Personal-data breaches: the 72-hour clock and the evidence trail
How to triage incidents, assess risk, decide on authority and data-subject notification, and prove the response.
Executive summary
Breach handling starts with triage, not panic. The 72-hour clock must be visible wherever notification may be required. No-notification decisions still need evidence.
A personal-data breach is not only a cybersecurity event. It can be a misdirected email, a lost device, wrong portal access, an exposed file, a ransomware incident or an accidental disclosure.
The operational pressure comes from the 72-hour notification clock where a breach is notifiable to the supervisory authority. The office needs fast triage, evidence capture, containment and a documented risk-to-rights assessment.
Even when no notification is made, the office should keep a breach register showing facts, risk assessment, decision-maker, remediation and follow-up.
Who this applies to
This guide is for offices that need to respond to personal-data incidents, from misdirected documents to cyber events.
- Wrong-recipient emails
- Lost laptops or phones
- Portal access mistakes
- Ransomware or account compromise
- Paper files or USB devices lost in transit
Legal and supervisory context
GDPR breach duties require a risk assessment and, where the breach is notifiable, notification to the supervisory authority without undue delay; that notification window is the 72-hour clock this guide refers to.
Even when no notification is required, the organization should keep an internal breach record showing the assessment and remediation.
What the office must actually do
The office should turn the obligation into a repeatable workflow with named owners, deadlines, evidence and reviewable decisions.
- Open an incident record immediately.
- Capture facts and affected data categories.
- Contain the incident.
- Assess risk to rights and freedoms.
- Decide on authority and data-subject notification.
- Record remediation and closure.
What good evidence looks like
The breach register should show dates, facts, risk assessment, decision-maker, notifications, remediation and lessons learned.
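As an added example (not the page's or Sceau's own code), the workflow and the evidence fields above as a minimal breach-register entry: the clock starts at awareness, every fact, assessment and decision is appended to a timestamped log, and a notification decision, including "no", is refused unless a risk assessment and a written rationale are on record. Field names, risk labels and the actor strings are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

NOTIFY_WINDOW = timedelta(hours=72)  # authority-notification clock; runs from awareness


@dataclass
class BreachRecord:
    ref: str
    aware_at: datetime                       # when the office became aware: the clock starts here
    log: list = field(default_factory=list)  # (timestamp, actor, entry): the append-only evidence trail
    data_categories: set = field(default_factory=set)
    risk: str = ""                           # assumed labels: "unlikely", "risk", "high risk"
    decision: dict = field(default_factory=dict)
    closed: bool = False

    def _note(self, at, actor, entry):
        self.log.append((at, actor, entry))
    def deadline(self):
        return self.aware_at + NOTIFY_WINDOW

    def hours_left(self, now):
        return (self.deadline() - now) / timedelta(hours=1)

    def add_fact(self, at, actor, fact, categories=()):
        # Facts are captured as they arrive; incomplete facts never delay opening the record.
        self.data_categories.update(categories)
        self._note(at, actor, f"fact: {fact}")

    def assess(self, at, actor, risk, reasoning):
        # Re-assessment is expected as facts come in; earlier assessments stay in the log.
        self.risk = risk
        self._note(at, actor, f"risk={risk}: {reasoning}")

    def decide(self, at, actor, notify_authority, notify_subjects, rationale):
        if not self.risk:
            raise ValueError("decide only after a documented risk assessment")
        if not rationale.strip():
            raise ValueError("every notification decision, including 'no', needs a written rationale")
        if notify_authority and at > self.deadline():
            self._note(at, actor, f"late: authority notified {-self.hours_left(at):.1f}h after the 72h deadline")
        self.decision = {"authority": notify_authority, "subjects": notify_subjects,
                         "by": actor, "at": at, "rationale": rationale}
        self._note(at, actor, f"decision: authority={notify_authority} subjects={notify_subjects}")

    def close(self, at, actor, remediation, lessons):
        if not self.decision:
            raise ValueError("cannot close without a recorded notification decision")
        self._note(at, actor, f"remediation: {remediation}")
        self._note(at, actor, f"lessons: {lessons}")
        self.closed = True
```

The `log` list is the register entry a supervisor would read: dates, facts, who assessed, who decided, why, and what was fixed, whether or not anyone was notified.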
Common mistakes supervisors find
- Assuming only hacks are breaches.
- Waiting for complete certainty before opening a record.
- Missing the notification clock.
- Not documenting why notification was not required.
Practical checklist
- Log incident.
- Start clock.
- Contain exposure.
- Assess risk.
- Decide notification.
- Record remediation.
- Close and review controls.
- Creates breach records with deadline clocks.
- Guides risk-to-rights assessment.
- Records DPA and data-subject notification decisions.
- Feeds unresolved breach issues into assurance.
FAQ
Is a misdirected email a breach?
It can be, depending on the data and recipient. It should be triaged rather than ignored.
Do all breaches need authority notification?
No. The decision depends on risk, but the assessment should be documented.
What if facts are incomplete?
Open the record, contain the issue and update the assessment as facts become available.
From knowledge to compliance
Reading is a start. Sceau turns these obligations into a workflow that runs itself and proves itself.