How to write a GDPR data breach notification procedure

Documenting your GDPR compliance can be tough, but a little guidance and access to documentation templates can make things much easier.

You probably found the documentation process one of the most stressful parts of EU GDPR (General Data Protection Regulation) compliance. What you write forms the backbone of your data protection practices, but there’s very little guidance on exactly what you should be doing. After all, every organisation has different things it needs to document.

Whether you’ve written your documentation or not (many organisations are still working towards compliance months after the GDPR took effect), it’s worth getting all the guidance you can when it comes to your processes and policies. Poorly written documentation could even cause data breaches. For example, staff might lose information because they weren’t given correct instructions and failed to apply a patch to fix an application’s vulnerability.

Flawed documentation could also aggravate a data breach, as would be the case if your data breach notification procedure wasn’t written correctly. Without a robust data breach reporting mechanism, you will almost certainly fail to report incidents within the GDPR’s 72-hour deadline. You will then face a compliance audit, enforcement actions or possibly a fine.

You should be under no illusions about the likelihood of a data breach. Experts have repeatedly warned that there are simply too many risks to account for and that breaches are a matter of ‘when, not if’. It’s therefore not good enough to assume that you won’t be breached or that it’s something you’ll deal with if it ever happens.


Personal data breach notification under the GDPR

Organisations must create a breach notification procedure that applies in the event of a personal data breach under Article 33: Notification of a personal data breach to the supervisory authority, and Article 34: Communication of a personal data breach to the data subject.


Data breach notification template

Here’s an example of what a data breach notification might look like:


This is an extract from our EU GDPR Documentation Toolkit, which sets out the scope of the procedure, responsibilities and the steps that the organisation must take to notify everybody involved, including the data controller, supervisory authority and data subjects.

This toolkit was designed and developed by data protection experts and has been used by thousands of organisations worldwide. It includes:

  • A complete set of easy-to-use and customisable documentation templates (including a personal data breach notification procedure) that will save you time and money;
  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Guidance from expert GDPR practitioners; and
  • Two licences for our GDPR Staff Awareness E-learning Course.

Take a free trial to see how the toolkit can help.


The Data Breach Survival Guide

You can find out more about how to prepare for data breaches by reading The Data Breach Survival Guide.

This free guide provides in-depth advice on how to prepare for a data breach, and explains how you can reduce the risk of information security incidents.
