# Personal Data Breach Response — {{ ORG_NAME }}

**Effective date:** {{ EFFECTIVE_DATE }}
**Audience:** Engineers, ops, support, leadership.

A personal-data breach is any incident where personal data is lost,
disclosed, altered, or made unavailable in a way that puts data subjects
at risk. Examples: lost laptop with customer data, accidental email of a
spreadsheet to the wrong list, ransomware affecting a database, stolen
credentials, public S3 bucket, etc.

If you suspect a breach: **report first, investigate after.** Speed
matters more than certainty.

## Hour 0 — Containment

1. **Tell the on-call engineer + {{ CONTACT_EMAIL }}** by phone or chat.
   Do not wait for written confirmation.
2. **Stop the bleed.** Rotate credentials, revoke API keys, take the
   affected service offline if necessary, isolate compromised hosts.
3. **Preserve evidence.** Snapshot logs, take memory dumps if you can,
   note timestamps. Do not wipe machines.

## Hour 0–24 — Triage

The DPO contact (**{{ CONTACT_EMAIL }}**) coordinates a small response
team that answers:

- What happened? (event timeline)
- What categories of personal data are affected?
- How many people are affected?
- What is the realistic risk to those people? (identity theft, fraud,
  reputational harm, physical safety)
- What have we done to limit the harm?

## Hour 24–72 β€” Notification decisions

| Risk to data subjects | Notify supervisory authority? | Notify affected individuals? |
|---|---|---|
| None or negligible | Optional; document the decision | No |
| Some risk | **Yes — within 72h** | At authority's direction |
| High risk | **Yes — within 72h** | **Yes — without undue delay** |

Notification to the authority must include:

- nature of the breach, categories and approximate number of subjects
- likely consequences
- measures taken or proposed
- contact point: **{{ CONTACT_EMAIL }}**

If we cannot give all this information at once, we provide it in stages
(an initial notice within 72 hours, then a follow-up).

## Days 3–14 — Communication

If individuals are notified, the message is plain-language, free of
legal jargon, and includes:

- what happened (in one paragraph)
- what data was involved
- what they should do (e.g., reset password, watch for fraud)
- how to reach us — **{{ CONTACT_EMAIL }}**

## Post-incident — Lessons

Within 30 days of closure, the response team writes a short post-mortem
covering: timeline, root cause, the gap in controls that allowed it,
and three concrete actions to prevent recurrence. The post-mortem is
shared with leadership and filed by the DPO contact. Records of all
breaches (notified or not) are kept for **24 months**.