How should I respond to a data breach?
Determines the appropriate response actions following a suspected or confirmed data security incident, from simple internal containment through to full regulatory notification and crisis management. The assessment is calibrated to GDPR obligations under Articles 33 and 34 but is relevant to any privacy regime that imposes breach notification duties. Complete this assessment as soon as a potential incident is identified — time limits for regulatory notification begin from the moment you become aware, not from when the breach is confirmed.
Overview
Decision Tree
Start: Did the incident involve personal data — any information relating to an identified or identifiable living individual?
- yes: Continues to question: Is there a likely risk to the rights and freedoms of the individuals whose data was affected?
- no: Outcome: No Action Required
Machine-Readable JSON (Canonical Model)
{
"_meta": {
"schema": "https://www.drawdecisiontree.com/decision-dag.schema.json",
"source": "https://www.drawdecisiontree.com",
"description": "DrawDecisionTree.com is a free tool for building, sharing, and embedding interactive decision trees. This file is the machine-readable export of a published decision tree. The `dsl` field contains the original source in the Decision DAG DSL; the `dag` schema is documented at the URL in `schema` above.",
"links": {
"interactive": "https://www.drawdecisiontree.com/t/drawdecisiontree/legal-data-breach-response.html",
"embed": "https://www.drawdecisiontree.com/embed/path/drawdecisiontree/legal-data-breach-response",
"dsl_reference": "https://www.drawdecisiontree.com/decision-tree-dsl-reference.html",
"guides": "https://www.drawdecisiontree.com/guides",
"schema_docs": "https://www.drawdecisiontree.com/decision-dag.schema.json",
"author_trees": "https://www.drawdecisiontree.com/trees/drawdecisiontree"
},
"generated_at": "2026-05-29T12:05:39.312Z"
},
"author": {
"handle": "drawdecisiontree",
"first_name": "Andrew",
"last_name": null,
"avatar_url": "1d32d828-b6ca-40ec-bdd7-771fe7b9c36a/avatar-1778531481027.svg",
"display_name": "Andrew"
},
"file": {
"id": "7dd6107a-8db3-4e77-9aed-5808b0989d29",
"name": "How should I respond to a data breach?",
"public_slug": "legal-data-breach-response",
"updated_at": "2026-05-12T16:53:43.587978+00:00",
"url": "https://www.drawdecisiontree.com/t/drawdecisiontree/legal-data-breach-response.html",
"json_url": "https://www.drawdecisiontree.com/t/drawdecisiontree/legal-data-breach-response/tree.json",
"dsl_url": "https://www.drawdecisiontree.com/t/drawdecisiontree/legal-data-breach-response/tree.dag"
},
"meta": {
"description": "Determines the appropriate response actions following a suspected or confirmed data security incident, from simple internal containment through to full regulatory notification and crisis management. The assessment is calibrated to GDPR obligations under Articles 33 and 34 but is relevant to any privacy regime that imposes breach notification duties. Complete this assessment as soon as a potential incident is identified — time limits for regulatory notification begin from the moment you become aware, not from when the breach is confirmed.",
"mode": "decision",
"entry": "Q1",
"tags": [
"legal",
"data breach",
"gdpr",
"privacy",
"compliance",
"incident response"
],
"image": "https://images.unsplash.com/photo-1614064641938-3bbee52942c7?w=1200&q=80"
},
"questions": [
{
"id": "Q1",
"text": "Did the incident involve personal data — any information relating to an identified or identifiable living individual?"
},
{
"id": "Q2",
"text": "Is there a likely risk to the rights and freedoms of the individuals whose data was affected?"
},
{
"id": "Q3",
"text": "Does the affected data include special category data or data relating to criminal convictions or offences?"
},
{
"id": "Q4",
"text": "Are more than 500 individuals potentially affected by this breach?"
},
{
"id": "Q5",
"text": "Are more than 250 individuals potentially affected by this breach?"
}
],
"outcomes": [
{
"id": "NO_ACTION",
"label": "No Action Required"
},
{
"id": "INTERNAL_ONLY",
"label": "Internal Containment Only"
},
{
"id": "NOTIFY_DPA",
"label": "Notify Data Protection Authority within 72 Hours"
},
{
"id": "NOTIFY_DPA_INDIVIDUALS",
"label": "Notify DPA and Affected Individuals"
},
{
"id": "CRISIS",
"label": "Full Crisis Response"
}
],
"dsl": "dag: How should I respond to a data breach?\nversion: 1.0.0\nimage: https://images.unsplash.com/photo-1614064641938-3bbee52942c7?w=1200&q=80\ndescription: Determines the appropriate response actions following a suspected or confirmed data security incident, from simple internal containment through to full regulatory notification and crisis management. The assessment is calibrated to GDPR obligations under Articles 33 and 34 but is relevant to any privacy regime that imposes breach notification duties. Complete this assessment as soon as a potential incident is identified — time limits for regulatory notification begin from the moment you become aware, not from when the breach is confirmed.\ntags: legal, data breach, gdpr, privacy, compliance, incident response\nentry: Q1\n\nQ1: Did the incident involve personal data — any information relating to an identified or identifiable living individual?\n hint: Personal data includes names, email addresses, phone numbers, IP addresses, location data, identification numbers, and any other information that can directly or indirectly identify a living person. It also includes pseudonymised data where re-identification is reasonably possible. If you are unsure whether the data qualifies as personal data under the applicable privacy legislation, treat the answer as yes and proceed with the assessment conservatively.\n yes -> Q2\n no -> [NO_ACTION]\n\nQ2: Is there a likely risk to the rights and freedoms of the individuals whose data was affected?\n hint: Risk to rights and freedoms arises where the breach could lead to discrimination, identity theft, financial loss, reputational damage, loss of confidentiality of data protected by professional secrecy, unauthorised reversal of pseudonymisation, or other significant social or economic disadvantage for the individuals concerned. A risk is \"likely\" where it is more probable than not given the nature of the data, the cause of the breach, and the circumstances of exposure. Low-risk incidents — such as the accidental temporary inaccessibility of non-sensitive internal data with no external exposure — may not meet this threshold.\n yes -> Q3\n no -> [INTERNAL_ONLY]\n\nQ3: Does the affected data include special category data or data relating to criminal convictions or offences?\n hint: Special category data under GDPR Article 9 includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification purposes, health data, sex life or sexual orientation data. Data relating to criminal convictions and offences is governed separately under Article 10. A breach involving any of these categories is treated as higher risk because of the heightened potential for discrimination, stigma, or harm to affected individuals.\n yes -> Q4\n no -> Q5\n\nQ4: Are more than 500 individuals potentially affected by this breach?\n hint: The number of affected individuals is a key factor in assessing the scale of the breach and the proportionate response. Where the precise number is unknown, use a reasonable upper-bound estimate based on the scope of the affected system or data set. For special category data, the 500-person threshold is a practical trigger for escalating to full crisis response; even smaller numbers may require the same response where the sensitivity of the data or the nature of the harm is particularly acute.\n yes -> [CRISIS]\n no -> [NOTIFY_DPA_INDIVIDUALS]\n\nQ5: Are more than 250 individuals potentially affected by this breach?\n hint: For non-special-category personal data, scale remains a critical factor in determining whether notification to affected individuals is required in addition to regulatory notification. Where the number of affected individuals is uncertain, estimate conservatively using the maximum plausible scope of the affected system. Note that the 72-hour clock for notification to the supervisory authority under GDPR Article 33 runs from the point of awareness, regardless of the number of individuals affected — do not allow the individual count assessment to delay the regulatory notification decision.\n yes -> [NOTIFY_DPA_INDIVIDUALS]\n no -> [NOTIFY_DPA]\n\n[NO_ACTION]: No Action Required\n color: #22c55e\n description: The incident does not involve personal data and does not constitute a personal data breach triggering notification obligations under GDPR or equivalent privacy legislation. Document the incident, your assessment, and the basis for concluding that no personal data was involved in the security incident log, as this record will be important if the assessment is later challenged by a regulator or in litigation. Review the incident for any other legal or contractual notification obligations — for example, under cybersecurity legislation, financial services regulations, or commercial contracts with clients — that may apply independently of privacy law. Brief the Information Security team on the root cause and implement any appropriate remediation to reduce the likelihood of recurrence.\n code: LEGAL_BREACH_NO_ACTION\n\n[INTERNAL_ONLY]: Internal Containment Only\n color: #3b82f6\n description: Personal data was involved but the risk to affected individuals' rights and freedoms is assessed as low, meaning external notification to the supervisory authority or affected individuals is not required at this stage. Contain the breach immediately: isolate affected systems, revoke compromised credentials, and recover or securely delete any unlawfully disclosed data where possible. Document the full circumstances of the breach, the containment steps taken, and the rationale for concluding that the risk threshold for notification is not met — this documentation is mandatory under GDPR Article 33(5) and must be retained and available for regulatory inspection. Re-assess if new information comes to light that suggests the risk to individuals may be higher than initially evaluated, and escalate immediately if the assessment changes.\n code: LEGAL_BREACH_INTERNAL\n\n[NOTIFY_DPA]: Notify Data Protection Authority within 72 Hours\n color: #f59e0b\n description: The breach involves personal data and poses a likely risk to individuals' rights and freedoms, triggering the mandatory obligation to notify the competent supervisory authority within 72 hours of becoming aware of the breach under GDPR Article 33. Prepare the notification immediately, including the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach. If full information is not yet available within the 72-hour window, submit an initial notification and supplement it with further details as they become available — do not delay notification pending a complete investigation. Appoint a breach response lead, brief the Data Protection Officer, preserve all relevant evidence, and retain complete records of the breach and the notification for at least three years.\n code: LEGAL_BREACH_NOTIFY_DPA\n\n[NOTIFY_DPA_INDIVIDUALS]: Notify DPA and Affected Individuals\n color: #f97316\n description: The scale or sensitivity of the breach means that, in addition to notifying the supervisory authority within 72 hours, you are also required to communicate the breach directly to the affected individuals without undue delay under GDPR Article 34. Notifications to individuals must be written in clear, plain language and must describe the nature of the breach, the likely consequences, the Data Protection Officer's contact details, and the measures the individual can take to protect themselves — for example, changing passwords, placing fraud alerts, or monitoring financial accounts. Engage your communications and PR teams to coordinate messaging, and ensure that the DPA notification and the individual communications are consistent. Activate any cyber insurance policy, brief external legal counsel if litigation risk is significant, and document all steps taken in the breach register.\n code: LEGAL_BREACH_NOTIFY_ALL\n\n[CRISIS]: Full Crisis Response\n color: #ef4444\n description: The breach involves special category or criminal offence data affecting a large number of individuals, representing the highest tier of regulatory and reputational risk. Activate the organisation's crisis management plan immediately: convene the crisis response team (Legal, DPO, IT Security, Communications, Senior Management), notify the supervisory authority within 72 hours, and prepare to notify affected individuals as a matter of urgency. Engage external specialist counsel for regulatory defence and litigation preparedness, and notify your cyber insurer without delay. Prepare for potential regulatory investigation by preserving all relevant evidence, suspending any document retention policies that might result in automatic deletion of pertinent records, and briefing key personnel on their obligations not to communicate about the incident outside approved channels. Consider proactive engagement with the supervisory authority beyond the minimum notification, including a full incident report and remediation plan, to demonstrate good faith and cooperation.\n code: LEGAL_BREACH_CRISIS\n"
}
DSL Representation
dag: How should I respond to a data breach?
version: 1.0.0
image: https://images.unsplash.com/photo-1614064641938-3bbee52942c7?w=1200&q=80
description: Determines the appropriate response actions following a suspected or confirmed data security incident, from simple internal containment through to full regulatory notification and crisis management. The assessment is calibrated to GDPR obligations under Articles 33 and 34 but is relevant to any privacy regime that imposes breach notification duties. Complete this assessment as soon as a potential incident is identified — time limits for regulatory notification begin from the moment you become aware, not from when the breach is confirmed.
tags: legal, data breach, gdpr, privacy, compliance, incident response
entry: Q1
Q1: Did the incident involve personal data — any information relating to an identified or identifiable living individual?
hint: Personal data includes names, email addresses, phone numbers, IP addresses, location data, identification numbers, and any other information that can directly or indirectly identify a living person. It also includes pseudonymised data where re-identification is reasonably possible. If you are unsure whether the data qualifies as personal data under the applicable privacy legislation, treat the answer as yes and proceed with the assessment conservatively.
yes -> Q2
no -> [NO_ACTION]
Q2: Is there a likely risk to the rights and freedoms of the individuals whose data was affected?
hint: Risk to rights and freedoms arises where the breach could lead to discrimination, identity theft, financial loss, reputational damage, loss of confidentiality of data protected by professional secrecy, unauthorised reversal of pseudonymisation, or other significant social or economic disadvantage for the individuals concerned. A risk is "likely" where it is more probable than not given the nature of the data, the cause of the breach, and the circumstances of exposure. Low-risk incidents — such as the accidental temporary inaccessibility of non-sensitive internal data with no external exposure — may not meet this threshold.
yes -> Q3
no -> [INTERNAL_ONLY]
Q3: Does the affected data include special category data or data relating to criminal convictions or offences?
hint: Special category data under GDPR Article 9 includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification purposes, health data, sex life or sexual orientation data. Data relating to criminal convictions and offences is governed separately under Article 10. A breach involving any of these categories is treated as higher risk because of the heightened potential for discrimination, stigma, or harm to affected individuals.
yes -> Q4
no -> Q5
Q4: Are more than 500 individuals potentially affected by this breach?
hint: The number of affected individuals is a key factor in assessing the scale of the breach and the proportionate response. Where the precise number is unknown, use a reasonable upper-bound estimate based on the scope of the affected system or data set. For special category data, the 500-person threshold is a practical trigger for escalating to full crisis response; even smaller numbers may require the same response where the sensitivity of the data or the nature of the harm is particularly acute.
yes -> [CRISIS]
no -> [NOTIFY_DPA_INDIVIDUALS]
Q5: Are more than 250 individuals potentially affected by this breach?
hint: For non-special-category personal data, scale remains a critical factor in determining whether notification to affected individuals is required in addition to regulatory notification. Where the number of affected individuals is uncertain, estimate conservatively using the maximum plausible scope of the affected system. Note that the 72-hour clock for notification to the supervisory authority under GDPR Article 33 runs from the point of awareness, regardless of the number of individuals affected — do not allow the individual count assessment to delay the regulatory notification decision.
yes -> [NOTIFY_DPA_INDIVIDUALS]
no -> [NOTIFY_DPA]
[NO_ACTION]: No Action Required
color: #22c55e
description: The incident does not involve personal data and does not constitute a personal data breach triggering notification obligations under GDPR or equivalent privacy legislation. Document the incident, your assessment, and the basis for concluding that no personal data was involved in the security incident log, as this record will be important if the assessment is later challenged by a regulator or in litigation. Review the incident for any other legal or contractual notification obligations — for example, under cybersecurity legislation, financial services regulations, or commercial contracts with clients — that may apply independently of privacy law. Brief the Information Security team on the root cause and implement any appropriate remediation to reduce the likelihood of recurrence.
code: LEGAL_BREACH_NO_ACTION
[INTERNAL_ONLY]: Internal Containment Only
color: #3b82f6
description: Personal data was involved but the risk to affected individuals' rights and freedoms is assessed as low, meaning external notification to the supervisory authority or affected individuals is not required at this stage. Contain the breach immediately: isolate affected systems, revoke compromised credentials, and recover or securely delete any unlawfully disclosed data where possible. Document the full circumstances of the breach, the containment steps taken, and the rationale for concluding that the risk threshold for notification is not met — this documentation is mandatory under GDPR Article 33(5) and must be retained and available for regulatory inspection. Re-assess if new information comes to light that suggests the risk to individuals may be higher than initially evaluated, and escalate immediately if the assessment changes.
code: LEGAL_BREACH_INTERNAL
[NOTIFY_DPA]: Notify Data Protection Authority within 72 Hours
color: #f59e0b
description: The breach involves personal data and poses a likely risk to individuals' rights and freedoms, triggering the mandatory obligation to notify the competent supervisory authority within 72 hours of becoming aware of the breach under GDPR Article 33. Prepare the notification immediately, including the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach. If full information is not yet available within the 72-hour window, submit an initial notification and supplement it with further details as they become available — do not delay notification pending a complete investigation. Appoint a breach response lead, brief the Data Protection Officer, preserve all relevant evidence, and retain complete records of the breach and the notification for at least three years.
code: LEGAL_BREACH_NOTIFY_DPA
[NOTIFY_DPA_INDIVIDUALS]: Notify DPA and Affected Individuals
color: #f97316
description: The scale or sensitivity of the breach means that, in addition to notifying the supervisory authority within 72 hours, you are also required to communicate the breach directly to the affected individuals without undue delay under GDPR Article 34. Notifications to individuals must be written in clear, plain language and must describe the nature of the breach, the likely consequences, the Data Protection Officer's contact details, and the measures the individual can take to protect themselves — for example, changing passwords, placing fraud alerts, or monitoring financial accounts. Engage your communications and PR teams to coordinate messaging, and ensure that the DPA notification and the individual communications are consistent. Activate any cyber insurance policy, brief external legal counsel if litigation risk is significant, and document all steps taken in the breach register.
code: LEGAL_BREACH_NOTIFY_ALL
[CRISIS]: Full Crisis Response
color: #ef4444
description: The breach involves special category or criminal offence data affecting a large number of individuals, representing the highest tier of regulatory and reputational risk. Activate the organisation's crisis management plan immediately: convene the crisis response team (Legal, DPO, IT Security, Communications, Senior Management), notify the supervisory authority within 72 hours, and prepare to notify affected individuals as a matter of urgency. Engage external specialist counsel for regulatory defence and litigation preparedness, and notify your cyber insurer without delay. Prepare for potential regulatory investigation by preserving all relevant evidence, suspending any document retention policies that might result in automatic deletion of pertinent records, and briefing key personnel on their obligations not to communicate about the incident outside approved channels. Consider proactive engagement with the supervisory authority beyond the minimum notification, including a full incident report and remediation plan, to demonstrate good faith and cooperation.
code: LEGAL_BREACH_CRISIS
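The DSL above is simple enough to evaluate mechanically, which is useful when the same triage has to be applied consistently across many incidents and logged with a timestamp. The following is an added example, not code from drawdecisiontree.com: a small parser for the Decision DAG syntax as it appears on this page (header `key: value` lines, `Q1: text` questions, `[ID]: label` outcomes, `yes -> target` edges, `hint:`/`color:`/`code:` attributes), an evaluator that walks from `entry` to an outcome, and a helper that pins the 72-hour Article 33 clock to the moment of awareness rather than to the count assessment. The embedded DSL is a constructed, abbreviated copy of the page's tree (hints shortened); the function names, the `affected_upper_bound` argument, and the choice to attach a deadline only to the three notifying outcomes are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the page's decision DAG with hints shortened.
BREACH_DAG = """\
dag: How should I respond to a data breach?
version: 1.0.0
entry: Q1
Q1: Did the incident involve personal data?
 hint: If unsure, treat the answer as yes.
 yes -> Q2
 no -> [NO_ACTION]
Q2: Is there a likely risk to the rights and freedoms of the individuals?
 yes -> Q3
 no -> [INTERNAL_ONLY]
Q3: Does the affected data include special category or criminal offence data?
 yes -> Q4
 no -> Q5
Q4: Are more than 500 individuals potentially affected?
 yes -> [CRISIS]
 no -> [NOTIFY_DPA_INDIVIDUALS]
Q5: Are more than 250 individuals potentially affected?
 yes -> [NOTIFY_DPA_INDIVIDUALS]
 no -> [NOTIFY_DPA]
[NO_ACTION]: No Action Required
 code: LEGAL_BREACH_NO_ACTION
[INTERNAL_ONLY]: Internal Containment Only
 code: LEGAL_BREACH_INTERNAL
[NOTIFY_DPA]: Notify Data Protection Authority within 72 Hours
 code: LEGAL_BREACH_NOTIFY_DPA
[NOTIFY_DPA_INDIVIDUALS]: Notify DPA and Affected Individuals
 code: LEGAL_BREACH_NOTIFY_ALL
[CRISIS]: Full Crisis Response
 code: LEGAL_BREACH_CRISIS
"""

# Indentation is ignored, so the unindented "DSL Representation" on the page parses too.
OUTCOME_RE = re.compile(r"^\s*\[([A-Z][A-Z0-9_]*)\]:\s*(.*)$")
QUESTION_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*):\s*(.*)$")
EDGE_RE = re.compile(r"^\s*(\w+)\s*->\s*\[?([A-Z][A-Z0-9_]*)\]?\s*$")
ATTR_RE = re.compile(r"^\s*([a-z_]+):\s*(.*)$")

NOTIFY_WINDOW = timedelta(hours=72)  # GDPR Art. 33 window, counted from awareness
NOTIFYING_OUTCOMES = {"NOTIFY_DPA", "NOTIFY_DPA_INDIVIDUALS", "CRISIS"}  # assumption


def parse_dag(text):
    """Parse DSL text into {'header': {...}, 'questions': {...}, 'outcomes': {...}}."""
    dag = {"header": {}, "questions": {}, "outcomes": {}}
    current = None  # attribute dict of the node currently being filled in
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := OUTCOME_RE.match(line):
            current = dag["outcomes"].setdefault(m.group(1), {})
            current["label"] = m.group(2)
        elif (m := EDGE_RE.match(line)) and current is not None and "edges" in current:
            current["edges"][m.group(1).lower()] = m.group(2)
        elif m := QUESTION_RE.match(line):
            current = dag["questions"].setdefault(m.group(1), {"edges": {}})
            current["text"] = m.group(2)
        elif m := ATTR_RE.match(line):
            # Before the first node, key/value lines belong to the header.
            (dag["header"] if current is None else current)[m.group(1)] = m.group(2)
        else:
            raise ValueError(f"unparseable DSL line: {line!r}")
    return dag


def evaluate(dag, answers, max_steps=100):
    """Walk from entry using answers {question_id: 'yes'|'no'}; return (outcome_id, path).

    A missing answer raises KeyError so an incomplete assessment never yields an outcome.
    """
    node, path = dag["header"]["entry"], []
    for _ in range(max_steps):
        if node in dag["outcomes"]:
            return node, path
        answer = answers[node].strip().lower()
        path.append((node, answer))
        node = dag["questions"][node]["edges"][answer]
    raise RuntimeError("decision DAG did not terminate (cycle?)")


def answers_from_incident(personal_data, likely_risk, special_category, affected_upper_bound):
    """Map incident facts to answers; thresholds (500/250) are the page's. Pass a
    conservative upper bound for affected individuals, as the Q4/Q5 hints advise."""
    yn = lambda b: "yes" if b else "no"
    return {"Q1": yn(personal_data), "Q2": yn(likely_risk), "Q3": yn(special_category),
            "Q4": yn(affected_upper_bound > 500), "Q5": yn(affected_upper_bound > 250)}


def triage(dag, aware_at, **facts):
    """Run the assessment and attach the Art. 33 deadline to notifying outcomes."""
    if isinstance(aware_at, str):
        aware_at = datetime.fromisoformat(aware_at)
    outcome, path = evaluate(dag, answers_from_incident(**facts))
    info = dag["outcomes"][outcome]
    result = {"outcome": outcome, "code": info.get("code"), "label": info["label"], "path": path}
    if outcome in NOTIFYING_OUTCOMES:
        result["dpa_deadline"] = aware_at + NOTIFY_WINDOW  # independent of the head count
    return result


if __name__ == "__main__":
    r = triage(parse_dag(BREACH_DAG), "2026-05-12T09:00:00+00:00",  # constructed timestamp
               personal_data=True, likely_risk=True, special_category=False,
               affected_upper_bound=1200)
    print(r["code"], r["path"], r.get("dpa_deadline"))
```

Because `evaluate` raises on a missing answer instead of defaulting, a half-completed assessment cannot quietly land on "No Action Required"; and because the deadline is computed from `aware_at` rather than from when the count is settled, the recorded deadline reflects the page's point that the 72-hour clock does not wait for the scale assessment.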
Machine Access
- Static JSON: /t/drawdecisiontree/legal-data-breach-response/tree.json
- Live JSON (SPA): /json/drawdecisiontree/legal-data-breach-response
- Raw DSL: /t/drawdecisiontree/legal-data-breach-response/tree.dag
- Canonical HTML: /t/drawdecisiontree/legal-data-breach-response.html
Questions in this decision tree
- Did the incident involve personal data — any information relating to an identified or identifiable living individual?
- Is there a likely risk to the rights and freedoms of the individuals whose data was affected?
- Does the affected data include special category data or data relating to criminal convictions or offences?
- Are more than 500 individuals potentially affected by this breach?
- Are more than 250 individuals potentially affected by this breach?
Possible outcomes
- No Action Required
- Internal Containment Only
- Notify Data Protection Authority within 72 Hours
- Notify DPA and Affected Individuals
- Full Crisis Response
How to use this decision tree
Click "Open interactive version" to step through the questions. Your answers narrow the tree until a recommended outcome is reached. You can also embed this tree on your own site.