
Personal Data Breach: How to React in 72 Hours

Incident response guide for personal data security breaches under GDPR.

January 18, 2026 · 13 min read · By Jônata Guimarães

Introduction

When a personal data breach occurs, time is critical. GDPR (Article 33) requires notification to the supervisory authority within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The clock starts at awareness, not at the end of the investigation. This guide presents the essential steps.

First 24 Hours

Hour 0-4: Detection and Containment

  1. Confirm the incident - verify that personal data was actually affected (destroyed, lost, altered, disclosed or accessed without authorisation) and not just a security event with no data impact
  2. Contain the threat - isolate affected systems, revoke compromised credentials and sessions
  3. Preserve evidence - don't delete or rotate logs; take disk snapshots or forensic images before rebuilding anything, since containment steps like reimaging destroy evidence
  4. Activate response team - contact responsible parties (IT, DPO, legal, management)

Hour 4-12: Initial Assessment

  1. Identify affected data - which categories (identification, contact, financial, credentials, health)? Special categories raise the risk
  2. Estimate number of subjects - how many people, and how many records?
  3. Assess risk - how likely is harm to the subjects, and how severe (identity theft, fraud, discrimination, loss of confidentiality)?
  4. Document everything - keep a timestamped chronological record, starting with the moment you became aware, because that moment starts the 72-hour clock

Hour 12-24: Impact Analysis

  1. Classify the breach - unlikely to result in risk, low, medium or high risk
  2. Determine obligations - notify the CNPD (the Portuguese supervisory authority)? Communicate to data subjects?
  3. Prepare communications - notification drafts
  4. Consult legal counsel - validate strategy
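The first-24-hour procedure above as an added example (code written for this page, not tooling from the article or its author): a small Python incident record that tracks the 72-hour clock from the moment of awareness, keeps an append-only chronological log, fingerprints preserved logs with SHA-256 so later tampering is detectable, and maps the risk classification to the notification duties. The class and function names (`BreachRecord`, `obligations`, `example_incident`) and the sample auth log are constructed for illustration.

```python
"""Incident record for the first hours of a personal data breach.

Added example, not tooling from the article or its author; the class and
function names and every sample value below are constructed for illustration.
Tracks the 72-hour clock from awareness (GDPR Art. 33(1)), keeps an
append-only chronological log, fingerprints evidence with SHA-256 and maps
the risk rating to the notification duties described in the guide.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

NOTIFICATION_WINDOW = timedelta(hours=72)  # counted from awareness, not from root-cause analysis
RISK_LEVELS = ("unlikely", "low", "medium", "high", "unknown")

# Constructed sample log, not a real capture (203.0.113.0/24 is a documentation range).
SAMPLE_AUTH_LOG = (
    b"2026-01-18T08:52:11Z sshd[4123]: Accepted publickey for deploy from 203.0.113.7 port 51822\n"
    b"2026-01-18T08:53:40Z sudo: deploy : COMMAND=/usr/bin/pg_dump customers\n"
    b"2026-01-18T08:57:02Z sshd[4123]: Disconnected from user deploy 203.0.113.7\n"
)


def obligations(risk: str) -> Dict[str, bool]:
    """Notification duties for a risk rating.

    'unlikely': no notification, but the breach is still documented (Art. 33(5)).
    'low'/'medium': notify the supervisory authority (CNPD in Portugal) within 72 h.
    'high': also communicate to the data subjects without undue delay (Art. 34).
    'unknown': "when in doubt, notify" the authority.
    """
    if risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {risk!r}")
    return {
        "document_internally": True,
        "notify_authority": risk != "unlikely",
        "notify_subjects": risk == "high",
    }


@dataclass
class BreachRecord:
    aware_at: datetime                                      # moment the controller became aware (UTC)
    events: List[Tuple[datetime, str]] = field(default_factory=list)
    evidence: Dict[str, str] = field(default_factory=dict)  # artefact name -> sha256 hex digest
    risk: Optional[str] = None

    def log(self, at: datetime, note: str) -> None:
        # Backdating is refused so the timeline stays credible to an authority.
        if at < self.aware_at:
            raise ValueError("event predates awareness")
        if self.events and at < self.events[-1][0]:
            raise ValueError("events must be appended in chronological order")
        self.events.append((at, note))

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_left(self, now: datetime) -> float:
        """Hours left before the Art. 33 deadline; negative once it has passed."""
        return (self.deadline() - now) / timedelta(hours=1)

    def preserve(self, name: str, content: bytes, at: datetime) -> str:
        """Fingerprint an evidence artefact (log export, disk image) and log the act."""
        digest = hashlib.sha256(content).hexdigest()
        if self.evidence.get(name, digest) != digest:
            raise ValueError(f"{name!r} already preserved with a different hash")
        self.evidence[name] = digest
        self.log(at, f"evidence preserved: {name} sha256={digest[:16]}...")
        return digest

    def verify(self, name: str, content: bytes) -> bool:
        """True if the artefact still matches the hash recorded at preservation time."""
        return self.evidence.get(name) == hashlib.sha256(content).hexdigest()

    def classify(self, risk: str, at: datetime) -> Dict[str, bool]:
        duties = obligations(risk)
        self.risk = risk
        self.log(at, f"risk classified as {risk}; duties={duties}")
        return duties


def example_incident() -> BreachRecord:
    """Walk a constructed incident through the guide's first 24 hours."""
    t0 = datetime(2026, 1, 18, 9, 15, tzinfo=timezone.utc)
    rec = BreachRecord(aware_at=t0)
    rec.log(t0, "SOC confirms unauthorised export of the customer database")
    rec.log(t0 + timedelta(minutes=40), "DB host isolated; disk snapshot taken before any rebuild")
    rec.preserve("db-host-auth.log", SAMPLE_AUTH_LOG, at=t0 + timedelta(minutes=55))
    rec.log(t0 + timedelta(hours=6), "Affected: names, e-mails, password hashes; about 12,000 subjects")
    rec.classify("high", at=t0 + timedelta(hours=14))
    return rec


if __name__ == "__main__":
    rec = example_incident()
    print("deadline:", rec.deadline().isoformat(), "| risk:", rec.risk)
    for t, note in rec.events:
        print(t.isoformat(), note)
```

Run it directly to print the deadline and the timeline. `hours_left` goes negative once the Article 33 window has passed, and `verify` fails if a preserved log is later modified, which is exactly the question an authority or a court may later ask about the evidence.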

24-48 Hours

Notification to CNPD

When to notify:

  • Whenever the breach is likely to result in a risk to the rights and freedoms of natural persons; the exception in Article 33 covers only breaches unlikely to result in any risk
  • When in doubt, notify
  • If not all the information is available within 72 hours, notify with what you have and supplement it in phases; a notification made after 72 hours must state the reasons for the delay
  • Even breaches you decide not to notify must be documented in your internal breach register (Article 33(5))

Notification content:

  • Nature of the breach
  • Categories and number of subjects
  • DPO or responsible contact
  • Likely consequences
  • Measures adopted or proposed

Communication to Data Subjects

When to communicate:

  • If the breach is likely to result in a high risk to the rights and freedoms of the data subjects (Article 34), without undue delay
  • Not required if the data was rendered unintelligible to unauthorised persons (for example, properly encrypted) or if subsequent measures have removed the high risk; if individual contact would involve disproportionate effort, a public communication may be used instead

How to communicate:

  • In clear and plain language

Content:

  • What happened (without excessive technical details)
  • What data was affected
  • What we're doing
  • What the subject can do
  • Contact for questions

48-72 Hours

Final Documentation

  1. Complete incident record
  2. Archive evidence
  3. Prepare internal report
  4. Identify lessons learned

Corrective Measures

  1. Fix the root cause - patch the vulnerability, rotate any exposed credentials and keys, and verify the fix
  2. Update procedures
  3. Reinforce training
  4. Review vendor contracts

After 72 Hours

Follow-up

  • Monitor ongoing impact
  • Respond to data subject requests
  • Cooperate with CNPD if necessary
  • Update notification if there are new developments

Future Prevention

  • Review incident response plan
  • Conduct security tests
  • Update the data protection impact assessment (DPIA)
  • Consider cyber insurance

Conclusion

Preparation is the best defense. Have an incident response plan before you need it.

Jônata Guimarães

Lawyer · Digital Law

Practice areas: GDPR, LGPD and digital contracts, operating in Portugal and Brazil.

Need Legal Advice?

Get in touch to discuss how I can help your business with GDPR, LGPD and digital contract matters.
