2026. Supervisors expect speed and evidence for personal data breaches. The 72-hour window starts when you become aware of a likely risk to individuals — not after full forensic completion.
What belongs in the first hours?
- Containment: stop further exfiltration, preserve logs, start forensics.
- Impact: which data, how many data subjects, what sensitivity?
- Duty to notify: authority, data subjects, processors — who is accountable?
- Communication: internal escalation (DPO, CISO, leadership).
When to notify — and when not
Not every incident is a notifiable breach. Document why you notify or not. Link to your privacy hub and ISO 27001 incident process.
Playbook checklist
- Supervisory authority and DPO contacts reachable 24/7.
- Notification templates for authority and data subjects.
- Decision logging (who, when, why).
- Annual exercise — not paper only.
AP supervision in 2026 asks for timestamps: when was the incident discovered, when was the DPO informed and when was the notification decision taken. Without that timeline, rationale for not notifying is fragile in later investigation.
Link GDPR incidents to your ISO 27001 incident register and CAP process. The same root cause can have privacy and security impact — one improvement action tagged for both frameworks is more efficient than parallel files.
Exercise annually with a scenario where notification need is initially unclear. Train legal, IT and communications in the same tabletop so escalation paths work in practice.
Timeline and decision-making
At discovery, start an internal timeline: who reported what, when was the DPO engaged, when was impact sufficient for a notification decision? Supervisory review in 2026 looks at those steps, not only the final yes/no.
Separate security and privacy incident files in structure, but use one improvement register for root cause. Ransomware can have GDPR and ISO impact; duplicate CAP tracks without shared conclusion confuse auditors.
Prepare templates for authority notification, data subject communication and internal escalation. Under stress, teams win when they are not hunting contacts or legal wording.
After each incident (notified or not), evaluate within two weeks: what worked, what must change in the playbook? That short after-action review is useful evidence for ISO 27001 and GDPR accountability.
Keep forensic data separate from authority communication — legal assessment must not delay the technical timeline. DPO and CISO share the file, each with own responsibility. That model also works for ISO 27001 incident registration.
Separate forensics and communication
Keep forensic data separate from authority communication — legal assessment must not delay the technical timeline. DPO and CISO share the file with separate responsibilities; that model also works for ISO 27001 incident registration.
Document timestamps: discovery, DPO notification, notification decision. AP supervision in 2026 asks explicitly — without a timeline, rationale for not notifying is fragile.
Exercise annually with a scenario where notification need is initially unclear. Train legal, IT and communications in the same tabletop.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
