GDPR Data Breach Response: A Step-by-Step Guide for Small Businesses
Data breaches don't just happen to big corporations. A lost laptop, a misdirected email, a phishing attack that compromises a single employee account — any of these can trigger GDPR's breach response obligations. And unlike the hacks that make headlines, most small business breaches are quiet, accidental, and deeply stressful for the people who have to deal with them.
This guide walks you through everything you need to know: what counts as a breach under GDPR, the notification deadlines you can't miss, how to assess severity, and how to build a response plan before you ever need it.
What Counts as a Data Breach Under GDPR?
Most people picture data breaches as dramatic hacking incidents — ransomware, database dumps, stolen credit cards. GDPR defines them far more broadly.
Under Article 4(12), a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
That means a breach includes:
- Lost or stolen hardware — a laptop left on a train, a phone stolen from a car, a USB drive that goes missing
- Wrong email recipients — sending customer data to the wrong address, CCing instead of BCCing a mailing list
- Unauthorised access — an ex-employee still able to log into your CRM, a contractor accessing files they shouldn't
- Accidental deletion — permanently deleting customer records without a backup
- Ransomware attacks — even if you restore from backup, availability was disrupted and data may have been exfiltrated
- Phishing — a staff member's email account compromised, giving attackers access to stored messages
The test isn't whether someone malicious was involved. It's whether personal data was exposed, altered, or made unavailable in a way you didn't authorise.
The 72-Hour Rule: Notifying Your Supervisory Authority
GDPR Article 33 requires that you notify your supervisory authority (your national data protection authority — the ICO in the UK, CNIL in France, BfDI in Germany, etc.) within 72 hours of becoming aware of a breach — unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
Those 72 hours go fast. A breach discovered at 9am Monday means you may need to notify by 9am Thursday. Over a weekend, you're working against an even tighter practical window.
What "aware" means
The clock starts when your organisation has a reasonable degree of certainty that a breach has occurred. If you're still investigating whether something was actually a breach, the clock hasn't necessarily started — but you need to move quickly, because you can't delay investigation deliberately to push back the deadline.
What to include in the notification
Article 33(3) specifies what your supervisory authority notification must include:
- Nature of the breach — what type of data was involved, approximate number of individuals and records affected
- Contact details — name and contact details of your DPO or other privacy contact
- Likely consequences — what harm might result for affected individuals
- Measures taken — what you've done or plan to do to address the breach and mitigate its effects
You can notify in phases if you don't have all the information yet. Send what you have within 72 hours and supplement with additional information as your investigation continues.
When You Must Notify Affected Individuals
Not every breach requires telling the people affected. Article 34 sets a higher bar: you must notify individuals only when the breach is likely to result in a high risk to their rights and freedoms.
High risk means the breach could result in:
- Identity theft or fraud
- Financial loss
- Discrimination or reputational damage
- Significant social or economic disadvantage
- Loss of confidentiality for sensitive data (health information, financial details, passwords)
If a breach involves special category data (health, religion, biometrics, sexual orientation, political opinions) or financial credentials, assume high risk unless you have strong mitigating factors.
Individual notifications must be made without undue delay — which in practice means as soon as you've confirmed the breach and identified who's affected. There's no fixed deadline like the 72-hour rule, but "as soon as possible" is the standard.
Assessing Breach Severity: A Practical Risk Matrix
Before you can decide whether to notify — and at what level — you need to assess the breach. Work through these four factors:
1. Nature of the data
Low sensitivity: names, job titles, business email addresses
Medium sensitivity: home addresses, personal email addresses, phone numbers
High sensitivity: passwords, financial data, health records, special category data
2. Volume of records affected
A breach affecting 10 people is materially different from one affecting 10,000. Volume amplifies risk.
3. Ease of identification
Could someone use the exposed data to identify and target specific individuals? A spreadsheet with names and home addresses is more dangerous than an anonymised analytics export.
4. Potential consequences
What could a bad actor do with this data? Could it enable fraud? Could it cause embarrassment or harm? Could it be used for phishing or social engineering?
Quick severity guide:
| Scenario | Supervisory Authority | Individuals |
|---|---|---|
| Low-sensitivity data, small volume, unlikely to cause harm | No notification required | No notification required |
| Moderate risk — some personal data, limited harm potential | Notify if in doubt | Likely not required |
| High risk — sensitive data, financial credentials, health info | Notify within 72 hours | Notify without delay |
When in doubt, err on the side of notification. Regulators take a dim view of organisations that decided not to notify and got it wrong.
Building a Breach Response Plan Before You Need It
The worst time to figure out your breach response process is when you're already in the middle of one. A documented plan — even a simple one — makes a significant difference to how calmly and effectively you can respond.
Your breach response plan should cover:
1. Who's in charge
Designate a breach response lead. In a small business, this might be the founder, a senior manager, or your DPO if you have one. Someone needs to own the response.
2. How breaches get reported internally
Staff need to know where to report a potential breach. A dedicated email address (privacy@yourcompany.com) or a Slack channel works. The key is that there's a clear, low-friction route so people actually report things.
3. Your supervisory authority contact
Know who your supervisory authority is and have their reporting portal bookmarked before you need it. The ICO's reporting tool is at ico.org.uk/report-a-breach. Most EU authorities have similar online portals.
4. Investigation checklist
What data was involved? How many individuals? When did it start? How was it discovered? Is it ongoing? Who had access? You'll need answers to all of these quickly.
5. Communication templates
Draft a template individual notification letter now. Personalise it when needed. Don't wait until 2am during a breach to write it from scratch.
6. External contacts
Your IT support, your legal counsel (or a data protection lawyer you can call), your cyber insurance provider if you have it.
Breach Log Requirements: Recording Every Incident
Article 33(5) requires you to document every breach — including ones you decide don't require notification. Your breach register must record:
- The facts of the breach (what happened, when, how it was discovered)
- Its effects (what data, how many people, what potential harm)
- The remedial action taken
- Your reasoning for not notifying (if applicable)
This isn't optional. The ICO and other regulators check breach logs during audits and investigations. An undocumented breach that later comes to light looks much worse than one that was logged and assessed.
Keep your breach log in a secure location (not in the same system that was compromised). A simple spreadsheet or a document in a dedicated compliance folder is sufficient for most small businesses.
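The deadline arithmetic, the four-factor severity assessment and the Article 33(5) register entry described above fit naturally in a few dozen lines of code. The following is an added example, not code from the original post or from Custodia: the labels for data types, the numeric weights given to each factor, the threshold between the low, moderate and high bands, and the `contained` flag are all assumptions chosen so that the output matches the post's quick severity guide; the 72-hour window and the "assume high risk for special category or credential data unless mitigated" rule come from the post itself.

```python
"""Minimal GDPR breach register: severity assessment plus 72-hour deadline.

Added example, not part of the original post. Factor weights and band
thresholds are assumptions tuned to reproduce the post's quick severity guide.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed canonical labels for the post's three sensitivity classes.
HIGH_SENSITIVITY = {"passwords", "financial_data", "health", "religion",
                    "biometrics", "sexual_orientation", "political_opinions"}
MEDIUM_SENSITIVITY = {"home_address", "personal_email", "phone"}
# Special category data and financial credentials: assume high risk
# unless a strong mitigating factor applies (post, "When You Must Notify").
FORCE_HIGH = HIGH_SENSITIVITY

AUTHORITY_WINDOW = timedelta(hours=72)   # Article 33(1)


@dataclass
class Assessment:
    risk: str                 # "low" | "moderate" | "high"
    notify_authority: bool    # Article 33
    notify_individuals: bool  # Article 34
    reasoning: str            # recorded in the register (Article 33(5))


def sensitivity(data_types: set[str]) -> int:
    """Highest sensitivity class present: 1 low, 2 medium, 3 high."""
    if data_types & HIGH_SENSITIVITY:
        return 3
    if data_types & MEDIUM_SENSITIVITY:
        return 2
    return 1


def assess(data_types: set[str], records: int, identifiable: bool,
           contained: bool) -> Assessment:
    """Combine the post's four factors into a notification decision.

    contained=True means a strong mitigating factor applies, for example the
    wrong recipient confirmed deletion in writing, or the lost laptop was
    full-disk encrypted and the key was not exposed. (Assumed semantics.)
    """
    sens = sensitivity(data_types)
    volume = 0 if records <= 10 else 1 if records <= 1000 else 2   # assumed bands
    score = sens + volume + (1 if identifiable else 0) - (1 if contained else 0)
    reasons = [f"sensitivity={sens}", f"records={records}",
               f"identifiable={identifiable}", f"contained={contained}"]

    if data_types & FORCE_HIGH and not contained:
        risk = "high"
        reasons.append("special category or credential data with no mitigation")
    elif score <= 2:
        risk = "low"
    elif score <= 4:
        risk = "moderate"
    else:
        risk = "high"

    # Quick guide: moderate means "notify if in doubt", so default to notifying
    # the authority; individuals are told only for high risk (Article 34).
    return Assessment(
        risk=risk,
        notify_authority=(risk != "low"),
        notify_individuals=(risk == "high"),
        reasoning="; ".join(reasons) + f" -> {risk}",
    )


def authority_deadline(aware_at_iso: str) -> str:
    """72 hours from the moment of awareness, as an ISO 8601 string.

    Naive timestamps are rejected: a deadline that is off by one timezone
    offset is a missed deadline.
    """
    aware_at = datetime.fromisoformat(aware_at_iso)
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must carry a UTC offset")
    return (aware_at + AUTHORITY_WINDOW).isoformat()


@dataclass
class BreachRecord:
    """One Article 33(5) register entry; kept even when nobody is notified."""
    facts: str                       # what happened, when, how discovered
    aware_at_iso: str                # when the 72-hour clock started
    assessment: Assessment           # effects and the notify/not-notify reasoning
    remedial_action: list[str] = field(default_factory=list)
    updates: list[str] = field(default_factory=list)   # phased notification notes

    def add_update(self, at_iso: str, note: str) -> None:
        """Append a dated supplement, e.g. information sent after the first notice."""
        self.updates.append(f"{at_iso} {note}")


if __name__ == "__main__":
    # Constructed scenario: a breach discovered 9am Monday (UTC).
    a = assess({"health", "home_address"}, records=30, identifiable=True, contained=False)
    rec = BreachRecord("Inbox compromised via phishing", "2024-01-15T09:00:00+00:00", a)
    rec.remedial_action += ["credentials revoked", "MFA enforced"]
    print(a.risk, a.notify_authority, a.notify_individuals)
    print("notify authority by", authority_deadline(rec.aware_at_iso))   # Thursday 9am
```

The reasoning string is what goes into the register when you decide not to notify; keeping it as a generated field rather than free text makes a later audit question ("why did you not report this?") answerable from the record itself.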
Common Small Business Breach Scenarios
Scenario 1: Phishing Attack
What happens: An employee clicks a malicious link and enters their email credentials. Attackers access their inbox, which contains customer correspondence and some personal data.
Response:
- Immediately revoke the compromised credentials and enable MFA
- Audit the inbox — what data was accessible? For how long?
- Check for email forwarding rules or other persistence mechanisms
- Log the incident in your breach register
- Assess: was sensitive personal data accessible? If yes, notify your supervisory authority within 72 hours
- Consider whether affected individuals need to be notified (especially if attackers may have used their data to target them)
Key lesson: Enable MFA on all business email accounts. It stops most credential-phishing attacks cold.
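The "check for email forwarding rules or other persistence mechanisms" step above is the one most often skipped, because rule exports are tedious to read by eye. The following is an added example, not code from the original post: it audits a list of mailbox rules in a constructed, vendor-neutral shape (name, enabled, created, forward_to, redirect_to, delete, move_to_folder, subject_contains) against three defender checks: external forwarding or redirection, rules that delete or file away messages about passwords, payments or security alerts, and any rule created inside the compromise window. `COMPANY_DOMAIN`, the keyword list and the sample rules are assumptions; a real audit would fill `rules` from your mail platform's inbox-rule export.

```python
"""Audit mailbox rules for persistence after a phishing compromise.

Added example, not part of the original post. Rule records use a constructed,
vendor-neutral shape; map your mail platform's rule export onto it.
"""
from datetime import datetime

COMPANY_DOMAIN = "example.com"   # assumed: your own mail domain
# Subjects an intruder typically wants the mailbox owner not to see (assumed list).
HIDDEN_KEYWORDS = {"password", "invoice", "payment", "security", "mfa"}

# Constructed sample export: two benign rules followed by three suspicious ones.
SAMPLE_RULES = [
    {"name": "Newsletter filing", "enabled": True, "created": "2023-11-02T10:00:00",
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to_folder": "Newsletters", "subject_contains": ["newsletter"]},
    {"name": "Forward to assistant", "enabled": True, "created": "2023-06-14T09:30:00",
     "forward_to": ["assistant@example.com"], "redirect_to": [], "delete": False,
     "move_to_folder": None, "subject_contains": []},
    {"name": ".", "enabled": True, "created": "2024-03-04T02:17:00",
     "forward_to": ["collector@external-mail.test"], "redirect_to": [], "delete": False,
     "move_to_folder": None, "subject_contains": []},
    {"name": "Clean up", "enabled": True, "created": "2024-03-04T02:19:00",
     "forward_to": [], "redirect_to": [], "delete": True,
     "move_to_folder": None, "subject_contains": ["password", "security alert"]},
    {"name": "Archive", "enabled": True, "created": "2024-03-04T02:20:00",
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to_folder": "RSS Subscriptions", "subject_contains": ["invoice"]},
]


def is_external(address: str) -> bool:
    """True when the address is outside the company's own mail domain."""
    return not address.lower().endswith("@" + COMPANY_DOMAIN)


def audit_rules(rules: list[dict], compromise_start: str) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for every enabled rule that needs a closer look."""
    since = datetime.fromisoformat(compromise_start)
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        reasons = []

        # 1. Anything leaving the organisation's mail domain.
        external = [a for a in rule["forward_to"] + rule["redirect_to"] if is_external(a)]
        if external:
            reasons.append("forwards/redirects externally to " + ", ".join(external))

        # 2. Hiding messages the owner would want to see (deletes or files them away).
        keywords = {s.lower() for s in rule["subject_contains"]}
        hides = rule["delete"] or rule["move_to_folder"] not in (None, "Inbox")
        if hides and any(k in kw for kw in keywords for k in HIDDEN_KEYWORDS):
            action = "deletes" if rule["delete"] else f"moves to '{rule['move_to_folder']}'"
            reasons.append(f"{action} messages matching {sorted(keywords)}")

        # 3. Created after the phishing click: legitimate or not, it must be reviewed.
        if datetime.fromisoformat(rule["created"]) >= since:
            reasons.append("created inside the compromise window")

        if reasons:
            findings.append((rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "2024-03-04T02:00:00"):
        print(f"{name!r}: " + "; ".join(reasons))
```

Run it against the export from the compromised account with `compromise_start` set to the earliest time the phishing link could have been used; the findings list gives you both the rules to disable and the wording for the "measures taken" part of the Article 33(3) notification.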
Scenario 2: Accidental Email to Wrong Recipient
What happens: A staff member sends a client report containing personal data to the wrong email address.
Response:
- Contact the recipient immediately and request deletion
- Get written confirmation if possible
- Log the incident
- Assess: what was in the email? Was it sensitive? How many people's data? Did the recipient have any reason to misuse it?
- If it's a one-off error, the recipient responded, and the data wasn't sensitive — this is likely a low-risk breach that doesn't require supervisory authority notification, but document your reasoning
- If the data was sensitive (health info, financial details) or the recipient can't be confirmed to have deleted it — notify your supervisory authority
Key lesson: BCC instead of CC for bulk emails. Consider a "delay send" policy that gives staff 2 minutes to catch errors.
Scenario 3: Ransomware Attack
What happens: Your systems are encrypted by ransomware. You restore from backup within 48 hours but aren't certain whether data was exfiltrated before encryption.
Response:
- Isolate affected systems immediately
- Do not pay the ransom without legal and cyber insurance advice
- Contact your IT provider and, if warranted, a specialist incident response firm
- Engage your cyber insurance provider
- Even with a successful backup restore, this is a breach — availability was disrupted and exfiltration can't be ruled out
- Notify your supervisory authority within 72 hours — the uncertainty about exfiltration doesn't delay this obligation
- Affected individuals may need notification if sensitive data was likely exfiltrated
- Document the full incident timeline
Key lesson: Offline backups are your most important defence. Test them regularly.
Scenario 4: Ex-Employee Access
What happens: You discover that a former employee, whose account was never disabled, has been accessing your CRM for three months after leaving.
Response:
- Immediately revoke all access — email, CRM, cloud storage, everything
- Audit access logs: what did they access? What did they download or export?
- This is an unauthorised access breach regardless of intent
- Assess the severity based on what data was accessible and what they may have done with it
- If customer or employee personal data was accessed without authorisation, notify your supervisory authority
- Consider whether affected individuals need notification based on risk
- Consider legal advice regarding the former employee
- Log the full incident
Key lesson: Have an offboarding checklist that includes immediately revoking all system access on an employee's last day — not days later.
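The "audit access logs" step in this scenario is where the severity assessment gets its numbers: when the access started, how long it went on, and how many records left. The following is an added example, not code from the original post: it runs a constructed HR leavers list against a constructed CRM audit log (one event per line: timestamp, account, action, record count) and reports, per former employee, every event after their last working day together with the exported record total. The log format, the account names and the `export_contacts` action name are assumptions; adapt `parse_line` to your own CRM's audit export and the rest carries over.

```python
"""Find CRM activity by accounts whose owners have already left.

Added example, not part of the original post. Leavers list and audit log are
constructed sample data; only parse_line() is tied to their format.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed HR leavers list: account -> last working day.
LEAVERS = {"jsmith": "2024-01-31", "apatel": "2024-02-15"}

# Constructed CRM audit log: "<UTC timestamp> <account> <action> <record count>".
SAMPLE_LOG = """\
2024-01-30T16:02:11Z jsmith login 0
2024-01-30T16:05:40Z jsmith view_contact 1
2024-02-20T22:41:03Z jsmith login 0
2024-02-20T22:43:19Z jsmith export_contacts 1840
2024-03-11T08:10:55Z jsmith view_contact 1
2024-02-14T09:00:00Z apatel login 0
2024-03-01T09:12:00Z mjones export_contacts 25
2024-04-28T19:30:02Z jsmith export_contacts 2210
"""


def parse_line(line: str):
    """Split one audit line into (aware datetime in UTC, account, action, count)."""
    ts, user, action, count = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, action, int(count)


def audit_leavers(log_text: str, leavers: dict[str, str]) -> dict[str, dict]:
    """Summarise post-departure events per former employee's account."""
    last_day = {u: datetime.strptime(d, "%Y-%m-%d").date() for u, d in leavers.items()}
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, action, count = parse_line(line)
        if user not in last_day:
            continue
        # Activity on the last working day itself is legitimate; anything from
        # the next day onward is unauthorised access regardless of intent.
        if when.date() > last_day[user]:
            events[user].append((when, action, count))

    report = {}
    for user, evs in events.items():
        evs.sort()
        report[user] = {
            "first_access": evs[0][0].isoformat(),
            "last_access": evs[-1][0].isoformat(),
            "days_since_leaving": (evs[-1][0].date() - last_day[user]).days,
            "events": len(evs),
            "records_exported": sum(c for _, a, c in evs if a == "export_contacts"),
        }
    return report


if __name__ == "__main__":
    for user, summary in audit_leavers(SAMPLE_LOG, LEAVERS).items():
        print(user, summary)
```

In the sample data `apatel` logged in the day before leaving and never again, so the account does not appear; `jsmith` shows up with access spanning almost three months and two bulk exports, which is exactly the information the "volume of records" and "ease of identification" factors in the risk matrix need.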
Breach Response Checklist
Print this and keep it somewhere accessible.
Immediate (first hours):
- [ ] Contain the breach — stop ongoing data loss or unauthorised access
- [ ] Preserve evidence — don't overwrite logs or wipe systems
- [ ] Notify your breach response lead
- [ ] Start the clock — when did you become aware?
Within 24 hours:
- [ ] Begin investigation — what data, how many people, how did it happen?
- [ ] Log the incident in your breach register
- [ ] Assess severity using the risk matrix
- [ ] Consult legal counsel if the breach is significant
- [ ] Notify your supervisory authority if needed (before the 72-hour window closes)
Within 72 hours:
- [ ] Supervisory authority notification filed (if required)
- [ ] Investigation continuing or complete
- [ ] Remediation steps underway
Following days:
- [ ] Individual notifications sent (if high risk)
- [ ] Full incident documented in breach register
- [ ] Root cause identified
- [ ] Changes implemented to prevent recurrence
- [ ] Staff briefed on lessons learned
Start With a Privacy Scan
You can't respond to breaches involving data you don't know you're collecting. The first step is understanding what personal data your website actually processes — what trackers are running, what third-party tools have access to visitor data, and where your current privacy documentation falls short.
Run a free privacy scan at Custodia — it takes 60 seconds and shows you exactly what your website is collecting and sharing. No signup required.
This post provides general information about GDPR data breach obligations. It does not constitute legal advice. Your specific obligations will depend on the nature of the breach, your industry, and your jurisdiction. Consult a qualified data protection lawyer or DPO for advice specific to your situation.