The 72-hour clock — without inventing the notification in real time.
A free in-browser triage for the first 72 hours of a personal-data breach under the GDPR. Answer nine questions. You get a clear verdict — notify or document — and your Article 33 deadline, counted from the time you became aware. You also get the required Article 33(3) contents, a do-not-touch list, and a starter notification draft you can hand to counsel.
The triage runs in your browser. Your answers never leave your device. That matters more when the question is "is this a breach we have to report?"
Three tiers — one for solo DPOs, one for cross-border SMBs, one for multi-DSA enterprises.
Each tier serves a different Data Protection Officer (DPO) situation. Buy the tier that matches the kind of breach you're handling — or the kind you might handle next.
- Nine-question breach triage with expert annotations
- 72-hour clock countdown reference
- Article 33 notification starter template
- Do-not-touch list for the first hour
- Single-jurisdiction Supervisory Authority directory entry
- Everything in Solo
- Cross-border breach decision tree (one-stop-shop applicability)
- Lead Supervisory Authority identification worksheet
- Article 34 (data-subject notification) drafting checklist
- Multi-language breach-notification snippets (English, German, French, Spanish, Italian, Dutch)
- Record-of-breach register template (Article 33(5))
- Post-breach review template
- Everything in SMB
- Multi-jurisdiction Data Supervisory Authority (DSA) filing matrix
- EDPB consistency-mechanism coordination playbook
- Sector overlays: HIPAA breach pairing, PCI DSS §12.10, and NIS2 reporting
- Board-briefing pack (one-page incident summary + decision-log template)
- Legal-counsel handoff package
- Cross-border subject-notification translation matrix
Two paths into the toolkit.
1. Take the free triage
Nine questions about the personal-data breach you're handling. The triage returns a notifiable-or-document verdict, the Article 33 72-hour deadline calculated from your awareness time, the required Article 33(3) contents tailored to your situation, and a starter notification draft you can hand to counsel. About five minutes. Runs in your browser — no email required, no data transmitted.
Start the free triage →
2. Download the free Breach Battle-Card
A one-page printable reference that summarises the first 72 hours of a personal-data breach: the awareness-time anchor, the Article 33 vs. Article 34 distinction, the do-not-touch list, and the four artefacts to capture before the clock starts. Keep one printed copy in the DPO's desk drawer.
Get the free Battle-Card →
Build the readiness side, too
GDPR Breach Response is the tactical product. Once the notification deadline has passed and the dust has settled, build readiness with the matching strategic product so the next breach is less chaotic.
GDPR Compliance Assessment
The calm-day counterpart. 30-question self-assessment + the full toolkit for the documentation a regulator expects to see before a breach happens.
First 4 Hours Incident Response
The general-security sibling. If the breach started as an infrastructure incident (ransomware, vendor compromise, lost laptop), First 4 Hours handles the technical side while Breach Response handles the regulatory side.