Data Breach Response Plan Template
A step-by-step data breach response template covering detection, containment, notification timelines, regulatory reporting, and post-incident review...
Updated 2026-03-05
Data Breach Response Plan
| # | Initiative | Owner | Timeline | Effort | Impact | Status |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |
| 5 | | | | | | |
Frequently Asked Questions
Do we need to notify the supervisory authority for every breach?
No. Under GDPR, notification is required unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons." If the exposed data was encrypted and the key was not compromised, or if the data was limited to non-sensitive categories affecting a small number of users, notification may not be required. Document your risk assessment and reasoning regardless.
What counts as "becoming aware" of a breach for the 72-hour deadline?
The Article 29 Working Party guidance says a controller should be regarded as "aware" when it has a reasonable degree of certainty that a security incident has led to personal data being compromised. Initial detection of anomalous activity does not start the clock. Confirmation that personal data was accessed or exfiltrated does.
Should we offer credit monitoring to affected users?
For breaches involving financial data, government IDs, or data that could enable identity theft, yes. For email and name exposure without financial data, credit monitoring is typically not necessary, but offering it demonstrates good faith and can reduce litigation risk.
How should we handle a breach involving a third-party sub-processor?
Your contract with the sub-processor should require them to notify you without undue delay. Once notified, the breach response obligation falls on you as the controller. Coordinate with the sub-processor on containment and forensics, but the regulatory notification and user notification are your responsibility. Review your [data processing agreements](/glossary/prioritization) to confirm contractual obligations.
What if we discover a breach that happened months ago?
The 72-hour notification clock starts from discovery, not from when the breach occurred. However, you must explain the delay between occurrence and discovery in your notification to the supervisory authority. A significant gap may prompt questions about your monitoring capabilities.