A board should ensure the incident is contained, decisions are documented, regulatory obligations are assessed within 72 hours, and evidence of oversight is retained.

Why this matters

Boards remain accountable for GDPR compliance, even when incidents are operationally managed by IT or suppliers. Regulators look for clear governance, documented decisions, and timely response.

What Boards should expect to happen

1. Containment (IT‑led): Systems are isolated and access controlled to prevent further data loss.

2. Impact assessment (DPO‑advised): What data is affected, who is impacted, and potential harm.

3. Notification decision (documented): Whether the breach is reportable to the regulator and/or data subjects.

4. Evidence capture (system‑based): Decisions, timing, rationale, and actions logged.

5. Board oversight (visible and recorded): Trustees receive a clear summary showing risks, decisions taken, and next steps.

What evidence boards should see

• Incident timeline and containment actions
• Risk and harm assessment
• Notification decision and rationale
• Communications plan
• Remediation and lessons learned
  
  

What good looks like