On a Saturday morning, a SaaS company’s CTO discovered that part of the customer database had been exfiltrated by an attacker. The engineering team reflexively did the right things: closed the hole, isolated the systems, collected the logs. But no one called a lawyer, and no one realized a “clock” had started. Four days passed between detecting the breach and notifying the regulator, and despite a flawless technical response, the real problem was the notification delay. In a breach, the scarcest resource is calm; the second scarcest is time.
A data breach is no longer a question of “if” but “when.” What makes the difference isn’t whether a breach happens, but whether you’re ready when it does. KVKK art. 12 imposes a duty to ensure data security and, alongside it, a duty to notify in the event of a breach. In this piece, we build — in a calm moment — the response plan you’ll reach for in a crisis.
What Exactly Is a “Data Breach”?
Not every security incident is a data breach. An incident becomes one when personal data is unlawfully acquired, disclosed, altered, lost, or rendered inaccessible. A ransomware attack, a mass email sent to the wrong recipients, a lost unencrypted laptop, a misconfigured cloud bucket: all can be breaches. The first step is to classify the incident correctly, because classification triggers everything that follows, including the notification clock.
The 72-Hour Rule: Who Notifies Whom, and When?
Under the Board’s decision 2019/10 of 24 January 2019, the data controller must notify the Board within 72 hours at the latest of becoming aware of the breach. If notification cannot be made within 72 hours, the reasons for the delay are explained to the Board together with the notification.
Not all information will be available in the first 72 hours — that’s normal. In that case, a preliminary notification is made with the available information, and missing details are completed later. The “let’s wait until everything is clear” approach is the most common and most expensive mistake.
Notifying Data Subjects
Notifying the Board alone is not enough. Affected data subjects must also be informed as soon as reasonably possible after they have been identified, directly if their contact details are available and otherwise by an appropriate method such as an announcement on the controller’s own website. Notification lets people manage their own risk: change a password, block a card, stay alert to phishing. A transparent, timely notification is often the only thing that preserves trust after a crisis.
High-Risk Indicators: Which Breach Is More Serious?
Not every breach has the same impact. The following raise the risk and the urgency of response:
- Special-category data — health, biometric, ethnicity, religion.
- Financial data — card details, account information, payment data.
- Information enabling identity theft — ID numbers, copies of ID documents.
- The scale of affected individuals and the data’s potential for misuse.
If any of these is present, both the priority of notification and the scope of measures required increase.
A Breach-Moment Response Plan Checklist
There’s no time to think in a crisis; that’s why the plan is written in advance. A minimum response plan should include:
- Response team and roles — who runs the technical response, who the legal process, who communications? With names and contacts.
- Detection and containment — steps to stop the incident and isolate systems, ordered so that evidence (logs, disk images, access records) is preserved before anything is rebuilt or wiped; containment that destroys the logs also destroys your ability to assess scope.
- Assessment — is this a personal data breach? Which data, how many people, what risk?
- Notification flow — notify the Board within 72 hours; notify affected data subjects; other regulators if needed.
- Recording and documentation — a record of every decision and timestamp from the moment of the incident. This record is the proof of accountability.
- Post-breach review — root-cause analysis and lasting measures to prevent recurrence.
Write the Plan Today, Not in the Crisis
A data-breach response plan shows its value precisely when you need it most — under panic, pressure, and time scarcity. In that moment a plan isn’t written, only executed. Preventing a breach entirely may be out of your hands; deciding in advance how you’ll respond is entirely in them. The clock starts the moment you learn of the breach — the plan must be ready long before.
Is your response plan ready? Let’s build a plan that runs at the moment of breach. Schedule a call →
Frequently Asked Questions
When does the 72 hours start?
From the moment the controller becomes aware of the breach; the Board must be notified within that window.
What if not all information is ready?
Make a preliminary notification with what you have and complete the rest later. Waiting “until everything is clear” is the costliest mistake.
Must I also tell affected individuals?
Yes; notifying affected data subjects as soon as reasonably possible lets them manage their own risk.
Sources
- KVKK — Data Breach Notification: https://www.kvkk.gov.tr/veri-ihlali-bildirimi
- KVKK — Board Decision 2019/10 on Personal Data Breach Notification Procedures: https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi
- Law No. 6698 on the Protection of Personal Data (art. 12): https://www.mevzuat.gov.tr/mevzuatmetin/1.5.6698.pdf
This article is for general information only and does not constitute legal advice. For a specific situation, please consult Vircon Legal.
Author
Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.