
Data breach procedure — 72-hour step plan + AP report form

What do you do in the first 72h after a breach? Step plan + AP report template + communication letters to affected persons.

Last reviewed: 25 May 2026
See our article on the 72-hour notification duty.

Step plan for the first 72 hours

Hour 0-2: incident assessment
  • What leaked, and what is the scope? Stop any further leakage.
  • Document the timestamp and preserve the evidence.
  • Engage the IT team and the DPO.

Hour 2-24: assessment
  • Categories of data subjects and of data; risk classification (low/medium/high).
  • Retention impact.
  • Which legal obligation applies?

Hour 24-72: formal notification to the AP (Art. 33), only if a risk to data subjects is likely.
  • No risk: no need to notify, but document the decision internally.
  • High risk: also inform the data subjects (Art. 34).

AP report form: submitted via autoriteitpersoonsgegevens.nl. Required fields: nature, scope and categories; DPO contact details; expected consequences; measures taken and proposed. Follow-up reports are possible when later information becomes available.

Communication letter to data subjects on high risk: what happened, which data are involved, the consequences, advice (change passwords, monitoring) and how to contact you.

Documentation duty (Art. 33(5)): every breach, reported or not, is logged in the breach register. The AP can request it during an audit.

Fine for failing to report: Art. 83(4), up to €10m or 2%.

Examples 2024-2025: Booking.com (€475k, late notification), Dutch tax authority (internal), TikTok (Irish DPC for NL).
