
Compliance & Governance

The first 72 hours after a GDPR data leak: a pragmatic playbook

GDPR's 72-hour notification clock starts when you become aware of a breach — not when you are sure of the scope. A clear playbook for the most pressured three days a CISO will face.

WPROIT Administrator
10 min read

The 72-hour clock under Article 33 GDPR starts ticking when you become aware of a personal-data breach — not when you have determined the scope. That nuance is where most organisations stumble. This playbook is built from real incidents WPROIT has supported across Germany, the Netherlands and Poland.

Hour 0–6: Triage and containment

Establish a single incident commander immediately. Their job is not to fix the problem — it is to coordinate the people who fix the problem. Open a war-room channel, snapshot affected systems for forensics, and block further lateral movement before you begin the investigation.
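The forensic snapshot step above only has value if the evidence you capture can later be shown to be unaltered, and the 72-hour clock only has value if everyone works from the same awareness timestamp. The following is an added example, not code from WPROIT or from the original article: it records an evidence manifest (SHA-256 and size of every collected artifact, who collected it, the moment of awareness and the derived Article 33 deadline) and re-verifies the artifacts later so that any modification is detected. File names, directory layout and the sample log content are constructed for the demonstration.

```python
import datetime
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read artifacts in chunks so large disk images do not need to fit in memory


def sha256_file(path):
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def notification_deadline_iso(awareness_iso):
    """Article 33(1) GDPR: notify the supervisory authority within 72 hours of becoming aware.
    Takes and returns ISO-8601 timestamps with an explicit UTC offset."""
    awareness = datetime.datetime.fromisoformat(awareness_iso)
    return (awareness + datetime.timedelta(hours=72)).isoformat()


def build_manifest(evidence_dir, collected_by, awareness_iso):
    """Hash every file in the evidence directory and bind it to the incident timeline."""
    artifacts = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            artifacts.append({"file": name,
                              "sha256": sha256_file(path),
                              "bytes": os.path.getsize(path)})
    return {
        "collected_by": collected_by,
        "collected_at_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "awareness_utc": awareness_iso,
        "notification_deadline_utc": notification_deadline_iso(awareness_iso),
        "artifacts": artifacts,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the names of artifacts that are missing or whose hash no longer matches."""
    mismatches = []
    for entry in manifest["artifacts"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["file"])
    return mismatches


def demo():
    """Constructed walkthrough: collect two sample artifacts, then show that editing one is detected."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed sample evidence, not real logs.
        with open(os.path.join(evidence_dir, "auth.log"), "w") as f:
            f.write("2024-05-01T09:58:12Z sshd[812]: Accepted publickey for svc-backup from 10.0.0.9\n")
        with open(os.path.join(evidence_dir, "netflow.csv"), "w") as f:
            f.write("ts,src,dst,bytes\n2024-05-01T10:03:40Z,10.0.0.9,10.0.2.15,48211\n")

        manifest = build_manifest(evidence_dir, "incident-commander (hypothetical)",
                                  "2024-05-01T10:15:00+00:00")
        clean = verify_manifest(evidence_dir, manifest)          # expected: []

        # Simulate a later, undocumented edit to one artifact.
        with open(os.path.join(evidence_dir, "auth.log"), "a") as f:
            f.write("tampered line\n")
        tampered = verify_manifest(evidence_dir, manifest)       # expected: ["auth.log"]

        return len(manifest["artifacts"]), clean, tampered, manifest["notification_deadline_utc"]


if __name__ == "__main__":
    print(demo())
```

Store the manifest outside the evidence directory (and ideally sign or append it to a write-once log) so that whoever later questions the integrity of the forensic snapshot has an independent record to check against.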

Hour 6–24: Scoping

Three questions matter to the regulator: what data, how much, who is affected? Answer them in that order. Be honest about what you do not yet know — supervisory authorities respect "we are still investigating" far more than premature certainty that turns out to be wrong.

Hour 24–48: Notification preparation

Drafts must satisfy three audiences: the regulator, the affected data subjects, and your customers. Keep technical detail in the regulator notification; keep clear plain-language explanations for data subjects.

Hour 48–72: Notification and communication

File your initial notification with the supervisory authority before the deadline, even if the picture is incomplete. Article 33(4) explicitly permits subsequent updates. Coordinate any external communications with legal and PR — never with security alone.

Beyond hour 72: The forgotten phase

Most playbooks stop at the notification deadline. The harder work is the next two weeks: forensic root cause, evidence preservation, follow-up disclosures as scope clarifies, customer-trust rebuilding, and the painful but unavoidable post-incident review.

Common mistakes

  • Waiting for "complete information" — the clock does not stop
  • Letting the technical team write the regulator notification
  • Allowing legal to delay containment for fear of "preserving evidence" — speak to specialist DFIR counsel before the incident, not during
  • Telling customers "we have no evidence of misuse" before you have actually checked

WPROIT operates a 24/7 incident response retainer for European clients. If you do not have a playbook in place, building one outside an incident is dramatically cheaper than building one inside.

Tagged with

#GDPR


Written by

WPROIT Administrator

Senior consultants at WPROIT advising European enterprises on cybersecurity, compliance and resilience.
