Respuesta a incidentes

GDPR data breach management

When a personal data breach occurs, the clock of Article 33 of the GDPR starts running from the moment of awareness: 72 hours to notify the AEPD. Summum Consultoría accompanies you through the entire process — risk assessment, regulatory notification, communication to affected individuals and full incident documentation.

Applicable lawGDPR (EU) 2016/679 · LOPDGDD 3/2018
Key deadline72 hours from awareness (art. 33 GDPR)
Supervisory authorityAEPD — Spanish Data Protection Agency

A personal data breach is any incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The concept covers everything from an email sent to the wrong recipient or a lost laptop to a ransomware attack that encrypts the customer database. The General Data Protection Regulation — GDPR (EU) 2016/679 — requires all data controllers to manage these situations with documented procedures and strict deadlines: notification to the Agencia Española de Protección de Datos (AEPD) within 72 hours where the breach is likely to result in a risk to the rights of the individuals concerned (art. 33), and direct communication to those individuals when the risk is high (art. 34).

The real problem in most organisations is not a lack of goodwill, but the absence of a pre-established response protocol. When an incident occurs, the team does not know who should decide whether to notify, what information the notification must contain, who needs to be informed internally and how to record all actions taken. The typical result is that the 72 hours pass without notification, or the notification submitted to the AEPD is incomplete — which can worsen the regulator's assessment of the incident. The AEPD considers having procedures in place and acting diligently from the outset as a factor that mitigates the seriousness of the breach.

At Summum Consultoría we help SMEs and mid-sized companies build a data breach management protocol that works in practice, not just on paper. We design the internal procedure, train the responsible team, and when a real incident occurs we are available to assist with the risk assessment, drafting the AEPD notification, communicating with affected individuals and assembling the documentation file. We do not replace the AEPD or guarantee outcomes in any enforcement proceeding, but we do ensure that the organisation acts in an orderly manner, within the legal deadlines and with the documentation that the regulator expects to find.

The GDPR data breach management process.

The process · four stages
01

Preventive protocol implementation

We design and document the internal data breach management procedure: criteria for identifying and classifying incidents, internal escalation chain, notification templates for the AEPD and for communications to data subjects, and the format of the breach register (art. 33.5 GDPR). The protocol is integrated into the organisation's existing privacy documentation and tailored to its size and sector.

02

Incident risk assessment

When a breach occurs, we analyse its nature, the type and volume of data affected, the categories of individuals involved and the likelihood and severity of risk. We apply the risk assessment methodology recognised by the AEPD to determine whether the breach must be notified to the regulator (art. 33) and whether it additionally requires direct communication to the affected individuals (art. 34).

03

AEPD notification within 72 hours

We draft and submit the notification through the AEPD's electronic portal within the legal deadline. The notification sets out the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. Where all information is not yet available, we structure a phased notification as permitted by art. 33.4 GDPR.

04

Communication to data subjects and file closure

Where the risk assessment determines that the breach may cause serious harm to individuals (high risk, art. 34), we prepare the communication to data subjects in plain language, including the protective recommendations required by the regulation. Once the incident is managed, we document the complete file in the breach register: timeline, decisions taken, corrective measures and improvements to prevent recurrence.

What is included

What GDPR data breach management includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Internal breach management protocol

    Documented procedure for detecting, classifying, escalating and managing personal data security incidents: activation criteria, internal communication chain, templates and assignment of responsibilities.

  • Risk assessment (art. 33 GDPR)

    Analysis of the nature of the incident, type and volume of data affected, categories of individuals and probability and severity of risk, following the AEPD's methodology to determine whether there is a notification obligation.

  • AEPD notification within 72 hours

    Drafting and submission of the notification through the AEPD's electronic portal with all content required by art. 33 GDPR, including management of phased notifications when full information is not available at the outset.

  • Communication to data subjects (art. 34 GDPR)

    Drafting of communications to affected individuals when the risk is high: description of the breach in plain language, contact details for the DPO or controller, and recommended protective measures.

  • Breach register (art. 33.5 GDPR)

    Complete documentation of each incident file: facts, effects, measures taken and chronology of actions, in the format required by the GDPR to demonstrate diligent management to the regulator.

  • Corrective and improvement measures

    Identification and documentation of the technical and organisational actions taken following the incident to reduce the risk of recurrence and improve the organisation's overall security posture.

Frequently asked questions about GDPR data breach management.

When is notification of a breach to the AEPD mandatory?

Article 33 of the GDPR requires notification to the supervisory authority — in Spain, the AEPD — within a maximum of 72 hours from the moment the data controller becomes aware of the breach, provided it is likely to result in a risk to the rights and freedoms of the individuals affected. If the breach is unlikely to entail that risk — for example because the data were protected by adequate encryption — notification is not mandatory, but the decision and its reasoning must be documented in the internal breach register. The risk assessment must be thorough and documented, not assumed.

What if it is not possible to complete the notification within 72 hours?

Article 33.4 of the GDPR allows phased notification when all information is not available at the outset. In that case, an initial notification is submitted with the information that is available, and it is supplemented or amended as further data become known, indicating the reasons for the delay. This approach is preferable to waiting until full information is gathered and thereby missing the 72-hour deadline. The AEPD takes a favourable view of prompt notification — even where information is initially incomplete — compared with unjustified delay.

When must the breach be communicated directly to the individuals affected?

Direct communication to data subjects is mandatory when, in addition to there being a likely risk, that risk is high for their rights and freedoms (art. 34 GDPR). Factors pointing to high risk include the type of data involved — particularly sensitive data such as health information, financial data or data relating to minors — the number of individuals affected, the possibility of identity theft and the degree of identifiability of the persons concerned. The communication must be made directly to each affected individual in clear and plain language, without undue delay.

Is a ransomware attack always a notifiable breach?

A ransomware attack that encrypts or blocks access to personal data constitutes a personal data breach within the meaning of the GDPR and must always be assessed. If adequate backups exist that allow data to be restored and there is no evidence that the attacker accessed or exfiltrated data, the risk to data subjects may be low and notification to the AEPD may not be required — although internal documentation remains mandatory. If there are indications of access to or exfiltration of data, notification is in practice almost always required. The key is that the assessment be rigorous and documented, rather than assuming no notification is needed without proper analysis.

What penalties can the AEPD impose for failing to notify a breach?

Failure to notify or an unjustified delay in notifying a breach to the AEPD may be classified as a serious infringement subject to the penalty framework of Article 83 of the GDPR: fines of up to EUR 10 million or 2 % of total annual worldwide turnover, whichever is higher. For more serious GDPR violations, the maximum ceiling rises to EUR 20 million or 4 % of global annual turnover. The AEPD takes into account as mitigating factors cooperation with the regulator, diligence in notification and measures taken to limit the damage caused.

What must the internal breach register contain?

Article 33.5 of the GDPR requires all breaches to be documented, including those that do not require notification to the AEPD. The register must include a description of the facts, their effects and the remedial measures taken. It is the document that the regulator may request at any time to verify that the organisation manages incidents responsibly. There is no prescribed official format, but the register must be sufficiently detailed to reconstruct the timeline of the incident and the decisions taken during its management.