Data breach response plan: A step-by-step guide for businesses


The General Data Protection Regulation (GDPR) addresses the security of data processing mainly in Articles 32-34. In practice, however, the security of processing and the choice of security measures according to the level of risk is one of the cross-cutting themes of the GDPR as a whole.

The GDPR allows for the implementation of information security measures on a risk-based approach while at the same time placing the responsibility on the data controller to assess the risks and ensure the capacity to implement the measures.  

The assessment of the level of security required will, in particular, consider the risks presented by the processing of personal data, especially accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The most common causes of data-related incidents are loss of a laptop/mobile device, phishing or service interruption, unauthorised use of computer accounts, theft or loss of electronic or paper data, and unknowingly or intentionally disclosed data. If a company becomes aware or suspects that any of the above has occurred, rather than sadly singing ‘Let It Be’ by the Beatles, it should act quickly and with a clear plan. 

How to recognise a personal data breach (as part of an information security incident)?  

  • A cyber incident is a situation where the confidentiality, integrity and availability of an organisation’s, institution’s, or individual’s information system and/or the information contained within it is compromised. Cyber incidents are also situations where someone else’s information system is used without authorisation or its activity is intentionally disrupted (State Information System Authority).  
  • When an incident occurs, an assessment must always be made as to whether personal data is affected. Until this is clear, it should be assumed that it is.  
  • Personal data is any data that can be directly or indirectly associated with a particular natural person.  
  • Breach of personal data means unlawful or accidental destruction, loss, inaccessibility, or unauthorised access to the data as well as disclosure of the data.  
  • The number of data subjects affected, the type of data concerned, and the cause of the breach should be established as clearly as possible. 

How to act?  

  • Stopping an ongoing incident as soon as possible and taking action to prevent further damage. If necessary, informing other parties and cooperating with them to stop the incident.  
  • In certain cases, there is an obligation to inform the DPI (Data Protection Inspectorate) no later than 72 hours after becoming aware of the incident. In certain cases, there is also an obligation to inform the affected individuals.  
  • Records must be kept of incidents that have taken place in accordance with GDPR Article 33(5) ‘The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with the requirements laid down.’ 
  • Notifying CERT-EE (State Information System Authority) if the company provides, for example, a digital service, a communication service or a trust service within the meaning of the law on e-identification and trust services for e-transactions. 

A summary of steps to take in response to an incident 

Identifying a security incident 

Discovery and internal investigation. If the incident qualifies as a reportable information security incident, ensure that the competent supervisory authority (CERT-EE in Estonia) is informed. Every employee should know that, in the event of detection or suspicion of an incident, a specific contact person should be informed. 

Coordinating an investigation of the incident 

The company will assign specific persons/positions to the incident investigation team without delay. 

Documenting and analysing the incident 

Investigating a security incident 

As soon as possible after the discovery of a security incident, an investigation should be conducted to determine whether the security incident is ongoing, whether the method used to perpetrate it is still available, and whether the vulnerability is still present and exploitable. As soon as possible, it should also be clarified whether the security incident includes a personal data incident/breach. If so, the actions outlined in the step ‘Notification and documentation of an incident involving personal data’ should follow. 

Suspension of personal data-related breaches  

Documentation of the breach 

Inspection report 

The investigation team will draw up an inspection report to identify the causes of the incident, the necessary measures and the elements that will help establish the extent of the damage. 

Personal data incident response team 

A personal data breach can affect several areas/departments of a company. Therefore, the initial team may be expanded to ensure that all affected parties are informed and involved. 

External advisers  
In order to effectively manage an incident, the company may engage the services of external consultants/experts, especially in cases where their services are required to limit the damage. External advisors typically include legal experts and IT specialists. 
The incident analysis process 

IT analysis 

The IT team should provide a more detailed assessment of: 

  • how the personal data incident occurred, including the causes and vulnerabilities in question;  
  • the data or systems affected;  
  • the parties that may be affected by the personal data incident (e.g., customers, employees, customers’ employees, etc.);  
  • the parties who may have been responsible for the breach (e.g., third-party service providers, employees, etc.);  
  • whether personal data, trade secrets, intellectual property or other non-public information has been compromised;  
  • whether the data was encrypted;  
  • where personal data is involved, the number and location of the individuals involved;  
  • what measures are available to ultimately remedy the incident. 

Gathering evidence during IT analysis 
Whenever possible, evidence is also collected and preserved during the analysis of an IT incident, including evidence that may be relevant to a potential legal dispute. The company can use the support of legal experts in this respect. 

Notification and documentation of an incident involving personal data 

Notification requirements 

If it is determined that a security incident involves a personal data breach, the company must assess whether the breach also qualifies as a notifiable breach. Criteria for this are provided by the DPI based on the requirements of the GDPR (in Estonia 

Notifying individuals  
Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the company must promptly notify individuals of the breach and its potential impact.  The company shall consider the need to involve a public relations team/external advisor regarding the appropriate approach and how to inform individuals. The supervisory authority may also provide advice on how to approach individuals. 

Notifying the data controller   
Where the company is acting as an authorised data processor, it must ensure that the controller on whose behalf it is acting is notified in accordance with the provisions of the contract between them and the requirements of the GDPR.  
Complaints and claims defence plan 

In the event of a complaint, claim, proceeding or action arising out of a personal data breach, the company shall evaluate the possibility of engaging external counsel to assess the risks and defences arising from such complaints. 

Keeping a register of breaches 

Those responsible for investigating an incident should record the details of all personal data incidents (including the incident, the personal data affected, the actions taken by the company and the reasons for those actions) in a dedicated register. Such a register is also available for inspection by the supervisory authority. Details of personal data breaches should be recorded whether or not it was necessary to inform the supervisory authority and/or individuals. In cases where notification is not considered necessary, it is desirable to record the reasons for non-notification. 

Should you have further questions, please contact our Specialist Data Privacy Counsel, Andres Ojaver.
