can individuals be easily identified?
  • Are there other factors limiting risk?

Evaluate potential consequences:

  • Low Risk: Minimal or no impact (e.g., encrypted data)
  • Medium Risk: Some adverse effects (e.g., inconvenience, minor financial loss)
  • High Risk: Significant adverse effects (e.g., identity theft, financial fraud, discrimination, psychological harm)

Higher risk when breach involves:

  • Special category data (health, religious beliefs, etc.)
  • Criminal convictions data
  • Children’s data
  • Vulnerable individuals
  • Financial information
  • Location data
  • Large numbers of individuals

Supervisory Authority Notification

Timeline: Within 72 hours of becoming aware

Required Information:

  1. Nature of the breach

    • Categories of individuals affected
    • Approximate number of individuals
    • Categories of records affected
    • Approximate number of records
  2. Contact details

    • Name and contact of data protection officer or other contact
  3. Likely consequences

    • Description of likely consequences of the breach
  4. Measures taken or proposed

    • Actions taken to address the breach
    • Actions to mitigate possible adverse effects

Phased Reporting: If you can’t provide all information within 72 hours, provide what you have and submit additional information as it becomes available.
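The notification rules and risk criteria above, as an added example that is not Emily Helps' own code or tooling: a small Python triage routine that maps a breach's facts onto the Low/Medium/High scale and produces the two notification decisions (supervisory authority within 72 hours of awareness; individuals without undue delay, subject to the listed exceptions). The category labels, the 1,000-individual threshold for "large numbers", the treatment of Medium risk as "likely to result in a risk", and the three constructed incidents are all this example's assumptions.

```python
"""Added example (not Emily Helps' own code): breach triage following the
risk criteria and notification rules described on this page."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Data categories the page lists as raising the risk level. The labels are this
# example's own taxonomy, not a standard one.
HIGH_RISK_CATEGORIES = {
    "special_category", "criminal_convictions", "children",
    "vulnerable_individuals", "financial", "location",
}
LARGE_NUMBER_THRESHOLD = 1000             # assumed; the page gives no figure
AUTHORITY_DEADLINE = timedelta(hours=72)  # counted from becoming aware


@dataclass
class BreachFacts:
    breach_types: set[str]         # subset of {"confidentiality", "integrity", "availability"}
    data_categories: set[str]
    individuals_affected: int
    aware_at: datetime
    data_encrypted: bool           # data unintelligible to an unauthorised person
    contained: bool
    individuals_identifiable: bool
    disproportionate_effort: bool = False             # direct notices infeasible
    high_risk_removed_by_later_measures: bool = False


@dataclass
class Decision:
    risk: Risk
    report_to_authority: bool = False
    authority_deadline: datetime | None = None
    notify_individuals: bool = False
    individual_method: str = "none"   # "direct", "public_communication" or "none"
    reasoning: list[str] = field(default_factory=list)


def assess_risk(b: BreachFacts) -> Risk:
    """Map the assessment criteria onto the Low/Medium/High scale used above."""
    if b.data_encrypted:
        return Risk.LOW            # protected data: minimal or no impact
    if b.data_categories & HIGH_RISK_CATEGORIES:
        return Risk.HIGH           # special category, children's, financial, location data
    if b.individuals_affected >= LARGE_NUMBER_THRESHOLD:
        return Risk.HIGH           # large numbers of individuals
    if b.contained and not b.individuals_identifiable:
        return Risk.LOW            # contained and individuals not easily identified
    return Risk.MEDIUM             # some adverse effects likely


def decide_notifications(b: BreachFacts) -> Decision:
    """Article 33/34 decision as this example interprets the rules above."""
    d = Decision(risk=assess_risk(b))
    # Supervisory authority: required when a risk is likely. This example treats
    # Medium and High as "likely to result in a risk" and Low as "unlikely".
    if d.risk is Risk.LOW:
        d.reasoning.append("risk unlikely: no report, but breach and reasoning recorded")
    else:
        d.report_to_authority = True
        d.authority_deadline = b.aware_at + AUTHORITY_DEADLINE
        d.reasoning.append("risk likely: report to supervisory authority within 72 hours")
    # Individuals: only for high risk, subject to the exceptions listed above.
    # The encryption exception is already covered: encrypted data is Low risk.
    if d.risk is Risk.HIGH:
        if b.high_risk_removed_by_later_measures:
            d.reasoning.append("subsequent measures: high risk no longer likely")
        else:
            d.notify_individuals = True
            d.individual_method = ("public_communication" if b.disproportionate_effort
                                   else "direct")
            d.reasoning.append(f"high risk: notify individuals without undue delay "
                               f"({d.individual_method})")
    return d


SAMPLE_AWARE_AT = datetime(2025, 10, 6, 9, 0, tzinfo=timezone.utc)  # constructed


def sample_decisions() -> dict[str, Decision]:
    """Three constructed incidents in the spirit of the examples on this page."""
    return {
        "encrypted_laptop": decide_notifications(BreachFacts(
            {"confidentiality", "availability"}, {"contact_details"}, 200,
            SAMPLE_AWARE_AT, data_encrypted=True, contained=True,
            individuals_identifiable=True)),
        "misdirected_email": decide_notifications(BreachFacts(
            {"confidentiality"}, {"contact_details"}, 3, SAMPLE_AWARE_AT,
            data_encrypted=False, contained=True, individuals_identifiable=True)),
        "ransomware_exfiltration": decide_notifications(BreachFacts(
            {"confidentiality", "availability"}, {"special_category", "financial"},
            25000, SAMPLE_AWARE_AT, data_encrypted=False, contained=False,
            individuals_identifiable=True, disproportionate_effort=True)),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(name, decision.risk.value, "; ".join(decision.reasoning))
```

The reasoning list is the part worth keeping: the page requires you to document the decision even when no report is made, so every branch records why it was taken.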

How to Report:

Individual Notification

Timeline: Without undue delay

Required Information:

  • Nature of the breach in clear and plain language
  • Contact details of data protection officer or other contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Method:

  • Direct communication (email, letter, phone)
  • If disproportionate effort: public communication or similar measure
  • Must ensure individuals can easily take notice

Emily Helps Features:

  • Breach notification templates
  • Bulk notification tools
  • Communication tracking
  • Plain language guidance

Phase 1: Detection and Initial Response (0-24 hours)

  1. Detect: Identify potential breach
  2. Assess: Determine if it’s a personal data breach
  3. Contain: Take immediate action to contain the breach
  4. Activate: Initiate incident response team
  5. Preserve: Secure evidence for investigation

Key Actions:

  • Isolate affected systems
  • Change compromised credentials
  • Block unauthorized access
  • Preserve logs and evidence
  • Document initial findings

Phase 2: Assessment and Notification (0-72 hours)

  1. Investigate: Determine scope and nature of breach

    • What data was affected?
    • How many individuals?
    • What happened?
    • When did it happen?
    • How did it happen?
  2. Risk Assessment: Evaluate risk to individuals

    • Likelihood of harm
    • Potential impact
    • Mitigating factors
  3. Decision: Determine notification requirements

    • Report to supervisory authority?
    • Notify individuals?
    • Both?
    • Neither (but document why)?
  4. Notify: If required, submit notifications

    • Supervisory authority (within 72 hours)
    • Affected individuals (without undue delay)

Phase 3: Recovery and Remediation (Days-Weeks)

  1. Remediate: Fix vulnerabilities that led to breach
  2. Monitor: Watch for further indicators of compromise
  3. Support: Provide assistance to affected individuals
  4. Update: Keep stakeholders informed of progress
  5. Document: Maintain detailed records of all actions

Phase 4: Review and Improvement (Weeks-Months)

  1. Analyze: Conduct post-incident review

    • What went wrong?
    • What went well?
    • What could be improved?
  2. Learn: Identify lessons learned

  3. Improve: Update policies, procedures, and controls

  4. Train: Provide additional training if needed

  5. Test: Update and test incident response plan

You must maintain a record of all breaches, including:

  • Facts surrounding the breach
  • Effects of the breach
  • Remedial action taken

Required Even If: the breach does not have to be reported to the supervisory authority.

Breach Log Contents:

  • Date and time of breach
  • Date and time discovered
  • Nature of the breach
  • Personal data affected
  • Number of individuals affected
  • Number of records affected
  • Cause of the breach
  • Actions taken to contain
  • Risk assessment performed
  • Decision on notification (and reasoning)
  • Notifications sent (when, to whom, content)
  • Remediation steps taken
  • Lessons learned and improvements
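The record-keeping requirement above, as an added example that is not Emily Helps' own breach log: a Python breach register that stores the fields just listed for every breach, whether or not it is reported, flags mandatory fields still empty (so that phased reporting stays visible), and lists records whose 72-hour report to the supervisory authority is outstanding. The field names, the two constructed records and their timestamps are this example's assumptions.

```python
"""Added example (not Emily Helps' own code): a breach register holding the
fields listed above, with deadline and completeness checks."""
from __future__ import annotations
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
import json

REPORT_WINDOW = timedelta(hours=72)   # runs from when the breach was discovered

# Fields that must be populated for every breach, reported or not.
MANDATORY_FIELDS = (
    "occurred_at", "discovered_at", "nature", "personal_data_affected",
    "individuals_affected", "records_affected", "cause", "containment_actions",
    "risk_assessment", "notification_decision", "decision_reasoning",
)


@dataclass
class Notification:
    recipient: str      # "supervisory_authority" or "individuals"
    sent_at: datetime
    content: str        # what was sent, or a reference to the stored copy


@dataclass
class BreachRecord:
    reference: str
    occurred_at: datetime | None
    discovered_at: datetime
    nature: str
    personal_data_affected: list[str]
    individuals_affected: int | None
    records_affected: int | None
    cause: str
    containment_actions: list[str]
    risk_assessment: str             # "low", "medium" or "high"
    notification_decision: str       # "authority", "individuals", "both" or "none"
    decision_reasoning: str          # required even when the decision is "none"
    notifications: list[Notification] = field(default_factory=list)
    remediation_steps: list[str] = field(default_factory=list)
    lessons_learned: list[str] = field(default_factory=list)

    def missing_fields(self) -> list[str]:
        """Mandatory fields that are still empty (None, empty string or empty list)."""
        return [f for f in MANDATORY_FIELDS if getattr(self, f) in (None, "", [])]

    def authority_deadline(self) -> datetime:
        return self.discovered_at + REPORT_WINDOW

    def notified(self, recipient: str) -> bool:
        return any(n.recipient == recipient for n in self.notifications)

    def authority_report_overdue(self, now: datetime) -> bool:
        return (self.notification_decision in ("authority", "both")
                and not self.notified("supervisory_authority")
                and now > self.authority_deadline())


class BreachRegister:
    def __init__(self) -> None:
        self._records: dict[str, BreachRecord] = {}

    def add(self, record: BreachRecord) -> None:
        if record.reference in self._records:
            raise ValueError(f"duplicate breach reference {record.reference}")
        self._records[record.reference] = record

    def record_notification(self, reference: str, n: Notification) -> None:
        self._records[reference].notifications.append(n)

    def overdue(self, now: datetime) -> list[str]:
        """References whose authority report is required, unsent and past 72 hours."""
        return sorted(r.reference for r in self._records.values()
                      if r.authority_report_overdue(now))

    def incomplete(self) -> dict[str, list[str]]:
        """References with mandatory fields still empty, and which fields."""
        return {r.reference: r.missing_fields()
                for r in self._records.values() if r.missing_fields()}

    def to_json(self) -> str:
        return json.dumps([asdict(r) for r in self._records.values()],
                          default=str, indent=2)


DISCOVERED = datetime(2025, 10, 6, 14, 30, tzinfo=timezone.utc)   # constructed


def build_sample_register() -> BreachRegister:
    """Two constructed records: one reportable and not yet reported, one logged only."""
    reg = BreachRegister()
    reg.add(BreachRecord(
        reference="BR-0001", occurred_at=DISCOVERED - timedelta(days=2),
        discovered_at=DISCOVERED,
        nature="confidentiality: unauthorised access to a CRM export",
        personal_data_affected=["names", "email addresses", "health notes"],
        individuals_affected=420,
        records_affected=None,            # still being counted: phased reporting
        cause="phished staff credentials",
        containment_actions=["credentials reset", "export share revoked"],
        risk_assessment="high", notification_decision="both",
        decision_reasoning="special category data; individuals easily identified"))
    reg.add(BreachRecord(
        reference="BR-0002", occurred_at=DISCOVERED, discovered_at=DISCOVERED,
        nature="confidentiality: encrypted laptop stolen",
        personal_data_affected=["customer contact details"],
        individuals_affected=150, records_affected=150,
        cause="theft from vehicle",
        containment_actions=["remote wipe issued", "device credentials revoked"],
        risk_assessment="low", notification_decision="none",
        decision_reasoning="full-disk encryption; data unintelligible to the thief"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("overdue:", reg.overdue(DISCOVERED + REPORT_WINDOW * 2))
    print("incomplete:", reg.incomplete())
```

Running `overdue()` on a schedule (and alerting on a non-empty result) is the practical check here: it turns the 72-hour rule into something the register enforces rather than something the team has to remember.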

Emily Helps Features:

  • Structured breach recording
  • Risk assessment tools
  • Notification tracking
  • Remediation tracking
  • Reporting and analytics

Incident Response Team Roles:

  1. Incident Manager

    • Overall coordination
    • Decision-making authority
    • External communications
  2. Technical Lead

    • Technical investigation
    • Containment and remediation
    • Evidence preservation
  3. Legal/DPO

    • GDPR compliance assessment
    • Notification requirements
    • Regulatory liaison
  4. Communications Lead

    • Internal communications
    • Individual notifications
    • Public relations (if needed)
  5. Business Representatives

    • Business impact assessment
    • Operational decisions
    • Resource allocation

Escalate immediately if:

  • Large number of individuals affected
  • Special category data involved
  • Children’s data involved
  • High-profile individuals affected
  • Significant system compromise
  • Media attention likely
  • Regulatory interest likely
  • Legal action possible

Ransomware Attack

Immediate Actions:

  • Isolate infected systems
  • Do not pay ransom without expert advice
  • Assess data exfiltration
  • Notify law enforcement
  • Engage cybersecurity experts

GDPR Considerations:

  • Availability breach (even if no data stolen)
  • High risk if data exfiltrated
  • Report within 72 hours if risk to individuals

Phishing Attack

Immediate Actions:

  • Reset compromised credentials
  • Review access logs
  • Block attacker access
  • Alert all staff

GDPR Considerations:

  • Confidentiality breach
  • Assess what data was accessed
  • Risk depends on data exposed

Device Loss

Immediate Actions:

  • Remote wipe if possible
  • Change credentials
  • Review data on device
  • Report to police

GDPR Considerations:

  • Low risk if encrypted
  • High risk if unencrypted
  • Consider data sensitivity and volume

Unauthorized Access

Immediate Actions:

  • Revoke access
  • Review audit logs
  • Determine scope of access
  • HR investigation

GDPR Considerations:

  • Confidentiality breach
  • Assess why access occurred
  • Review access controls

Misdirected Email

Immediate Actions:

  • Request return/deletion
  • Recall email if possible
  • Follow up to confirm

GDPR Considerations:

  • Confidentiality breach
  • Risk depends on recipient
  • Consider data sensitivity

Technical Measures:

  • Encryption (data at rest and in transit)
  • Access controls and authentication
  • Network segmentation
  • Intrusion detection/prevention
  • Security monitoring and logging
  • Regular patching and updates
  • Backup and recovery
  • Endpoint protection

See: Data Security Measures

Organizational Measures:

  • Security policies and procedures
  • Staff training and awareness
  • Incident response plan
  • Regular security assessments
  • Vendor management
  • Physical security
  • Clear desk policy
  • Secure disposal procedures

Mitigations for Common Breach Types:

  • Phishing: Security awareness training, email filtering
  • Ransomware: Backups, endpoint protection, network segmentation
  • Device Loss: Encryption, remote wipe, device tracking
  • Unauthorized Access: Strong authentication, access reviews, least privilege
  • Misdirected Communications: Verification procedures, email warnings

If you experience a breach:

  1. Contact Emily Helps support immediately
  2. Provide initial breach details
  3. Work with our team to assess impact
  4. Access breach response tools and templates
  5. Receive guidance on notification requirements

As data processor, Emily Helps will:

  • Notify you without undue delay upon becoming aware of a breach affecting your data
  • Provide information about the breach
  • Assist with investigation and remediation
  • Cooperate with regulatory authorities
  • Implement security measures to prevent future breaches

See: Data Processing Agreement

Best Practices:

  1. Prepare: Have an incident response plan before a breach occurs
  2. Train: Ensure all staff know how to identify and report breaches
  3. Test: Regularly test your incident response procedures
  4. Detect: Implement monitoring to quickly detect breaches
  5. Respond: Act quickly when a breach is discovered
  6. Document: Keep detailed records of all breaches and responses
  7. Learn: Use each incident to improve your security
  8. Review: Regularly update your breach response plan

Breach Response Checklist:

  • Breach detected and confirmed
  • Incident response team activated
  • Breach contained
  • Evidence preserved
  • Scope and impact assessed
  • Risk assessment completed
  • Notification decision made
  • Supervisory authority notified (if required, within 72 hours)
  • Individuals notified (if required, without undue delay)
  • Emily Helps support contacted (if relevant)
  • Breach documented in breach log
  • Remediation actions implemented
  • Monitoring for further compromise
  • Post-incident review scheduled
  • Lessons learned documented
  • Policies and procedures updated
  • Additional training provided (if needed)

Templates:

  • Breach notification to supervisory authority
  • Breach notification to individuals
  • Breach log template
  • Risk assessment template
  • Post-incident review template

Further Resources:

  • ICO Guide to Data Security Incident Management
  • ENISA Breach Notification Guidelines
  • EDPB Guidelines on Breach Notification
  • National Cyber Security Centre (NCSC) Incident Management

Key Contacts:

  • Emily Helps Support: [support contact]
  • Your DPO: [your DPO contact]
  • Local Supervisory Authority: [relevant authority]
  • Law Enforcement: [local cybercrime unit]

Last updated: October 2025