Notifiable Data Breach: a step-by-step walkthrough for the first 30 days
What to do hour-by-hour when you discover a suspected data breach. The 30-day assessment, the notification triggers, OAIC and affected individuals.
Hour 0: discovery
You discover (or are told about) a suspected breach. Maybe a phishing campaign succeeded. Maybe a backup was misconfigured. Maybe a forensic provider has flagged unusual activity.
Immediate actions (within the hour):
- Activate your incident response plan — designate an incident owner, a privacy officer point of contact, and a comms lead
- Preserve evidence — do not delete logs, do not reformat affected systems
- Open a contemporaneous incident register entry — time of awareness, who knew, initial known facts
- Notify your cyber insurer immediately — most policies require notification within 24 hours
Hour 0–24: containment
Contain the breach to prevent further damage:
- Suspend affected user accounts
- Isolate affected systems from the network
- Rotate credentials, API keys, certificates
- Engage forensic provider if scope is uncertain (your cyber insurer typically has a panel)
Document contemporaneously. Everything you do in the first 24 hours is potentially evidence and will be reviewed by the OAIC.
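A minimal, tamper-evident incident register that also tracks the deadlines the page sets out, as an added example and not part of the original walkthrough. It hash-chains each entry with SHA-256 so that later edits to the record are detectable, and derives the 30-day assessment deadline and the 24-hour insurer window from the time of awareness; the 24-hour figure is taken from the page's "most policies" statement and is an assumption, not a rule, and the timestamps and events in the sample register are constructed.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ASSESSMENT_WINDOW = timedelta(days=30)  # maximum NDB assessment period from awareness
INSURER_WINDOW = timedelta(hours=24)    # assumed typical policy deadline; check your own policy


@dataclass
class IncidentRegister:
    """Append-only register: each entry commits to the previous entry's hash."""
    incident_id: str
    aware_at: datetime               # time the entity became aware of the suspected breach
    entries: list[dict] = field(default_factory=list)

    def record(self, at: datetime, actor: str, event: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "actor": actor,
            "event": event,
            "prev": prev,
        }
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        body["hash"] = digest
        self.entries.append(body)
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or dropped entry breaks it."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def assessment_deadline(self) -> datetime:
        return self.aware_at + ASSESSMENT_WINDOW

    def insurer_deadline(self) -> datetime:
        return self.aware_at + INSURER_WINDOW

    def days_remaining(self, now: datetime) -> int:
        """Whole days left in the assessment window; negative means it has lapsed."""
        return (self.assessment_deadline() - now).days


def build_sample_register() -> IncidentRegister:
    """Constructed sample: the first hours of a suspected phishing-led breach."""
    aware = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)  # constructed timestamp
    reg = IncidentRegister("INC-0001", aware)
    reg.record(aware, "helpdesk", "Phishing report received; suspected credential compromise")
    reg.record(aware + timedelta(minutes=20), "incident owner",
               "IR plan activated; privacy officer and comms lead designated")
    reg.record(aware + timedelta(hours=2), "sysadmin",
               "Affected accounts suspended; mail server isolated; logs preserved")
    reg.record(aware + timedelta(hours=5), "incident owner", "Cyber insurer notified")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("chain intact:", reg.verify())
    print("insurer deadline:", reg.insurer_deadline().isoformat())
    print("assessment deadline:", reg.assessment_deadline().isoformat())
    for e in reg.entries:
        print(e["seq"], e["at"], e["actor"], "-", e["event"])
```

Keep the register outside the systems under investigation (a separate account or a printed copy of the hashes is enough) so that an attacker who still has access cannot quietly rewrite the record, and export the chain as-is to counsel and the forensic provider rather than a tidied summary.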
Day 1–7: assessment kickoff
You have up to 30 days from awareness to assess whether this is an "eligible data breach" — that is, an unauthorised access, disclosure or loss of personal information that is likely to result in serious harm.
The assessment framework asks:
- What information was involved? Personal information, sensitive information, health information?
- Who is potentially affected? Customers, employees, contractors? How many?
- What's the risk of serious harm? Identity theft, financial loss, physical safety, emotional or psychological harm?
If the breach is clearly an eligible data breach (e.g. exfiltration of customer PII at scale), don't run the assessment clock for show — move to notification.
Day 7–30: completing the assessment
Most assessments are completed in 1–2 weeks. Things you'll do:
- Forensic review — exactly what was accessed, exfiltrated, modified
- Risk modelling — likelihood of serious harm to affected individuals
- Pre-draft notification templates — OAIC NDB statement + affected-individual letter, ready to lodge
- Engage legal counsel — particularly for cross-border issues
- Brief executive, board (or audit & risk committee)
The 30-day clock is the maximum; assess in good faith and don't engineer delay.
Notification triggers
If your assessment concludes the breach is an eligible data breach, you must notify:
- The OAIC — as soon as practicable after the conclusion
- Affected individuals — as soon as practicable, by direct contact where reasonable
If the assessment concludes it is not an eligible data breach (no serious harm likely), document the reasoning and close the matter. No notification required.
Lodging with the OAIC
Use the OAIC's online NDB statement form. Mandatory content:
- Identity of the entity (you)
- Description of the breach (when, what, how)
- Kinds of information involved
- Recommended steps for affected individuals
- Entity contact for further information
The OAIC may follow up with questions, particularly for large breaches. Cooperate.
Notifying individuals
Three options:
- Direct notification to each affected individual (email or letter) — preferred
- Public notification on your website + reasonable steps to publicise — fallback if direct is not practicable
- Specified personal notification — for specific situations under the Act
Direct notification is the default. "Not practicable" requires documented reasoning (e.g. you don't have current contact details).
Post-incident lessons learned
Within 4–8 weeks of resolution:
- Root cause analysis — what control failed
- Remediation tracker — what you've changed (and tested) to prevent recurrence
- Board / audit committee briefing — non-financial risk reporting
- Update your breach response plan — every incident teaches you something
- Tabletop exercise — pressure-test the updated plan within 6 months
Done well, a breach response builds organisational resilience. Done badly, it becomes the basis for the next OAIC civil penalty proceeding.
Frequently asked
Is the deadline 72 hours?
No — that's the GDPR rule. Under the Australian Privacy Act you have up to 30 days to assess, then notify 'as soon as practicable' once eligible.
Do I have to notify the police?
Not as part of NDB. Separately, you may want to engage the AFP / state police for criminal investigation, or report to the ACSC ReportCyber.
What if I'm not sure whether it's eligible?
Continue the assessment in good faith — you have up to 30 days. Document the reasoning either way.
Can I rely on the cyber insurer's incident manager?
Helpful but not sufficient. The notification obligation is on you, the APP entity. Lawyer-led incident response is recommended for larger breaches.