The First 72 Hours After a Breach
Hosted by Catarina Santos and Caine Glancy
In this episode of the Data Protection Made Easy podcast, Caine Glancy and Catarina Pereira dos Santos discuss what organisations should do in the first 72 hours following a personal data breach. From containment and risk assessment to ICO reporting, data subject notifications and lessons learned, the session provides practical guidance for managing breaches effectively and reducing future risk.
The First 72 Hours After a Breach: What Organisations Should Do Next
When a personal data breach occurs, the first few hours are often the most important.
The decisions made immediately after an incident can significantly influence the outcome, affecting regulatory obligations, reputational damage, customer trust and the overall response effort.
In a recent episode of the Data Protection Made Easy podcast, Caine Glancy and Catarina Pereira dos Santos discussed the practical actions organisations should take during the first 72 hours following a personal data breach.
The discussion explored breach containment, risk assessments, notifications, lessons learned and the common mistakes organisations make when responding to incidents.
Whilst every breach is different, the session reinforced a simple message. Organisations that respond quickly, assess risk properly and learn from incidents are often far better positioned to reduce harm and prevent future issues.
Containment should always come first
One of the most important points raised during the discussion was the need to contain an incident as quickly as possible.
Before organisations start thinking about reporting obligations, notifications or regulatory engagement, they need to understand what has happened and stop any ongoing unauthorised access, disclosure or loss of personal data.
As Catarina explained: “We need to contain it immediately.”
Containment actions will vary depending on the nature of the breach. This may involve recalling emails, disabling accounts, restricting access to systems, recovering documents or preventing further disclosure. Two practical caveats apply: an email recall only works within the same mail system and does not guarantee the message was not read, so a misdirected email sent externally usually also needs a direct request to the recipient to delete it and confirm they have done so; and containment steps such as disabling accounts or rebuilding systems should not destroy the logs, mailbox records or access history needed to establish what happened.
The key objective is to stop the incident from escalating whilst preserving and gathering enough information to understand what has happened.
Understanding the facts before assessing risk
Once the immediate situation has been contained, organisations need to establish the facts.
The discussion highlighted how many organisations rush straight to questions about whether a breach should be reported to the ICO without first understanding what has actually happened.
Before any meaningful risk assessment can take place, organisations need to identify what information was involved, who was affected, how the breach occurred, whether the information has been accessed and what mitigating actions have already been taken. They should also record when the organisation became aware of the breach, since the reporting window is measured from that point.
This information forms the foundation of any subsequent decision-making process.
Without context, it is almost impossible to determine whether a breach presents a risk to individuals or whether reporting obligations apply.
Not every breach is reportable
The session also addressed a common misconception. Not every personal data breach needs to be reported to the ICO.
Many organisations automatically assume that any breach involving personal data must be reported, whilst others incorrectly assume that low-risk incidents are not breaches at all.
In reality, every incident should be assessed on its own merits, and the assessment and its outcome should be recorded in the breach register even where the conclusion is that the ICO does not need to be notified. Under UK GDPR the facts of a breach, its effects and the remedial action taken must be documented whether or not it is reported.
A misdirected email, accidental disclosure or inappropriate access may still constitute a personal data breach even if the risk to individuals is ultimately low.
The discussion reinforced the importance of assessing the specific circumstances rather than relying on assumptions.
As Caine explained, context is critical when evaluating risk and determining the appropriate response.
Why context matters when assessing risk
A recurring theme throughout the discussion was the importance of context.
Organisations often want a straightforward answer to whether a breach is reportable or whether affected individuals should be notified. However, data protection rarely works in absolutes.
Caine highlighted how difficult it can be to assess risk without understanding the full circumstances surrounding an incident.
A simple statement such as “an email was sent to the wrong person” does not provide enough information to determine the level of risk involved. Organisations need to understand the contents of the email, the sensitivity of the information, who received it and whether any mitigating actions have already been taken.
As Caine explained: “The key is always in the likely.”
Risk assessments should focus on what is realistically likely to happen as a result of the breach, rather than becoming overly focused on highly unlikely scenarios.
This is why context remains one of the most important elements of effective breach management.
When should organisations notify the ICO?
One of the most common questions raised following a breach is whether the incident needs to be reported to the Information Commissioner’s Office.
The discussion highlighted that organisations should avoid treating ICO reporting as an automatic response.
Instead, reporting decisions should be based on the outcome of a documented risk assessment and the likelihood of risk to individuals.
Where a breach is likely to result in a risk to the rights and freedoms of individuals, organisations are generally required to notify the ICO within 72 hours of becoming aware of the incident. That is 72 calendar hours, not working hours, so weekends and bank holidays count. Where the full picture is not yet available, the notification can be made with the information known at the time and supplemented in phases, and if the 72-hour deadline is missed the notification must explain the reasons for the delay.
However, the hosts also acknowledged that many organisations struggle with this decision-making process, particularly when dealing with complex incidents or limited information.
For smaller organisations without dedicated privacy teams, understanding reporting thresholds can be one of the most challenging aspects of breach management.
Should affected individuals always be informed?
The session also explored another area that frequently causes uncertainty: notifying affected individuals.
Many organisations assume that if a breach has occurred, the individuals involved must automatically be informed. However, this is not always the case.
Whilst transparency remains a fundamental principle of data protection, notifications should have a clear purpose.
As Catarina explained, the purpose of notifying individuals is not simply to tell them that a breach has happened. It is to allow them to take action where there is an active risk to them.
If a breach creates a high risk to an individual’s rights and freedoms, notifying them may allow them to protect themselves from fraud, identity theft, financial loss or other harms.
Where the assessment concludes that the breach is unlikely to result in a high risk, or where measures taken since the breach mean the high risk is no longer likely to materialise, organisations may decide that notification is unnecessary.
The discussion highlighted the importance of carefully balancing transparency, risk and potential distress when making these decisions.
The risks of over-notification
Whilst organisations are often concerned about under-reporting breaches, the discussion highlighted that over-notification can also create problems.
Informing individuals about every low-risk incident may cause unnecessary concern, particularly where no meaningful action is required on their part.
Some individuals may understandably assume the worst when they hear the phrase “data breach”, regardless of the actual level of risk involved.
In certain circumstances, notifying individuals about low-risk incidents may create confusion, anxiety and additional complaints without providing any practical benefit.
This is why notification decisions should always be proportionate and based on a thorough assessment of the circumstances.
As the discussion demonstrated, there is rarely a one-size-fits-all approach.
Caine reinforced this point by explaining: “Nothing in data protection is a one size fits all kind of thing.”
Every breach is an opportunity to learn
One of the strongest messages from the session was that organisations should view breaches as learning opportunities.
Even low-risk incidents can reveal weaknesses in processes, training, systems or controls.
Rather than simply recording an incident and moving on, organisations should take the time to identify trends and recurring issues.
As Caine explained: “The main thing really is treating it as lessons learned always.”
If multiple incidents occur for similar reasons, such as misdirected emails, access errors or process failures, this may indicate a wider issue that requires attention.
Reviewing breach data collectively often provides valuable insight into where improvements can be made.
The discussion highlighted how organisations can use incidents to strengthen controls, improve staff awareness and reduce the likelihood of future breaches.
Getting value from incidents
Closely linked to the lessons learned approach was the idea of extracting value from incidents wherever possible.
Breaches are rarely desirable, but they can provide useful information about organisational weaknesses and areas for improvement.
As Caine commented: “You’ve got to try and claim some benefit back from it where you can.”
This might involve updating procedures, improving training, introducing additional technical controls or reviewing existing risk assessments.
By treating breaches as opportunities for continuous improvement, organisations can often strengthen their overall data protection framework.
What organisations should do after a breach
Once the immediate response has been completed, the discussion highlighted the importance of reviewing the incident in full.
This should include documenting what happened, assessing the effectiveness of the response, identifying any improvements and updating relevant policies or procedures where necessary.
Organisations should also consider whether additional staff training, awareness campaigns or technical measures may help prevent similar incidents in the future.
The first 72 hours are important, but the actions taken afterwards are often what determine whether an organisation genuinely learns from an incident.
A practical approach to breach management
The session reinforced a practical and proportionate approach to managing personal data breaches.
Contain the incident, establish the facts, assess the risk, determine whether reporting obligations apply and identify opportunities for improvement.
Whilst every breach is different, organisations that follow these principles are often better positioned to respond effectively, reduce harm and strengthen compliance over time.
Most importantly, the discussion highlighted that effective breach management is not just about regulatory compliance. It is about protecting individuals, maintaining trust and continuously improving organisational practices.
Need support managing personal data breaches?
Managing a personal data breach can be challenging, particularly when organisations are under pressure to assess risk, make reporting decisions and communicate effectively with regulators and affected individuals.
Our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations build effective breach management processes, improve governance and strengthen compliance.
Whether you’re responding to an incident, reviewing your breach procedures or looking to improve organisational awareness, our team can help you manage data protection with confidence.
Frequently Asked Questions About Personal Data Breaches
What should organisations do immediately after discovering a data breach?
The first priority should be containing the incident to prevent any further unauthorised access, disclosure, loss or destruction of personal data, without destroying the logs and records needed to work out what happened. Once contained, organisations should establish the facts, note when they became aware of the breach, and begin assessing risk.
Does every personal data breach need to be reported to the ICO?
No. Organisations should assess whether the breach is likely to result in a risk to the rights and freedoms of individuals. Not all breaches meet the threshold for ICO notification.
How quickly must a breach be reported to the ICO?
Where a breach is reportable, organisations are generally required to notify the ICO within 72 hours of becoming aware of the incident. This is 72 calendar hours rather than working hours; if the deadline cannot be met, the notification must give the reasons for the delay, and information that is not yet available can be provided in phases.
Do organisations always need to notify affected individuals?
No. Individuals generally need to be informed where the breach is likely to result in a high risk to their rights and freedoms. Notification decisions should be based on a documented risk assessment.
Why is a risk assessment important following a breach?
A risk assessment helps organisations understand the potential impact on affected individuals and determine whether reporting or notification obligations apply.
What can organisations learn from data breaches?
Even low-risk incidents can reveal weaknesses in processes, systems, training or controls. Reviewing breaches helps organisations identify trends, strengthen governance and reduce future risk.