GDPR Article 33 Compliance: Data Breach Notification Procedure
Release: v0.1.144 Control: GDPR-10 Framework: GDPR
Overview
GDPR Article 33 requires that any organisation acting as a data controller notify the relevant supervisory authority — in the UK, the Information Commissioner's Office (ICO) — within 72 hours of becoming aware of a personal data breach. Failure to have a documented procedure in place is itself a compliance risk, independent of whether a breach has occurred.
Version 0.1.144 closes this gap by introducing a formal incident response runbook (INCIDENT_RESPONSE.md) in the repository root.
What the Procedure Covers
The INCIDENT_RESPONSE.md runbook documents five mandatory areas:
1. Breach Detection Triggers
Indicators that should prompt an immediate internal investigation, such as:
- Unauthorised access to personal data stores
- Accidental disclosure of sensitive records
- Loss or theft of devices containing personal data
- Anomalous data export activity surfaced by monitoring alerts
2. Internal Escalation Process
A defined chain of ownership from first responder through to Data Protection Officer (DPO) or nominated compliance lead, with clear timelines to ensure the 72-hour window is not missed.
3. ICO Notification Procedure
Step-by-step guidance for reporting a breach to the ICO:
- Deadline: Within 72 hours of discovery
- Reporting portal: ico.org.uk/report-a-breach
- Required information: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed
Note: If notification cannot be made within 72 hours, the reasons for the delay must be provided alongside the notification.
4. Affected Data Subject Notification Template
A pre-drafted communication template for notifying individuals whose personal data has been compromised (required under GDPR Art. 34 where the breach is likely to result in a high risk to those individuals).
5. Post-Incident Review Process
A structured retrospective framework to identify root cause, assess control failures, and document remediation actions to prevent recurrence.
Repository Artefact
| File | Location | Purpose |
|---|---|---|
| INCIDENT_RESPONSE.md | Repository root | Full breach notification runbook |
The privacy policy has been updated to link directly to this document.
Regulatory Reference
| Item | Detail |
|---|---|
| Regulation | UK GDPR / EU GDPR |
| Article | Art. 33 — Notification to supervisory authority |
| Related article | Art. 34: Notification to data subjects (high-risk breaches) |
| Supervisory authority | Information Commissioner's Office (ICO) |
| ICO reporting portal | ico.org.uk/report-a-breach |
| Notification deadline | 72 hours from discovery |
Related Controls
- GDPR-10 — Breach notification to supervisory authority (Art. 33) ✅ Addressed in this release
- GDPR Art. 34 — Notification to affected data subjects (referenced in runbook)
- GDPR Art. 30 — Records of processing activities
No Application Changes
This release is documentation-only. No API endpoints, data models, or application behaviour were altered.