Breach detection and response procedures

Controllers and processors should ensure they have robust breach detection, investigation and internal reporting procedures in place. In the event of a breach such procedures will aid decision-making, identify what actions need to be taken, by whom and who to notify.

On becoming aware of a breach, it is important to initiate steps to contain it and mitigate the potential adverse consequences for individuals. Controllers are expected to prioritise the breach investigation, provide adequate resources to do so, and expedite it urgently.

The steps to be taken should be based on how serious the consequences to an individual are, and how likely they are to happen. Therefore, immediately upon becoming aware of a breach, it is vitally important that the controller not only seeks to contain the incident but also assesses the risk that could result from it.

There are two important reasons for this: firstly, knowing the likelihood and the potential severity of the impact on the individual will help the controller to take effective steps to contain and address the breach; secondly, it will help it to determine whether notification is required to the supervisory authority and, if necessary, to the individuals concerned.

Breach response procedures should:- 

The breach response procedures should be subject to regular review and test.

Documenting a personal data breach

A controller is required to document the facts relating to the breach, its effects and the remedial action taken.

As with any security incident, an investigation should be undertaken to determine the cause of the breach (for example, whether it was a result of human error or a systemic issue) and to identify how a recurrence can be prevented, perhaps through better processes or further training.

What should a processor do?

If you are a processor and a personal data breach occurs, then you must notify the controller without undue delay after becoming aware of the breach.


A controller contracts a cloud services firm (processor) to hold its customer records. The cloud services firm detects an attack on its network that results in personal data about the controller’s clients being unlawfully accessed. As this is a personal data breach, the cloud services firm promptly notifies the controller of the breach. The controller in turn notifies the Commissioner.

Note: where a processor is used, the obligations on personal data breach reporting should be set out in the contract required under Article 28 of the ‘Applied GDPR’.