Breach identification
– Potential data breach identified
– Inform incident response team and carry out initial investigations
– Investigation confirms personal data breach
– Engage legal advisors to protect privilege
Within 24 hours
– Notify insurers and all relevant business teams and stakeholders
– Investigation team establishes circumstances of the breach (possibly in conjunction with external forensic experts)
– Data Protection Officer (DPO) concludes notification to Supervisory Authority is required
Within 48 hours
– Commence drafting of notification
Within 72 hours
– Finalise notification
– Notification reviewed by relevant teams (legal, regulatory) and DPO
– Notification to Supervisory Authority(/ies)