GDPR Data Breach Assessment Form

When a data breach occurs, organisations operating under GDPR regulations face critical compliance obligations—including the requirement to notify the relevant supervisory authority within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. Getting this assessment wrong can lead to significant fines, reputational damage and legal consequences.

This GDPR Data Breach Assessment Form gives your team a clear, structured framework to capture the essential details of a suspected breach, evaluate its severity and determine whether regulatory notification is required under Article 33 of the GDPR. Rather than scrambling through email threads or relying on memory during a crisis, this form guides data protection officers, legal teams and incident response managers through the key questions that matter most.

Who needs this form?

This template is designed for:

  • Data Protection Officers (DPOs) managing breach response and compliance obligations
  • Legal and compliance teams in EU-based or EU-serving organisations
  • IT security and risk managers handling incident response
  • Privacy consultants supporting clients with GDPR compliance
  • HR and operations teams who need to escalate suspected breaches internally

Whether you're a SaaS company, healthcare provider, eCommerce business, professional services firm or public sector organisation, if you process personal data of EU residents, you need a reliable way to assess and document breaches quickly.

What this form covers

The form walks through the critical assessment criteria outlined in GDPR Article 33, including:

  • Breach discovery and reporting details: Who discovered the breach, when it was detected and who is responsible for the assessment
  • Nature of the breach: What type of incident occurred (unauthorised access, accidental disclosure, ransomware, loss of device, etc.)
  • Data involved: Categories of personal data affected, volume of data subjects impacted and whether special category data (health, biometric, racial or ethnic origin, etc.) was involved
  • Risk assessment: Likelihood and severity of harm to individuals, potential consequences and mitigating factors already in place
  • Notification decision: Clear determination of whether the breach meets the threshold for supervisory authority notification within 72 hours
  • Immediate actions taken: Containment measures, remediation steps and communication plans

The form includes conditional logic to tailor follow-up questions based on breach type and severity, ensuring you capture the right level of detail without overwhelming users during a high-pressure incident.

Why Paperform for breach assessments?

When a breach happens, speed and clarity are everything. Paperform's doc-style editor lets you build forms that feel intuitive and easy to navigate, even under stress. You can embed guidance text, tooltips and conditional logic to guide non-experts through complex compliance requirements without needing a law degree.

Once submitted, Paperform can trigger instant notifications to your DPO, legal team and senior management via email or Slack, ensuring the right people are looped in immediately. You can also connect the form to Stepper (stepper.io) to automate the next steps—creating incident tickets in your project management tool, logging details in a compliance register or triggering pre-approved communication templates.

All submissions are stored securely with SOC 2 Type II compliance, role-based access controls and data residency options, giving you the audit trail and security posture you need when regulators come calling.

Automate breach response workflows with Stepper

A breach assessment is just the first step. With Stepper, you can automate the entire incident response workflow:

  • Route high-risk breaches straight to senior leadership and legal counsel
  • Create a timestamped incident log in Airtable, Notion or your preferred system
  • Generate pre-drafted notification templates for supervisory authorities or affected individuals
  • Schedule follow-up tasks for investigation, remediation and reporting
  • Update your CRM or compliance platform with breach status in real time

This means your team can focus on containment and remediation, not copy-pasting data between tools or worrying about missed steps.

Built for compliance, designed for clarity

GDPR breach assessments are high-stakes, time-sensitive processes that require both legal precision and operational speed. This template is built to meet both needs: structured enough to satisfy regulatory requirements, flexible enough to adapt to your organisation's workflows and clear enough to use in the middle of a crisis.

Whether you're managing your first breach or refining an established process, Paperform gives you a no-code, brandable and automation-ready foundation to handle GDPR breach assessments with confidence. Trusted by over 500,000 teams worldwide, SOC 2 Type II and GDPR compliant, Paperform helps businesses meet their data protection obligations without adding complexity.

Start with this template, customise it to your organisation's policies and connect it to your existing tools with Paperform and Stepper—so when a breach happens, you're ready.


More templates like this

GDPR Data Breach Notification Form

A compliant template for notifying data subjects of personal data breaches under GDPR Article 34, documenting the incident, potential consequences, and remediation measures taken by your organization.

Australian Notifiable Data Breach Report Form

Report a data breach to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme. Capture breach details, affected individuals, risk assessment, and remediation steps in one comprehensive form.

Data Mapping Exercise Documentation Form

A comprehensive form for documenting personal data processing activities and data flows across systems to maintain Article 30 GDPR Records of Processing Activities (RoPA) compliance.

GDPR Binding Corporate Rules Application Form

A comprehensive form for multinational groups to apply for Binding Corporate Rules (BCR) approval, enabling compliant intra-group personal data transfers across borders under GDPR requirements.

GDPR Customer Anonymization Request Verification Form

A comprehensive GDPR-compliant form for verifying and processing customer data anonymization requests, ensuring technical feasibility and permanent de-identification under EU data protection regulations.

GDPR Data Protection Training Completion Form

Track employee completion of GDPR data protection training with module progress tracking and knowledge verification quiz to ensure staff understand their compliance obligations.

GDPR Right to Be Forgotten Request Form

A comprehensive GDPR Article 17 erasure request form enabling individuals to exercise their right to be forgotten, with reason selection, data category specification, and verification workflow.

Norwegian GDPR Consent Form (NO/EN)

Bilingual GDPR consent form for Norwegian organizations with detailed data processing disclosures, retention periods, and clear withdrawal instructions compliant with Norwegian data protection regulations.

Company Data Privacy and GDPR Compliance Training Survey

Measure the effectiveness of your data privacy and GDPR compliance training. Assess employee confidence in data handling, understanding of compliance requirements, and identify knowledge gaps to strengthen your organisation's data protection culture.

Data Controller Change Notification & Consent Form

Notify customers of business ownership transfer and obtain consent for data processing continuity under new data controller, with clear opt-out rights per GDPR requirements.

Data Retention Audit Trail Form

Log and track data deletion activities, responsible parties, and compliance with GDPR retention schedules. Maintain a comprehensive audit trail for regulatory oversight and internal accountability.

GDPR Cross-Border Data Flow Inventory Form

Comprehensive inventory form for documenting international data transfers, mapping legal bases, and recording safeguard mechanisms in compliance with GDPR Articles 44-50.