Data Breach: What to Do in the First 72 Hours (Action Plan + Checklist)
9 min read · AstraLoop Studio
A data breach doesn't send you a warning. You find out on a Monday morning because a customer emails you saying they got a strange message from your company, or because your management software won't open and a ransom demand pops up on screen instead. From that moment, if personal data is involved, a clock starts ticking: you have 72 hours to notify the breach to the Data Protection Authority (Garante per la protezione dei dati personali), as required by Article 33 of the GDPR (EU Regulation 2016/679).
The problem is that in the first hours the temptation is to act at random. Shut everything down, call ten different people, delete whatever looks compromised. These are exactly the moves that make things worse, destroy evidence, and put you at odds with the authority. This guide gives you the operational sequence, action by action, for the first 72 hours. If you first want to understand what legally counts as a breach, read what a data breach is under the GDPR. Here, we go straight to the facts.

The 72 hours don't start when you think they do
The first rule, the one almost everyone gets wrong: the 72 hours run from when you become aware of the breach, not from when it happened, and not from when you've finished understanding it. If your IT team notices unusual traffic at 9am on Tuesday, the countdown starts right there. Don't wait until you have the full picture before starting the clock: for the Authority, what matters is the moment someone inside the organization had reasonable certainty that there was a problem.
Second thing to get straight right away: not every breach needs to be notified. Notification is only required if the breach poses a risk to the rights and freedoms of the people involved. A file encrypted with a strong key that ends up in the wrong hands but stays unreadable often doesn't trigger the obligation. A customer database with names, emails, phone numbers, and maybe payment data leaked in plain text, does. Risk assessment is the heart of the decision, and it must be documented even when you decide NOT to notify.
Hour 0-1: contain without destroying evidence
The first instinct is to unplug everything. Isolating is right; destroying is wrong. The difference is huge.
- Isolate, don't shut down abruptly. Disconnect the compromised machine from the network (unplug the cable, turn off Wi-Fi), but think carefully before powering it off completely: RAM can hold evidence useful for forensic analysis. If it's active ransomware still encrypting, immediate isolation takes priority. If it's an unauthorized access that has already ended, it's better to preserve the state.
- Don't format, don't restore backups over the evidence. Restoring immediately from backup feels like the heroic move, but it wipes out the traces of how they got in and when. Document first, restore after, ideally onto different hardware.
- Change critical credentials. Admin account passwords, management software logins, company email, hosting panels. If you haven't enabled MFA, this is the worst possible moment to realize it: turn it on anyway on everything that's still clean.
- Freeze what you can. Take screenshots, save the logs, note down the times. Every piece of data you gather now will be useful for the notification and for any insurance claim.
If the breach started from a compromised website, the logic is the same but the steps are specific. We have a dedicated guide on what to do when your WordPress site gets hacked, useful if the attack came in through there.
Hour 1-4: who to involve and who's in charge
In the chaos of the first hours you need a clear chain of command, otherwise four people end up doing four things that cancel each other out. Decide right away who calls the shots.
| Role | What they do in the first hours |
|---|---|
| Owner / CEO | Decides and coordinates. Under NIS2, responsibility can no longer be delegated to IT: the ball is in your court. |
| IT manager or provider | Isolates the systems, collects the logs, starts technical containment. |
| DPO (if appointed) or privacy consultant | Assesses whether the notification obligation applies and prepares the content for the Authority. |
| Legal | Assesses liability, relationships with third parties involved, any potential criminal complaint. |
| Communications | Prepares the messages for customers and press. Don't improvise statements. |
If you rely on external providers (hosting, management software, agency), call them now. A fact that often gets overlooked: roughly 30% of breaches involve a third party, and under NIS2 vetting your suppliers becomes an obligation, not a courtesy. If the breach originates from one of your providers, responsibility toward your customers still rests with you.

Hour 4-24: risk assessment (the document that saves you)
This is the phase that separates those who manage a breach from those who suffer through it. You need to answer specific questions in writing, because they're the same ones the Authority will ask you.
- What kind of breach is it? Confidentiality (data seen or stolen), integrity (data altered), availability (data made inaccessible, typical of ransomware). Often more than one applies at once.
- What categories of data are involved? Names and emails are one thing; health data, judicial records, banking credentials, or passwords are a whole different level of risk.
- How many people are affected? Even an approximate figure should be given. "About 4,000 customers" beats "we don't know."
- What are the likely consequences? Identity theft, fraud, reputational damage, targeted phishing against your customers using the stolen data.
- What measures have you already taken, and what do you plan to take? Containment, restoration, communication to those affected.
The outcome of this analysis leads to three scenarios: no notification obligation (unlikely risk, but document it anyway), notification to the Authority only (risk present), or notification to the Authority plus direct communication to the affected individuals (high risk to their rights, as required by Art. 34 GDPR). When the exposed data includes passwords or financial information, you almost always land in the third scenario.
How to notify the Data Protection Authority within 72 hours
The notification isn't done by email or with a generic certified mail (PEC). The Italian Data Protection Authority (Garante Privacy) has a dedicated online procedure, accessible from its official website garanteprivacy.it, with a structured form to fill out and sign digitally. Here's what you need to have ready.
Mandatory contents of the notification
- Description of the nature of the breach (what happened, how, when).
- Categories and approximate number of data subjects involved.
- Categories and approximate number of personal data records involved.
- Name and contact details of the DPO or a contact point for further information.
- Description of the likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its possible adverse effects.
What if you can't gather everything within 72 hours?
The GDPR expressly allows for it: you can submit a notification in phases. Notify within 72 hours with the information available, stating that it is preliminary, and fill in the missing details as they come in. A partial notification on time beats a complete one that's late. If you go past 72 hours, the notification must still be made, along with the reasons for the delay. Unjustified delay is one of the factors the Authority weighs most heavily against you.
What you keep for yourself
Regardless of the notification, you must keep an internal breach register (Art. 33.5 GDPR) recording every breach, including those not notified, along with its risk assessment. It's the first document you'll be asked for in an inspection. Not having one, or having an empty one when it's clear something happened, is a serious problem in its own right.
Want to face a data breach with a plan already in place instead of improvising under pressure? Ask us for an assessment of your security and your incident response plan.
Communicating with those affected: when and how
If the breach carries a high risk, notifying the Authority isn't enough: you must also inform the people involved, without undue delay. The communication must use clear and plain language, explain what happened, which data is involved, the likely consequences, and what they can do to protect themselves (change passwords, monitor their accounts, be wary of suspicious emails exploiting their data).
It's not just an obligation. Handled well, this communication limits reputational damage. A company that notifies quickly and transparently is perceived very differently from one that hides it and then gets caught out. And stolen data is often used for targeted phishing campaigns against your own customers: warning them is also a concrete way to protect them.
72-hour operational checklist
| Phase | Action |
|---|---|
| Hour 0-1 | Isolate compromised systems without destroying evidence. Change critical credentials. Save logs and screenshots. |
| Hour 1-4 | Activate the chain of command. Contact IT, DPO, legal, and any providers involved. |
| Hour 4-24 | Conduct and write down the risk assessment. Decide the notification scenario. |
| Hour 24-48 | Prepare the notification on the Authority's portal with all mandatory content. Draft the communication to those affected. |
| Within 72 hours | Send the notification (even a preliminary one, if needed). Update the internal breach register. |
| After | Notify those affected if the risk is high. Close the gaps. Run a post-incident audit. |
The mistakes that turn an incident into a disaster
- Paying the ransom without thinking it through. It doesn't guarantee the data will be returned and it doesn't stop the notification obligation. In modern ransomware, data is often exfiltrated before encryption (double extortion): the breach has already happened regardless.
- Waiting to "have full clarity" before notifying. The 72 hours don't wait. That's exactly why phased notification exists.
- Not documenting the decision not to notify. Even "we assessed it and the risk was unlikely" needs to be written down and kept.
- Restoring backups over the evidence. You wipe the crime scene and jeopardize the forensic analysis and any insurance payout.
- Improvising communication to customers. A botched statement causes more damage than the breach itself.
The real cost, and why prevention pays off
For an Italian SME, the average cost of a serious incident ranges from €35,000 to €250,000, factoring in downtime, restoration, legal and forensic consulting, fines, and eroded trust. The 2026 Clusit Report confirms the picture: Italy accounts for roughly 10% of incidents worldwide, serious attacks are on the rise, and SMEs are the target in 72% of cases. If you want hard numbers on the table, we've broken down the real cost of a data breach for SMEs and the ROI of prevention.
The uncomfortable truth is that managing the 72 hours needs to be prepared beforehand, not improvised in the moment. Companies with an incident response plan, defined roles, configured logs, and tested backups close out a breach in days. Those without one drag it out for weeks, paying dearly for it. A full cybersecurity audit exists precisely for this: finding the gaps before someone exploits them and building the response plan while you're still thinking clearly. With NIS2 in force from 2026 and the AI Act moving into its enforcement phase, this kind of preparation is no longer optional for many companies. Read about which NIS2 obligations apply to your company to see if you're affected.
If the broader topic interests you, our 2026 cybersecurity guide for SMEs lines up the threats, obligations, and spending priorities for the year.
Frequently asked questions
When does the 72-hour clock for data breach notification start?
From the moment the organization becomes aware of the breach with reasonable certainty, not from when the attack happened or when the analysis is complete. If your team spots the anomaly on Tuesday morning, the countdown starts right there.
Do I have to notify the Authority of every data breach?
No. Notification is only required when the breach poses a risk to people's rights and freedoms. If the risk is unlikely (for example, encrypted and unreadable data), you can choose not to notify, but you still have to document the assessment in writing and record it in the internal register.
What happens if I go past 72 hours?
The notification still has to be made, stating the reasons for the delay. The GDPR also allows for notification in phases: you can send a preliminary one within 72 hours with the information available and fill in the details afterward. Unjustified delay, however, is one of the factors the Authority weighs most severely.
How do you actually notify the Data Protection Authority about a data breach?
Through the dedicated online procedure on the official website of the Garante Privacy (garanteprivacy.it), filling out the structured form and signing it digitally. A simple email or generic certified mail (PEC) isn't valid. You need the nature of the breach, the data and data subjects involved, the likely consequences, and the measures taken.
Do I also need to notify affected customers?
Only if the breach poses a high risk to their rights (Art. 34 GDPR). In that case you must inform them without undue delay, in clear language, explaining what happened and how to protect themselves. When data like passwords or banking information is exposed, this communication is almost always mandatory.
Does paying the ransom stop the notification obligation in a ransomware case?
No. Payment doesn't cancel the notification obligation or guarantee data recovery. In modern ransomware attacks, data is often exfiltrated before encryption (double extortion), so the confidentiality breach has already occurred and still needs to be handled.
Don't wait for the first incident to find out where you're exposed: talk to us and let's build your breach response plan together.