Blog

GDPR Breach Notification Checklist for SaaS

By
The Reform Team
  • 72-Hour Rule: Article 33 requires you to notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Breaches likely to result in a high risk must also be communicated to the affected individuals (Article 34).
  • Fines for Non-Compliance: Failing to notify is fineable at up to €10 million or 2% of global annual turnover, whichever is higher (Article 83(4)); the underlying security failure can fall under the upper tier of €20 million or 4% where it breaches the Article 5 principles.
  • Types of Breaches: GDPR (Article 4(12)) covers any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In practice breaches are classed as confidentiality (unauthorised access or disclosure), integrity (unauthorised alteration), or availability (lost or inaccessible data), and one incident can be all three.
  • Dual Responsibility: SaaS companies are usually controllers for their own user and employee data and processors for the data customers upload, so compliance covers both your own notification duties and the ones flowing to customers and from subprocessors.

Quick Steps to Handle a Breach:

  1. Detect & Contain (First 4 Hours):
    • Assemble your incident response team.
    • Contain the damage (e.g., revoke compromised credentials, isolate affected hosts) without destroying evidence.
    • Preserve evidence (logs, disk images, memory captures) before rebuilding anything.
  2. Assess Scope (Hours 4–24):
    • Identify affected individuals and data types.
    • Use a risk matrix to evaluate potential harm.
  3. Notify (Hours 24–72):
    • Report to the supervisory authority and, for high-risk breaches, to the affected individuals; as a processor, report to your controllers.
    • Submit a preliminary report and complete it in phases if details are still incomplete (Article 33(4)).
  4. Post-Breach Actions:
    • Strengthen security (e.g., encryption, MFA, access controls).
    • Document the breach thoroughly for audits.
    • Review and update your incident response plan.

Tip: Having pre-prepared templates, clear workflows, and compliance tools can save critical time during a breach.

This checklist helps you stay compliant, protect your customers, and minimize regulatory penalties.

GDPR 72-Hour Breach Response Timeline for SaaS Companies


GDPR Breach Notification Checklist

If you suspect a data breach, it’s time to act - and fast. The General Data Protection Regulation (GDPR) gives you just 72 hours to notify authorities once you become aware of a breach. This countdown doesn’t wait for your investigation to conclude or for all the details to be confirmed. As PrivacyForge.ai aptly states:

"The clock starts when you know, not when you're done investigating".

This means having a clear, actionable plan ready to roll out under pressure is absolutely critical.

Detect and Contain the Breach

The first few hours - Hours 0–4 - are crucial. Start by activating your incident response team, which should include members from IT/security, legal, management, and communications. While the team is assembling, begin containing the breach. Be careful not to destroy evidence in the process: preserve logs, take forensic images of affected hosts before you rebuild them, and avoid wiping systems, because regulators (and your own root cause analysis) will need that information later.

How you contain the breach depends on its nature. For instance:

  • Revoke compromised credentials, API keys and session tokens, and reset passwords.
  • Enforce Multi-Factor Authentication (MFA) on the affected accounts and on administrative consoles.
  • Isolate affected systems from the network to prevent further spread.
  • Close the exposure itself, for example by taking a misconfigured public storage bucket offline or disabling the vulnerable endpoint.
  • If an email was sent to the wrong recipient, contact them immediately and request written confirmation of deletion.

Establish direct internal reporting channels, such as a dedicated Slack channel or a "privacy@" email address, so that potential breaches are flagged quickly. Run continuous monitoring to spot unauthorized access attempts or unusual data-access patterns (bulk exports, off-hours admin activity) before they escalate. Keep audit logs that capture access events, data changes, and administrative actions in an immutable form, such as write-once storage or a separate log store that the monitored systems cannot modify, so the record survives an attacker's attempt to cover their tracks.
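The "immutable" audit log above can be approximated in software with a hash chain: each record commits to the hash of the previous one, so deleting, editing or reordering entries breaks the chain and is detectable during the investigation. The Python below is an added example for this post, not Reform's code; the event fields, the sample events and the bulk-access threshold used by the detector are constructed assumptions.

```python
"""Tamper-evident (hash-chained) audit log with a simple bulk-access detector.

Added example for this post, not Reform's code. Field names, the sample events
and the bulk-access threshold are constructed for illustration.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the first record


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # hashes the same way; prev_hash makes every record commit to all history.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list = []

    def append(self, actor: str, action: str, target: str, ts: Optional[str] = None, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,      # e.g. "read", "export", "delete", "role_change"
            "target": target,      # resource or tenant the action touched
            "details": details,
            "prev": prev,
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry.get("prev") != prev or _entry_hash(prev, body) != entry.get("hash"):
                return False, i
            prev = entry["hash"]
        return True, -1

    def dump(self) -> str:
        # One JSON object per line: what you would forward to write-once storage.
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def load(cls, text: str) -> "AuditLog":
        log = cls()
        log.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        return log


def bulk_access_alerts(entries, actions=("read", "export"), limit: int = 100) -> dict:
    """Actors whose read/export count exceeds `limit` - a crude signal for mass exfiltration."""
    counts = Counter(e["actor"] for e in entries if e["action"] in actions)
    return {actor: n for actor, n in counts.items() if n > limit}


def build_sample_log() -> AuditLog:
    # Constructed events: an analytics service account suddenly exporting tenant data.
    log = AuditLog()
    log.append("alice@example.com", "read", "tenant:acme/doc/1", ts="2025-03-01T09:00:00+00:00")
    for i in range(4):
        log.append("svc-analytics", "export", f"tenant:globex/table/{i}",
                   ts=f"2025-03-01T09:0{i + 1}:00+00:00", rows=50_000)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("alerts:", bulk_access_alerts(log.entries, limit=3))
    log.entries[2]["actor"] = "alice@example.com"   # simulate an attacker rewriting history
    print("after tampering:", log.verify())
```

The chain only proves that the copy you verify is the one that was written; it does not stop an attacker with write access from truncating the file and continuing the chain from an earlier point, which is why the head hash (or the whole stream) should also be shipped to storage the monitored systems cannot reach.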

Assess the Breach Scope and Impact

During Hours 4–24, your focus should shift to investigating the breach. Determine how many individuals are affected, what types of data were compromised, and the potential risks involved. A risk matrix can help you evaluate factors like data sensitivity, the volume of records involved, and the likelihood of harm such as fraud or identity theft.

GDPR sets two thresholds. A breach that is unlikely to result in a risk to individuals' rights and freedoms needs no notification (but must still be recorded); one that is likely to result in a risk must be reported to the supervisory authority; one that is likely to result in a high risk must also be communicated to the affected individuals. For example:

  • Basic contact details on their own often fall into the lower-risk category, unless the context makes them sensitive (a customer list of a mental-health service says something about every name on it).
  • Sensitive data, such as passwords, financial information, or health records, usually triggers the high-risk protocol.

If the breached data was encrypted with a state-of-the-art algorithm and the key has not been compromised, a confidentiality breach may be unlikely to result in a risk and notification may not be required (Article 34(3)(a) makes this explicit for data subjects). Encryption does not help if the breach is one of availability and the encrypted data itself is lost with no backup. Regardless, document everything. Article 33(5) requires you to keep a breach register recording the facts, effects, and remedial actions for every incident - including those you decide not to notify - so that the supervisory authority can verify your reasoning.

Once the scope is clear, focus on deciding who needs to be notified.

Determine Who Needs to Be Notified

Hours 24–48 are all about risk assessment and making notification decisions. Based on your findings, decide whether to notify:

  • The supervisory authority only.
  • Both the supervisory authority and affected individuals.
  • No one, where the breach is unlikely to result in a risk (it still goes in the breach register).

If the breach is likely to result in a risk to individuals' rights and freedoms, notify the supervisory authority within 72 hours of becoming aware of it. If it is likely to result in a high risk, also notify the affected individuals without undue delay.

For SaaS companies acting as data processors, Article 33(2) requires you to notify the affected data controllers without undue delay after becoming aware - many Data Processing Agreements fix this at 24 hours - so they can meet their own 72-hour deadline. As a processor you do not notify the supervisory authority yourself; that decision belongs to the controller.

"When in doubt, notification is the safer path. The penalty for failing to notify when required is significantly higher than the administrative burden of notification." – PrivacyForge.ai

Prepare Notifications for Supervisory Authorities

Use Hours 48–72 to finalize and submit your notification. If you process data across several EU member states, submit your report to the Lead Supervisory Authority (LSA), the authority of the member state where your main establishment is (the place where decisions on the purposes and means of processing are taken). Under Article 33(3) your notification must include:

  • The nature of the breach (confidentiality, integrity, availability, or a combination).
  • Categories and approximate number of affected individuals and of personal data records.
  • The name and contact details of your Data Protection Officer or another point of contact.
  • The likely consequences for individuals.
  • Measures taken or proposed to address the breach, including any to mitigate its possible adverse effects.

If you don’t have all the details yet, submit a preliminary report and supplement it in phases as information becomes available; Article 33(4) allows this without undue further delay. To streamline the process, prepare notification templates in advance for both supervisory authorities and affected individuals, and keep an up-to-date data inventory - including the cookies, trackers, and third-party scripts on your own properties - so you always know what could be at risk.
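The risk tiers, the encryption carve-out, the processor-to-controller step and the Article 33(3) content list from the last three sections can be put into a single triage routine that the response team runs against the facts as they come in, recomputing deadlines and the list of still-missing report fields. The Python below is an added example for this post, not Reform's or PrivacyForge.ai's code; the risk scoring rules, the 10,000-record threshold, the 24-hour DPA window and the report field names are illustrative assumptions, not GDPR text.

```python
"""Breach triage: who to notify, by when, and what is still missing from the report.

Added example for this post (not Reform's code). Risk rules, thresholds, the
DPA window and report field names are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set


class Risk(Enum):
    UNLIKELY = 0   # record in the breach register only (Art. 33(5))
    RISK = 1       # notify the supervisory authority (Art. 33)
    HIGH = 2       # also communicate to the data subjects (Art. 34)


# Assumed categories that, on their own, push a breach into the high-risk tier.
SENSITIVE: Set[str] = {"password", "financial", "health", "government_id", "biometric"}
BULK_THRESHOLD = 10_000          # assumed: scale alone raises the likelihood of harm
AUTHORITY_FIELDS = ("nature", "categories_and_counts", "contact_point",
                    "likely_consequences", "measures")   # Art. 33(3)(a)-(d)


@dataclass
class Breach:
    aware_at: datetime               # reasonable certainty that personal data was compromised
    data_categories: Set[str]
    record_count: int
    breach_types: Set[str]           # subset of {"confidentiality", "integrity", "availability"}
    role: str = "controller"         # your role for THIS data: "controller" or "processor"
    encrypted: bool = False
    key_compromised: bool = False
    backup_available: bool = True
    dpa_notice_hours: int = 24       # assumed contractual processor -> controller deadline


@dataclass
class Plan:
    risk: Risk
    notify_authority: bool
    notify_subjects: bool
    notify_controller: bool
    authority_deadline: Optional[datetime]
    controller_deadline: Optional[datetime]
    missing_fields: List[str] = field(default_factory=list)


def assess_risk(b: Breach) -> Risk:
    # Encryption with an uncompromised key only neutralises a confidentiality breach;
    # it does nothing for data that was destroyed or made unavailable.
    if b.breach_types <= {"confidentiality"} and b.encrypted and not b.key_compromised:
        return Risk.UNLIKELY
    if "availability" in b.breach_types and not b.backup_available:
        return Risk.HIGH if b.data_categories & SENSITIVE else Risk.RISK
    if b.data_categories & SENSITIVE or b.record_count >= BULK_THRESHOLD:
        return Risk.HIGH
    return Risk.RISK


def plan_notifications(b: Breach, report: dict) -> Plan:
    risk = assess_risk(b)
    processor = b.role == "processor"
    # A processor reports to its controller; the controller decides on the authority.
    notify_controller = processor
    notify_authority = not processor and risk is not Risk.UNLIKELY
    notify_subjects = not processor and risk is Risk.HIGH
    missing = [f for f in AUTHORITY_FIELDS if not report.get(f)]
    return Plan(
        risk=risk,
        notify_authority=notify_authority,
        notify_subjects=notify_subjects,
        notify_controller=notify_controller,
        authority_deadline=b.aware_at + timedelta(hours=72) if notify_authority else None,
        controller_deadline=b.aware_at + timedelta(hours=b.dpa_notice_hours) if notify_controller else None,
        missing_fields=missing,   # non-empty: file a phased report now, complete it later (Art. 33(4))
    )


def hours_left(deadline: Optional[datetime], now: datetime) -> Optional[float]:
    return None if deadline is None else (deadline - now).total_seconds() / 3600


AWARE_AT = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed scenario time


def demo() -> dict:
    # Constructed scenarios covering the outcomes discussed in the text.
    partial_report = {"nature": "credential stuffing against customer logins", "measures": "sessions revoked"}
    return {
        "high": plan_notifications(Breach(AWARE_AT, {"email", "password"}, 500, {"confidentiality"}), partial_report),
        "encrypted": plan_notifications(Breach(AWARE_AT, {"email"}, 500, {"confidentiality"}, encrypted=True), {}),
        "lost_backup": plan_notifications(
            Breach(AWARE_AT, {"email"}, 50, {"availability"}, encrypted=True, backup_available=False), {}),
        "processor": plan_notifications(Breach(AWARE_AT, {"email"}, 10, {"confidentiality"}, role="processor"), {}),
    }


if __name__ == "__main__":
    for name, plan in demo().items():
        print(name, plan.risk.name, "authority:", plan.notify_authority, "subjects:", plan.notify_subjects,
              "controller:", plan.notify_controller, "missing:", plan.missing_fields)
```

The point of `missing_fields` is that an incomplete report is not a reason to wait: the routine tells you to file what you have and lists exactly what the follow-up must add. The scoring rules are deliberately conservative (when in doubt they escalate), which matches the page's advice that over-notifying is cheaper than under-notifying.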

Notify Data Controllers

If your SaaS company processes data on behalf of customers, notifying data controllers is just as urgent as informing regulators. As soon as you’re aware of a breach, provide your data controllers with:

  • A timeline of the breach.
  • Details on the affected data, including categories and the number of records and individuals impacted.
  • Information on containment measures you’ve implemented.
  • Your assessment of potential risks.

This information helps your customers meet their own compliance deadlines. Even if the breach doesn’t meet regulatory thresholds, transparency is essential. It not only builds trust but also ensures both parties are prepared for any regulatory scrutiny.

How to Notify Data Subjects

When a breach presents a high risk to individuals' rights and freedoms, it’s crucial to notify them without delay. Below, you’ll find guidance on what information to share with data subjects and when a broader public announcement might be necessary.

What to Tell Data Subjects About the Breach

When notifying individuals, make sure to include these four essential details:

  • Nature of the breach: Explain what happened in clear, straightforward language.
  • Contact details: Share the name and contact information of your Data Protection Officer (DPO) or relevant point of contact.
  • Likely consequences: Outline the potential impact of the breach on affected individuals.
  • Measures taken: Highlight the steps you've already implemented to address the issue and prevent it from happening again.

Additionally, provide practical advice to help individuals minimize potential harm. For instance, if passwords were exposed, require password resets and advise users to update any accounts where they’ve reused credentials. If financial data has been compromised, recommend monitoring bank accounts for unusual activity and being cautious of phishing attempts.

As the Information Commissioner’s Office (ICO) emphasizes:

"One of the main reasons for informing individuals is to help them take steps to protect themselves from the effect of a breach." (ICO)

Prompt and transparent communication is not just a regulatory requirement under GDPR - it’s a way to build trust by empowering individuals to protect themselves.

When to Make a Public Announcement

Article 34(3)(c) allows a public communication or similar measure where notifying each affected person individually would involve disproportionate effort - for example, when thousands of individuals are affected and reliable contact details aren’t available - provided it informs them in an equally effective manner. Options include:

  • A press release
  • A prominent notice on your website
  • Media announcements to reach a wider audience

Whatever method you choose, it must effectively alert those impacted by the breach. Additionally, ensure you document the decision to use public notification and the reasoning behind it. This documentation can prove invaluable if questions arise about your response.

Post-Breach Actions and Documentation

Once notifications are complete, it’s time to focus on strengthening security and preparing for potential future incidents. Under GDPR, you’re required to keep thorough records of all personal data breaches, and each incident should serve as an opportunity to improve your security practices.

Improve Security Measures

After evaluating the impact of the breach, take steps to prevent a recurrence. Start with a root cause analysis that identifies the entry point, whether an unpatched vulnerability, an injection flaw, stolen credentials, or phishing. Industry breach reports attribute roughly 30% of breaches to unpatched vulnerabilities, 28% to stolen credentials, and 18% to phishing; knowing the exact entry point lets you apply targeted fixes rather than generic ones.

Harden your technical defenses: encrypt data at rest with AES-256 and in transit with TLS 1.3, require multi-factor authentication (MFA) on every system that touches customer data, and enforce the Principle of Least Privilege (POLP) so employees and service accounts can reach only the data they actually need. For multi-tenant SaaS systems, enforce tenant isolation at the database, application, and network levels so that one compromised account or bug cannot expose other customers' data. Breach-cost surveys report that organizations with tested incident response plans save an average of $2.66 million per breach compared to those without.

Keep Complete Breach Records

Building on your initial breach investigation, maintaining detailed records is essential for demonstrating accountability. Create a comprehensive register documenting every breach, including the facts, its effects, and the actions taken to address it. If you submit phased reports, clearly explain any initial omissions and log all subsequent updates.

"If you can't demonstrate a thorough, documented risk assessment process, regulators will assume you didn't perform one".

These records are crucial during regulatory audits and serve as evidence of your compliance efforts.

Review and Update Incident Response Plans

Within two weeks of the incident, conduct a blameless postmortem. The goal is to identify weaknesses in your response process, such as delays in detection, unclear escalation procedures, or gaps in communication protocols.

"Post-incident review is where the most valuable learning happens - do not skip it under pressure to 'move on'".

Use these findings to update your incident response plan with clear, actionable steps and deadlines, then test the revised plan through tabletop exercises or simulations to confirm it works under pressure. The average time to identify and contain a data breach was 258 days in IBM's 2024 Cost of a Data Breach report; organizations with tested plans reduced this by about 74 days. Regularly refine your response measures to keep your breach-handling process sharp.

Managing Subprocessors and Vendors

As mentioned earlier, quick breach notifications are essential, but so is managing risks associated with third-party providers. SaaS companies often depend on external services - whether for cloud hosting, payments, analytics, or customer support - that handle sensitive customer data. Under GDPR, you're still fully accountable for data protection failures caused by your subprocessors, even if the issue originates with them. To minimize these risks, it's critical to establish thorough compliance checks for every subprocessor you work with.

Verify Subprocessor Compliance

Every subprocessor you engage must sign a Data Processing Agreement (DPA) that mirrors the data protection obligations you have with your own customers. This isn’t just good practice - it’s a legal requirement under Article 28 of the GDPR. Your DPA should also include a clause requiring subprocessors to notify you within 24–48 hours of any data breach, ensuring you can meet your 72-hour reporting deadline.

"As a processor, your primary obligation is to notify the data controller without undue delay. The controller then decides whether to notify the supervisory authority." - Custodia Blog

Additionally, request certifications like SOC 2 or ISO 27001 from your subprocessors and conduct quarterly compliance reviews to stay on top of their practices. Automated tools can also help identify unverified third-party trackers or processors that might otherwise slip through the cracks.

Many SaaS companies use a general authorization model to manage subprocessors. This involves maintaining a public list of subprocessors and informing customers about changes in advance. This approach gives customers the opportunity to voice concerns before new subprocessors are added. Your DPA should also include audit rights, allowing you to inspect subprocessors for compliance with security and notification requirements.

Reduce Risks in Multi-Tenant Systems

Beyond compliance, securing multi-tenant systems is essential to keep a breach in one tenant from spreading to others. Shared infrastructure means a single bug or compromised account can potentially expose every customer's data. To mitigate this, bind every data access to the authenticated tenant, implement role-based access controls (RBAC), and maintain detailed audit logs that record who accessed which tenant's data and when. Encryption is another must - AES-256 at rest and TLS 1.3 in transit - but it does not stop an unscoped query from returning another tenant's rows; isolation has to be enforced in the application and database layers as well.

Pseudonymization is another effective strategy, separating identifying data from functional data to limit the damage in case of a breach. Additionally, many EU enterprises now require data to be stored and processed exclusively within the EEA or UK to simplify the vendor chain and reduce cross-border transfer risks. If you rely on US-based subprocessors, you may need to conduct a Transfer Impact Assessment (TIA) to ensure local laws don’t compromise GDPR protections, even when using Standard Contractual Clauses.
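The tenant-isolation point above is easiest to see in the data access layer: the usual cross-tenant exposure is a lookup by record id that never checks which tenant the caller belongs to. The Python below, an added example for this post and not Reform's code, shows that vulnerable pattern beside a hardened session that binds every query to the authenticated tenant and refuses SQL without a tenant predicate; the schema, tenant names and documents are constructed, and the database is an in-memory SQLite instance.

```python
"""Cross-tenant data exposure: vulnerable lookup vs. tenant-bound session.

Added example for this post, not Reform's code. Schema, tenant names and
documents are constructed; uses an in-memory SQLite database.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)")
    db.executemany(
        "INSERT INTO documents (id, tenant_id, title) VALUES (?, ?, ?)",
        [(1, "acme", "Acme payroll"), (2, "acme", "Acme roadmap"), (3, "globex", "Globex customer list")],
    )
    return db


# VULNERABLE: the row is selected by id alone. The caller's tenant is never
# consulted, so an Acme user who guesses id=3 reads Globex's data (classic IDOR).
def get_document_vulnerable(db: sqlite3.Connection, doc_id: int):
    return db.execute("SELECT tenant_id, title FROM documents WHERE id = ?", (doc_id,)).fetchone()


class UnscopedQueryError(RuntimeError):
    """Raised when application code tries to run SQL that is not scoped to a tenant."""


_TENANT_PREDICATE = re.compile(r"\btenant_id\s*=\s*\?", re.IGNORECASE)


def is_tenant_scoped(sql: str) -> bool:
    """True if the statement carries a `tenant_id = ?` predicate."""
    return bool(_TENANT_PREDICATE.search(sql))


class TenantSession:
    """All data access goes through here. tenant_id comes from the authenticated
    session, never from the request, and every statement must carry a tenant
    predicate. Convention: the tenant placeholder is the LAST `?` in the SQL."""

    def __init__(self, db: sqlite3.Connection, tenant_id: str) -> None:
        self.db = db
        self.tenant_id = tenant_id

    def query(self, sql: str, params: tuple = ()):
        # Defence in depth: refuse any statement without `tenant_id = ?`, then
        # append the session tenant so the caller cannot substitute another one.
        if not is_tenant_scoped(sql):
            raise UnscopedQueryError(f"query is not tenant-scoped: {sql}")
        return self.db.execute(sql, params + (self.tenant_id,)).fetchall()

    def get_document(self, doc_id: int):
        rows = self.query("SELECT tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?", (doc_id,))
        return rows[0] if rows else None   # another tenant's id looks like a missing row

    def list_documents(self):
        return self.query("SELECT id, title FROM documents WHERE tenant_id = ? ORDER BY id")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, acme user asks for id 3:", get_document_vulnerable(db, 3))
    acme = TenantSession(db, "acme")
    print("hardened, same request:", acme.get_document(3))
    print("acme's own documents:", acme.list_documents())
```

The regex guard is a cheap application-level check, not a substitute for database-level controls such as row-level security policies keyed on the session's tenant; use both, so that a developer who bypasses the session helper is still stopped at the database.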

Conclusion

Key Points for SaaS Companies

When it comes to GDPR breach notifications, the clock starts the moment you become aware of a breach, not when your investigation concludes - giving you 72 hours to notify the supervisory authority. This tight timeline makes preparation far more important than scrambling to react after the fact.

A solid breach response plan should include the basics: quick detection and containment, a thorough assessment of the breach's scope and impact, predefined workflows for notifying both supervisory authorities and data controllers, and meticulous documentation of every incident - even those that don’t require formal reporting. GDPR mandates that you keep detailed records of all breaches to demonstrate accountability.

Don’t overlook your dual responsibilities as a data controller and processor. Clear Data Processing Agreements with customers and transparent reporting on subprocessors are non-negotiable. Similarly, technical safeguards - such as encryption (both at rest and in transit), strict access controls, and a well-documented incident response plan - are essential for maintaining compliance and protecting customer data.

By establishing these practices, you’ll ensure a smoother, more effective response when a breach occurs.

How Tools Can Help with Compliance

Modern compliance tools can make all the difference when time is of the essence. Automated compliance platforms can simplify your breach response by generating detailed incident documentation that meets GDPR requirements within the 72-hour deadline. Pre-configured notification templates ensure you cover all necessary elements outlined in Articles 33 and 34.

Solutions like Reform can further enhance your process by enabling employees to report potential breaches through custom intake forms. Automated workflows and live data mapping ensure that as soon as a breach is detected, it’s immediately flagged for your response team. When every minute matters, having the right tools in place eliminates delays and helps you act swiftly to locate and address affected data.

FAQs

When does the GDPR 72-hour clock start?

The clock starts when you become "aware" of the breach, which the EDPB (following the Article 29 Working Party's guidelines) describes as having a reasonable degree of certainty that a security incident has occurred and has compromised personal data. You do not need to have finished investigating or assessed the full impact: a short initial investigation to establish that a breach actually happened is allowed, but once you are reasonably certain, the 72 hours are running and the risk assessment takes place inside them.

Do we still have to notify if the breached data was encrypted?

Yes, unless you can show the breach is unlikely to result in a risk to individuals. Encryption with an uncompromised key can bring a confidentiality breach below that threshold, but it is your documented assessment in the breach register that justifies not notifying, not the encryption by itself. Encryption also does nothing for an availability breach where the data is lost and no backup exists.

How do SaaS companies handle breach notices when they’re both controller and processor?

A SaaS company in both roles needs procedures to establish quickly which role applies to the affected data. For data it controls (its own users, billing, employees), it must notify the supervisory authority within 72 hours of becoming aware and, for high-risk breaches, the individuals. For data it processes on behalf of customers, its obligation is to notify those controllers without undue delay (typically within the window set in the DPA) and to support their assessment; the controllers then decide on and make the supervisory authority notification. One incident can trigger both tracks at once, so the response plan should run them in parallel.
