A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Under Articles 33 and 34 of the GDPR, organisations must notify their supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms — and must notify the affected individuals themselves if the risk is high.
GDPR4All's Breach Management module helps you log incidents, track the critical 72-hour notification deadline, manage the resolution process, and maintain the documentation that demonstrates your compliance.
What Constitutes a Data Breach
Not every security incident is a data breach, and not every data breach requires notification. A breach occurs specifically when personal data is compromised. Common examples include:
- Confidentiality breach — personal data is disclosed to or accessed by an unauthorised party (e.g., an email containing customer details is sent to the wrong recipient).
- Availability breach — personal data is lost or destroyed and cannot be recovered (e.g., a ransomware attack encrypts your customer database and no backup exists).
- Integrity breach — personal data is altered without authorisation (e.g., a database error corrupts patient records).
Even seemingly minor incidents — a lost USB drive, an unlocked laptop left on a train, a misdirected email — can constitute a reportable breach if personal data is involved.
Creating a Breach Incident Record
When a breach occurs, navigate to Compliance > Breaches and click New Breach. Complete the form with as much detail as is available at the time — you can always update the record as your investigation progresses.
Key Fields
- Title — a brief, descriptive name for the incident (e.g., "Misdirected email containing client financial data").
- Date and time discovered — the exact moment the breach came to your attention. This is the starting point for the 72-hour countdown, so accuracy matters.
- Severity level — choose from LOW, MEDIUM, HIGH, or CRITICAL. Severity reflects the potential impact on affected individuals. A breach involving sensitive health data affecting thousands of people is CRITICAL; a misdirected email containing a single name and email address may be LOW.
- Data categories — select the types of personal data involved (names, email addresses, financial data, health data, identity documents, and so on).
- Description — a detailed account of what happened, how it was discovered, and what data was affected.
- Number of individuals affected — your best estimate, which you can refine as the investigation continues.
- Containment measures — what immediate steps were taken to stop the breach and prevent further data loss.
The 72-Hour Countdown Timer
GDPR4All's most distinctive breach feature is the 72-hour countdown timer. The moment you record a breach and save the discovery date and time, the platform starts counting down the hours and minutes remaining until the notification deadline.
Where the Timer Appears
- Breach list page — each open breach shows a compact countdown next to its row, so you can see at a glance how much time remains for every active incident.
- Breach detail page — a prominent compliance box at the top of the page displays the countdown in a larger format, with colour-coded urgency indicators.
- Dashboard alerts — if a breach is approaching or has exceeded the 72-hour window, an alert banner appears on your main dashboard.
Colour Coding
- Green — more than 24 hours remaining. You have time, but do not delay.
- Amber — fewer than 24 hours remaining. Prioritise your assessment and notification.
- Red — the 72-hour window has expired. If notification was required and has not been made, you are in breach of Article 33.
The timer is calculated from the Date and time discovered field, not from the date the breach actually occurred. This aligns with the GDPR's requirement that the clock starts when the controller becomes "aware" of the breach.
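As an added illustration of the timer logic described in this section (example code written for this page, not GDPR4All's own implementation), the following computes the 72-hour deadline from the discovery timestamp, classifies the remaining time into the green/amber/red bands given above, and derives the list-page and dashboard views from it. The `Breach` field names and the dashboard rule (alert on amber or red for incidents that are not Closed and not yet marked as notified) are assumptions; the sample incidents are constructed.

```python
"""72-hour breach-notification countdown (added example, not GDPR4All code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)   # Article 33(1): 72 hours from awareness
AMBER_THRESHOLD = timedelta(hours=24)       # amber when fewer than 24 hours remain


def notification_deadline(discovered_at: datetime) -> datetime:
    """The clock runs from the moment the controller became aware (discovery),
    never from when the incident actually occurred."""
    if discovered_at.tzinfo is None:
        # A naive timestamp is ambiguous across sites and DST changes; refuse it
        # rather than silently computing a deadline that may be hours off.
        raise ValueError("discovered_at must be timezone-aware")
    return discovered_at + NOTIFICATION_WINDOW


def countdown(discovered_at: datetime, now: Optional[datetime] = None) -> tuple[str, timedelta]:
    """Return (colour, remaining). 'remaining' goes negative once the window expires."""
    now = now if now is not None else datetime.now(timezone.utc)
    remaining = notification_deadline(discovered_at) - now
    if remaining <= timedelta(0):
        colour = "RED"            # window expired
    elif remaining < AMBER_THRESHOLD:
        colour = "AMBER"          # fewer than 24 hours left
    else:
        colour = "GREEN"          # 24 hours or more left (exactly 24h is still green)
    return colour, remaining


def format_remaining(remaining: timedelta) -> str:
    """Compact 'Hh MMm' for the breach list; 'expired Hh MMm ago' once negative."""
    expired = remaining < timedelta(0)
    total_minutes = int(abs(remaining).total_seconds() // 60)
    hours, minutes = divmod(total_minutes, 60)
    text = f"{hours}h {minutes:02d}m"
    return f"expired {text} ago" if expired else text


@dataclass
class Breach:
    title: str
    discovered_at: datetime
    status: str                  # Open / Investigating / Contained / Resolved / Closed
    authority_notified: bool     # the "Supervisory Authority Notified" toggle (assumed name)


def dashboard_alerts(breaches: list[Breach], now: datetime) -> list[str]:
    """Assumed dashboard rule: banner for every breach that is not Closed, not yet
    marked as notified, and in the AMBER or RED band."""
    alerts = []
    for b in breaches:
        if b.status == "Closed" or b.authority_notified:
            continue
        colour, remaining = countdown(b.discovered_at, now)
        if colour in ("AMBER", "RED"):
            alerts.append(f"{b.title}: {colour} ({format_remaining(remaining)})")
    return alerts


if __name__ == "__main__":
    # Constructed sample incidents for demonstration only.
    discovered = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    sample = [
        Breach("Misdirected email", discovered, "Investigating", False),
        Breach("Lost USB drive", discovered - timedelta(hours=30), "Contained", False),
        Breach("Ransomware on CRM", discovered - timedelta(hours=80), "Resolved", True),
    ]
    now = discovered + timedelta(hours=20)
    for b in sample:
        colour, remaining = countdown(b.discovered_at, now)
        print(f"{b.title:20} {colour:5} {format_remaining(remaining)}")
    print(dashboard_alerts(sample, now))
```

Two design points worth keeping if you build something similar: reject naive timestamps at the boundary, because a discovery time entered in local time on one site and read as UTC on another shifts the deadline by hours; and treat exactly 24 hours remaining as green, matching the "fewer than 24 hours" wording of the amber band.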
Tracking Resolution
Every breach follows a status workflow that mirrors a typical incident response process:
- Open — the breach has been logged and the investigation is beginning.
- Investigating — the incident response team is actively gathering facts, determining scope, and identifying the root cause.
- Contained — the immediate threat has been neutralised. No further data loss is occurring, but the root cause may still need to be addressed.
- Resolved — the root cause has been fixed, affected individuals have been notified (if required), and remediation measures are in place.
- Closed — the incident is fully documented and closed. Lessons learned have been recorded.
Update the status as your response progresses. Each status change is logged in the audit trail, providing a clear record of your response timeline.
Notifying the Supervisory Authority
Not every breach requires notification to the supervisory authority. Notification is required when the breach is "likely to result in a risk to the rights and freedoms of natural persons". If the breach is unlikely to pose such a risk (for example, encrypted data was lost but the encryption key was not compromised), you may decide not to notify — but you must still document the breach and your reasoning.
When notification is required:
- It must be made within 72 hours of becoming aware of the breach.
- If you cannot provide all details within 72 hours, you may provide information in phases.
- The notification must include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken to address the breach.
In GDPR4All, the Supervisory Authority Notified field is a toggle that can only be set by users with approval-level permissions (Client Admin, DPO, or Platform Admin). This ensures that the decision to mark a breach as notified is made by someone with appropriate authority.
Notifying Data Subjects
If the breach is likely to result in a high risk to individuals' rights and freedoms, Article 34 requires you to notify the affected data subjects directly. This is a higher threshold than authority notification. High risk might include breaches involving financial data that could lead to fraud, health data that could cause distress, or identity data that could enable identity theft.
The notification to individuals should:
- Be in clear, plain language
- Describe the nature of the breach
- Provide the name and contact details of your DPO or other contact point
- Describe the likely consequences
- Describe the measures taken to address and mitigate the breach
GDPR4All's Document Generator can help you create a Breach Notification document linked directly to the breach record, ensuring consistency between your internal records and external communications.
Tips for Effective Breach Management
- Document everything — from the moment a breach is suspected, keep a detailed log of every action taken, every person involved, and every decision made. This is your evidence of accountability.
- Rehearse your incident response — do not wait for a real breach to test your processes. Run tabletop exercises at least annually so your team knows exactly who does what when an incident occurs.
- Set up internal escalation paths — make sure every employee knows how to report a suspected breach and who to escalate it to. Speed is critical when the 72-hour clock is ticking.
- Assess severity honestly — it can be tempting to downplay a breach, but underestimating severity can lead to inadequate response and greater regulatory consequences later.
- Learn from every incident — after closing a breach, conduct a post-incident review. What went wrong? What could be improved? Feed those lessons back into your security measures and update your ROPA if the breach revealed a previously undocumented processing activity.
- Keep your ROPA linked — breaches often reveal gaps in your Records of Processing Activities. After every incident, review your ROPA to ensure it accurately reflects the data that was compromised and the processing activity it relates to.
The 72-hour deadline is tight, but with a well-documented process and the right tools, meeting it becomes manageable. GDPR4All ensures you never lose sight of the clock.