Download the GDPR Data Breach Response Template
What Is a GDPR Data Breach?
Under the GDPR (Regulation EU 2016/679), a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes external cyberattacks, but also internal errors: a misconfigured database, an email sent to the wrong recipient, or a lost device containing unencrypted data.
Not every incident requires notification. The GDPR requires a risk-based assessment: if the breach is unlikely to result in any risk to individuals, you only need to document it internally. If it poses a risk, you must notify the supervisory authority within 72 hours. If the risk is high, you must also notify the individuals affected, without undue delay.
What makes breach response genuinely difficult is not the law but the time pressure. Most organisations lose precious minutes in the first hour of an incident because no one knows who does what. This template solves that problem.
What Does the GDPR Require When a Breach Occurs?
Articles 33 and 34 of the GDPR set out the obligations for breach management. In summary:
- Article 33: Notification to the supervisory authority: required when the breach is likely to result in a risk to the rights and freedoms of individuals. Notification must be made to the competent authority (in Spain, the AEPD) within 72 hours of becoming aware of the breach. If it is not possible to provide full information within 72 hours, an initial notification must be made and completed in phases.
- Article 34: Communication to data subjects: required when the breach is likely to result in a high risk to individuals. Notification must be made without undue delay and in clear, plain language, describing the nature of the breach, its likely consequences, measures taken and contact details for the DPO or responsible person.
- Article 33(5): Documentation obligation: all personal data breaches must be documented, regardless of whether notification is required. The record must include the facts relating to the breach, its effects and the remedial action taken, in enough detail for the supervisory authority to verify compliance with Article 33. This documentation will be reviewed in any audit or supervisory inspection.
Failure to notify within 72 hours where notification was required, or failure to document breaches properly, can result in significant fines: up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, under Article 83(4) of the GDPR.
Who Should Use This Template?
This template is designed for any organisation that processes personal data subject to the GDPR, which means virtually any business operating in or targeting the EU, regardless of where it is based. It is particularly useful for:
- Data Protection Officers (DPOs) who need a ready-to-deploy response structure that meets the requirements of Articles 33 and 34
- Legal and compliance teams at startups and scale-ups that have not yet formalised their breach response process
- IT and security managers who need a clear handoff protocol for what happens after an incident is detected
- HR, finance and operations teams who may be first to identify a breach (phishing email, lost device, accidental data disclosure) and need to know what to do next
- CEOs and founders at smaller companies with no dedicated DPO, who are responsible for breach response themselves
The template is practical by design: it asks the right questions in the right order, maps directly to the GDPR’s legal requirements and produces documentation that holds up under scrutiny from a supervisory authority.
Why Having a Breach Response Template Matters
When a breach occurs, every minute counts. The 72-hour notification clock starts running the moment you become aware of the incident, not when you finish investigating it. Organisations that improvise under pressure consistently make the same mistakes: delayed notifications, incomplete documentation, inconsistent risk assessments and communications to data subjects that create more confusion than they resolve.
Supervisory authorities do not only assess whether you notified, they assess how you managed the incident. A well-documented response, with clear risk reasoning and evidence of containment measures, is treated very differently from a late or incomplete notification with no internal documentation.
Having a template in place before an incident occurs means you are not making decisions about legal obligations, risk thresholds and communication protocols under time pressure. It means the people involved know their roles. And it means that whatever happens, you can demonstrate to regulators that you took your GDPR responsibilities seriously.
How PrivaLex Can Help
This template gives you a strong starting point. But a generic template has limits: it cannot account for your specific sector, the types of personal data you process, your organisational structure or your existing security controls.
At PrivaLex Partners we help companies go from a blank template to a fully operational, sector-specific breach response plan. That means customising the risk assessment criteria to your data types, building the escalation matrix for your team, integrating breach response into your broader GDPR compliance programme and ensuring your documentation would hold up in front of the AEPD or any other EU supervisory authority.
We also provide External DPO services for organisations that need ongoing GDPR oversight without hiring a full-time specialist, including acting as the point of contact for supervisory authorities, managing incident response in real time and maintaining the documentation required by Articles 30 and 33.
Frequently Asked Questions (FAQs)
What is this template and who is it for?
This is a free, ready-to-use GDPR Data Breach Response Template designed for DPOs, legal teams, compliance professionals and any organisation that processes personal data subject to the GDPR. It provides a structured process for documenting incidents, assessing risk, deciding on notifications and completing a post-incident review.
Do I have to notify the supervisory authority every time there is a data breach?
No. Under Article 33 of the GDPR, notification to the supervisory authority is only required when the breach is likely to result in a risk to the rights and freedoms of individuals. If the breach is unlikely to cause any risk, for example because the data was encrypted with a strong algorithm and the key has not been compromised, you must still document the incident internally but do not have to notify the authority. Note that encryption only addresses the confidentiality of the data: if the only copy of an encrypted dataset is lost or destroyed and there is no backup, that is still an availability breach and must be assessed on its own merits.
What does the 72-hour clock start from?
The 72-hour notification deadline runs from the moment the controller becomes aware of the breach, not from when the breach occurred. A controller is considered to be aware once it has a reasonable degree of certainty that a security incident has compromised personal data, so a short, well-documented initial investigation to confirm the facts is acceptable, but an open-ended one is not. If you are not able to provide complete information within 72 hours, you should submit an initial notification and follow up with additional information as soon as it becomes available. The GDPR permits a phased notification for this reason.
What happens if I do not notify within 72 hours?
Failure to notify the supervisory authority within 72 hours, where notification was required, can result in fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, under Article 83(4) of the GDPR. It can also trigger further supervisory scrutiny of your broader GDPR compliance programme. If notification is made late, Article 33(1) requires that it be accompanied by the reasons for the delay.
Does the template cover notification to data subjects as well?
Yes. The template includes a data subject communication template aligned with the requirements of Article 34 of the GDPR, covering what happened, what personal data was affected, what steps have been taken and what individuals can do to protect themselves. It also covers when communication to data subjects is required, specifically when the breach is likely to result in a high risk to individuals.
Do I need to document breaches even if I do not notify anyone?
Yes. Article 33(5) of the GDPR requires all personal data breaches to be documented, regardless of whether notification is required. The record must include the facts relating to the incident, its effects and the remedial action taken. This documentation must be sufficient for the supervisory authority to verify your compliance with Article 33 and will form part of any audit or inspection.
Can PrivaLex help us build a customised breach response plan?
Yes. PrivaLex can help you go from this template to a fully operational, sector-specific breach response plan tailored to your data types, organisational structure and existing security controls. We also offer External DPO services for organisations that need ongoing GDPR oversight, including real-time incident response support and ongoing documentation management.
