Tool · Respond 5.2

A breach just happened. Who do I notify?

Two separate duties hang off one incident: telling the supervisory authority (Art. 33) and telling the affected people (Art. 34). They have different thresholds. Answer a few questions to see which apply.

Question 1 · is it a breach
Did the incident compromise personal data: its confidentiality, integrity, or availability?
A breach is broad: a public S3 bucket, an accidental DELETE, or a lost laptop all count (Art. 4(12)).
Question 2 · risk threshold
Is it likely to result in a risk to individuals' rights and freedoms?
Consider the data, the number of people, and the possible harm.
Question 3 · severity
Is that risk likely to be high?
High risk pulls in the duty to tell the individuals themselves.
Was the data strongly encrypted with keys intact, or the high risk otherwise mitigated afterwards?
Who to notify
Answer the questions to see who you must notify, and by when.
Not legal advice. The clock starts at awareness with reasonable certainty, not at the breach. Loop in your DPO before any external word; this helper does not replace that.