Who decides if a data breach is reportable?

The organisation (as data controller) decides whether a breach is reportable, informed by independent advice from the DPO. The DPO advises and the advice should be recorded, but the DPO does not take the decision and does not carry accountability for it; that stays with the organisation.

Why this matters

Notification decisions are scrutinised closely by regulators, and a decision not to notify is examined as closely as a notification. The decision process matters as much as the outcome, so the reasoning must be recorded whether or not a report is made.

How the decision typically works

  1. Fact‑finding: what happened, when the organisation became aware of it, and what personal data and which individuals are affected
  2. Risk assessment: likelihood and severity of harm to the affected individuals
  3. DPO advice: independent assessment of that risk and a recommendation on whether to notify
  4. Decision: taken by the organisation and documented, with the facts relied on, the risk assessment, the DPO's advice and the reasons for the outcome

What regulators expect to see

  • Clear rationale for the decision, whichever way it went
  • Evidence of DPO input and of whether it was followed
  • Timely action: the 72‑hour clock runs from the point the organisation became aware of the breach, and where notification is made after that deadline it must be accompanied by the reasons for the delay

Red flags

  • Undocumented decisions
  • Decisions taken without DPO involvement
  • Decisions that are not grounded in the established facts