What Happens in the First 72 Hours After a Data Breach

Immediately after recognising a data breach, an organisation must assess the impact, contain the breach, decide whether ICO notification is required, and document every action and decision.

Even if the organisation is unable to contain or even fully understand the scope of the breach: If there is risk to the affected data subjects then the ICO needs to be notified.

Why this Matters

The UK GDPR imposes a 72‑hour window to assess and, where required, notify the regulator of a personal data breach.
Poor preparation leads to rushed decisions, incomplete evidence, and increased regulatory risk.

Regulators assess how decisions were made, not just what decision was taken.

The first 72 Hours: Step by Step

0–24 Hours: Containment & Fact‑Finding (IT‑Led)

Primary objective: Stop further data loss and establish the facts.

What happens

Systems or accounts are isolated
Access is restricted or revoked
Malicious activity is contained
Initial timelines are established

IT responsibilities

Identify affected systems
Preserve logs and forensic evidence
Prevent further compromise

Evidence created

Incident start time and detection method
Containment actions taken
Initial system and access logs

24–48 Hours: Impact & Risk Assessment (IT + DPO)

Primary objective: Understand whether personal data is affected and assess risk to individuals.

Key questions

Was personal data involved?
What categories of data were affected?
How many individuals are impacted?
What possible harms might come to the data subjects (financial, emotional, safety, discrimination)?

Roles

IT: Provides factual technical detail and timelines
DPO: Advises on GDPR implications and risk assessment

Evidence created

Data categories and volumes affected
Risk and harm assessment
DPO advice and recommendations

48–72 Hours: Notification Decision & Escalation

Primary objective: Decide whether notification is required and prepare communications.

Decision points

Is notification to the regulator required?
Are affected individuals at high risk?
What mitigation steps reduce impact?

Accountability

The organisation makes the decision
The DPO advises and documents the rationale

If notification is required

Regulator notification is prepared and submitted
Communications to individuals are drafted

Evidence created

Notification decision and rationale
Draft or submitted notifications
Internal escalation and approval records

What Regulators Expect to See

Regulators do not expect perfection. They expect timely, reasoned, and evidenced decision‑making.

Typically requested evidence includes:

Incident timeline
Technical facts and containment actions
Risk assessment and DPO advice
Notification decision (including where no notification was made)
Remediation and lessons learned

Common Failure Points in the First 72 Hours

Delayed escalation from IT to DPO
Decisions made verbally with no record
Missing or overwritten logs
Confusion over who owns the decision
Scrambling to reconstruct events after the fact

What Good Preparation Delivers

Organisations that prepare in advance typically achieve:

Faster containment
Clearer decision‑making
Lower regulatory exposure
Calmer, more confident leadership response

Preparation turns the 72‑hour window from a panic period into a controlled process.

How IT Teams Support a Defensible Response

IT teams play a critical role by:

Preserving accurate timelines
Acting promptly on decisions around investigation and mitigation
Providing clear, factual input
Supporting evidence capture
Escalating promptly and appropriately

IT does not decide notifiability; but do IT evidence enables defensible decisions.

What “Good” Looks Like

Well‑run organisations:

Have rehearsed breach response processes
Know who escalates to whom, and when
Capture evidence as incidents unfold
Document decisions as they are made

This allows boards, DPOs, and regulators to see control, not confusion.