Personal Data Breach Incident Response Plan
Last reviewed: June 2026 · Owner: TravelCS Data Protection Officer
This document defines how TravelCS responds to a confirmed or suspected personal data breach under the EU General Data Protection Regulation (GDPR), specifically Articles 33 (notification to the supervisory authority) and 34 (communication to the data subject).
1. Definition
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed (Art. 4(12)). This includes both malicious incidents (intrusion, ransomware) and accidental incidents (misdirected emails, lost devices, misconfigured access).
2. Roles & responsibilities
- Incident Commander (IC) — owns the response, coordinates the team, declares phases. Default: on-call engineering lead.
- Tech Lead — leads containment, forensics, eradication, recovery.
- Data Protection Officer (DPO) / Privacy Lead — owns the GDPR risk assessment and Art. 33/34 decisions.
- Comms Lead — drafts and sends notifications, manages affected-operator and end-customer communication.
- Legal — reviews notifications, liaises with supervisory authority and external counsel as needed.
3. Response lifecycle
- Detect & triage (T+0) — log the incident in the admin register, assign IC, set severity, snapshot evidence (logs, screenshots, queries).
- Contain (T+0 to T+24h) — rotate credentials, revoke tokens, isolate affected systems, block traffic, disable accounts.
- Assess risk (T+0 to T+72h) — use the matrix in §4 to determine the likelihood and severity of the risk to data subjects' rights and freedoms.
- Notify supervisory authority (within 72h of becoming aware, Art. 33) — if the assessed risk is above low, send the Art. 33 notification (template in §5). Phased notification is allowed if the information is not yet complete.
- Notify data subjects (without undue delay, Art. 34) — if risk is high, send the Art. 34 notification in plain language.
- Eradicate & recover — remove root cause, restore systems, verify integrity.
- Close & learn — post-incident review within 14 days; corrective actions tracked in the admin register.
4. Risk assessment matrix
Determine the breach severity by combining the data categories involved with the likely consequences. Any cell marked "Notify DPA" triggers an Art. 33 notification; a cell marked "Notify DPA + subjects" additionally triggers Art. 34. Where several data categories are involved, apply the most severe cell.
| Data category | Low impact | Medium impact | High impact |
|---|---|---|---|
| Technical identifiers (IP, device IDs only) | Log only | Notify DPA | Notify DPA + subjects |
| Contact details (name, email, phone) | Notify DPA | Notify DPA | Notify DPA + subjects |
| Booking / itinerary data | Notify DPA | Notify DPA + subjects | Notify DPA + subjects |
| Account credentials | Notify DPA + subjects | Notify DPA + subjects | Notify DPA + subjects (urgent) |
| Financial data (partial PAN, IBAN) | Notify DPA + subjects | Notify DPA + subjects | Notify DPA + subjects (urgent) |
| Special-category data (Art. 9) or children's data | Notify DPA + subjects | Notify DPA + subjects (urgent) | Notify DPA + subjects (urgent) |
Impact factors: reversibility (can the disclosure be undone?), volume (how many subjects), identifiability (is the data linkable to a person?), and the realistic harm a malicious actor could inflict (fraud, identity theft, discrimination, physical safety).
5. Notification template — supervisory authority (Art. 33)
To: [Lead Supervisory Authority email]
From: TravelCS — Data Protection Officer ([dpo@example.com])
Subject: Personal data breach notification — [incident title]

1. Nature of the breach
[Concise description, including type — confidentiality / integrity / availability.]

2. Categories and approximate number of data subjects concerned
Categories of personal data: [contact details, booking data, ...]
Approximate number of subjects affected: [N or "under investigation"]

3. Name and contact details of the DPO
[name] — [email] — [phone]

4. Likely consequences of the breach
[Impact on rights and freedoms; e.g. risk of phishing, identity theft, ...]

5. Measures taken or proposed to address the breach and mitigate adverse effects
[Containment, eradication, recovery, additional safeguards, subject notifications planned.]

6. Timeline
Discovered at: [ISO timestamp]
Contained at: [ISO timestamp or "pending"]
72-hour deadline: [ISO timestamp]
6. Notification template — data subjects (Art. 34)
Subject: Important security notice — [incident title]

Dear customer,

We are writing to inform you that [Operator / TravelCS] experienced a personal data incident that may have affected information relating to you.

What happened
[Plain-language description of the incident.]

Information involved
The categories of personal data potentially involved are: [list].

Likely impact
[Plain-language explanation of risks to the recipient.]

What we are doing
[Containment and mitigations in plain language.]

What you can do
- Be alert for unexpected emails, calls, or messages referencing your booking.
- Reset any password you may have reused on other services.
- Contact our DPO at [dpo@example.com] with any questions.

We sincerely apologise for any inconvenience this may cause.

— [Operator / TravelCS]
7. Where to log a new incident
TravelCS administrators and operator owners log and track incidents in the admin Breach Register. Incidents recorded there automatically compute the 72-hour Art. 33 deadline and provide pre-filled DPA and subject notification drafts derived from the templates above.