Managing a personal data breach—process flowchart—GDPR

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Managing a personal data breach—process flowchart—GDPR
  • Stage 1—assemble data breach team
  • Stage 2—preliminary assessment
  • Stage 3—containment and recovery
  • Stage 4—assess and record
  • Stage 5—notify the ICO (if required)
  • Stage 6—notify data subject (if required)
  • Stage 7—notify other relevant parties
  • Stage 8—prevent future breaches

This Practice Note illustrates how to manage a data protection breach under the EU General Data Protection Regulation (GDPR). It reflects reporting and recording requirements under the GDPR together with data breach management guidance issued by the Information Commissioner's Office (ICO). It maps out a process, providing guidance and links to relevant precedents for each stage of that process. It can also be used for cybersecurity breaches.

Data protection breach management workflow


See Precedents: Personal data breach plan, Data breach report form—internal, and Data breach assessment and action plan, which guide you through each stage of this workflow.

Stage 1—assemble data breach team

The first step is to assemble your data breach team. Consider who within the organisation would be best placed to react swiftly to news of the breach and who should be involved with the subsequent investigation. This will often involve input from specialists across the business such as IT, HR and compliance/legal and, in some cases, contact with external stakeholders and suppliers.

Precedent: Data breach plan encourages you to assemble a skeleton data breach team in advance of a data breach occurring.

Stage 2—preliminary assessment

You will need to conduct a very high level, preliminary assessment of the personal data breach so you can take
