
The Clock Is Running: A Data-Breach Response Plan and the 72-Hour Rule


On a Saturday morning, a SaaS company’s CTO discovered that part of the customer database had been exfiltrated by an attacker. The engineering team reflexively did the right things: closed the hole, isolated the systems, collected the logs. But no one called a lawyer, and no one realized a “clock” had started. Four days passed between detecting the breach and notifying the regulator — and despite a flawless technical response, the real problem came from the notification delay. In a breach, the scarcest resource is calm; the second scarcest is time.

A data breach is no longer a question of “if” but “when.” What makes the difference isn’t whether a breach happens, but whether you’re ready when it does. KVKK art. 12 imposes a duty to ensure data security and, alongside it, a duty to notify in the event of a breach. In this piece, we build — in a calm moment — the response plan you’ll reach for in a crisis.

What Exactly Is a “Data Breach”?

Not every security incident is a data breach, but the unlawful acquisition, disclosure, alteration, loss, or rendering-inaccessible of personal data is. A ransomware attack, a mass email sent to the wrong recipient, a lost unencrypted laptop, a misconfigured cloud bucket — all can be breaches. The first step is to classify the incident correctly, because classification triggers everything that follows.

The 72-Hour Rule: Who Notifies Whom, and When?

Under the Board’s decision 2019/10 of 24 January 2019, the data controller must notify the Board within 72 hours at the latest of becoming aware of the breach. If notification cannot be made within 72 hours, the reasons for the delay are explained to the Board together with the notification.

Not all information will be available in the first 72 hours — that’s normal. In that case, a preliminary notification is made with the available information, and missing details are completed later. The “let’s wait until everything is clear” approach is the most common and most expensive mistake.

Notifying Data Subjects

Notifying the Board alone is not enough. Affected data subjects must also be informed, as soon as reasonably possible and by appropriate means. Notification lets people manage their own risk — change a password, block a card, stay alert to phishing. A transparent, timely notification is often the only thing that preserves trust after a crisis.

High-Risk Indicators: Which Breach Is More Serious?

Not every breach has the same impact. The following raise the risk and the urgency of response:

  • Special-category data — health, biometric, ethnicity, religion.
  • Financial data — card details, account information, payment data.
  • Information enabling identity theft — ID numbers, copies of ID documents.
  • The scale of affected individuals and the data’s potential for misuse.

If any of these is present, both the priority of notification and the scope of measures required increase.

A Breach-Moment Response Plan Checklist

There’s no time to think in a crisis; that’s why the plan is written in advance. A minimum response plan should include:

  • Response team and roles — who leads the technical response, who the legal process, and who communications, with names and contact details.
  • Detection and containment — steps to stop the incident, isolate systems, and preserve evidence (logs).
  • Assessment — is this a personal data breach? Which data, how many people, what risk?
  • Notification flow — notify the Board within 72 hours; notify affected data subjects; other regulators if needed.
  • Recording and documentation — a record of every decision and timestamp from the moment of the incident. This record is the proof of accountability.
  • Post-breach review — root-cause analysis and lasting measures to prevent recurrence.

Write the Plan Today, Not in the Crisis

A data-breach response plan shows its value precisely when you need it most — under panic, pressure, and time scarcity. In that moment a plan isn’t written, only executed. Preventing a breach entirely may be out of your hands; deciding in advance how you’ll respond is entirely within your control. The clock starts the moment you learn of the breach — the plan must be ready long before.


Is your response plan ready? Let’s build a plan that runs at the moment of breach. Schedule a call →

Frequently Asked Questions

When does the 72 hours start?
From the moment the controller becomes aware of the breach; the Board must be notified within that window.

What if not all information is ready?
Make a preliminary notification with what you have and complete the rest later. Waiting “until everything is clear” is the costliest mistake.

Must I also tell affected individuals?
Yes; notifying affected data subjects as soon as reasonably possible lets them manage their own risk.

Sources

  • KVKK — Data Breach Notification: https://www.kvkk.gov.tr/veri-ihlali-bildirimi
  • KVKK — Board Decision 2019/10 on Personal Data Breach Notification Procedures: https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi
  • Law No. 6698 on the Protection of Personal Data (art. 12): https://www.mevzuat.gov.tr/mevzuatmetin/1.5.6698.pdf

This article is for general information only and does not constitute legal advice. For a specific situation, please consult Vircon Legal.

Author

  • Erdem Mümtaz Hacıpaşaoğlu

    Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.

Published: 30 June 2026 · last updated: 26 June 2026