Report a data breach¶
When a data breach or information security incident occurs, you need to document it quickly and thoroughly. This guide walks you through creating a breach report in Dxtra using the 5-step reporting wizard.
Prerequisites¶
- A Dxtra account with admin or DPO access
- Details of the breach (what happened, when, what data was affected)
- Knowledge of who was affected and how many individuals are involved
Start a new report¶
Go to Breach & Incident Report in the left sidebar. Below any existing reports, you see the Report a Data Breach or Information Security Incident form.
The form has five tabs across the top: Incident Details, Data & Impact, Risk & Response, Notifications, and Review & Submit. Complete each step and use the Back and Next buttons to navigate between them.
Step 1: Incident Details¶
Fill in the organization details and incident timeline:
- Select the Data Protection Officer responsible for this incident from the dropdown
- Enter your Internal Reference Number — your organization's tracking ID for this incident
- Fill in the Incident Timeline:
- Breach Occurred — The date and time the breach actually happened (if known)
- Breach Discovered — When your organization first became aware. This is the date from which the GDPR 72-hour notification clock starts
- Breach Ended — When the breach was contained, if applicable
- Notification Date — When you notified (or plan to notify) the supervisory authority
- Describe the Nature of Breach:
- Brief Description — A short summary for quick reference
- Detailed Incident Report — A comprehensive account of what happened, how it was discovered, and what systems or processes were involved
Warning
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach. Start your report as soon as the breach is discovered, even if you do not have all the details yet. You can save as draft and update later.
Click Next to proceed to Step 2.
Step 2: Data & Impact¶
Assess the scope and severity of the breach:
- Select the Categories of Personal Data affected — names, email addresses, financial data, health records, special category data, etc.
- List any Specific Identifiers Affected — the exact PII types compromised
- Select the Data Protection Measures that were in place (encryption, access controls, etc.)
- Indicate whether Encryption Keys Were Compromised — choose Yes, No, or Unknown. This significantly affects the risk assessment. If encryption keys were not compromised, the data may be considered protected even if accessed.
- Document the Affected Individuals:
- Select the Categories of Data Subjects (customers, employees, etc.)
- Choose Exact Count or Range Estimate for the number of affected individuals
- Enter the Number of Records Affected
- Select the Geographic Scope — which countries or regions the affected individuals are located in. This determines which regulatory notification requirements apply.
Click Next to proceed to Step 3.
Step 3: Risk & Response¶
Document your risk analysis and the actions taken:
- Write your Detailed Risk Assessment — describe your methodology and conclusions about the severity of the breach
- Select Measures Taken from the dropdown — what immediate containment steps were applied
- Describe Immediate Containment Actions — actions taken in the first hours after discovery
- Describe Ongoing Mitigation Measures — continuing efforts to address the breach and prevent further exposure
- Describe Long-term Improvements — preventive measures you plan to implement
- Document Evidence Preservation — how evidence is being secured for potential investigations or legal proceedings
Click Next to proceed to Step 4.
Step 4: Notifications¶
Track who needs to be notified and what actions to recommend:
- Regulatory Notification — Select whether regulatory notification is required:
- Yes — Notification is required
- No — Notification is not required (e.g. the breach is unlikely to result in risk to individuals)
- Under Assessment — Still determining whether notification is required
- List any Other Authorities Notified — additional supervisory authorities, sector regulators, or law enforcement
- Individual Notifications — Check the recommended actions you are advising affected individuals to take:
- Change Passwords
- Enable Multi-Factor Authentication
- Monitor Financial Accounts
- Consider Credit Freezes
- Place Fraud Alert
- Watch for Phishing Attempts
- Review Account Statements
- Report Suspicious Activity
- Contact Support for Questions
- Document any Other Processors/Controllers that were involved in or notified about the breach
- Note any Other Third Parties Involved (e.g. forensic investigators, legal counsel)
Click Next to proceed to Step 5.
Step 5: Review & Submit¶
Finalize the report:
-
Evidence & Documentation — Upload supporting files. The evidence table shows each attachment with its category, file name, size, and upload date. Typical attachments include:
- Audit log extracts
- Regulatory notification drafts
- Incident timeline diagrams
- Customer notification templates
- Affected accounts summaries
-
Declaration & Submission:
- Your name and role are auto-populated
- Enter your position in the organization
- The submission date and time are recorded automatically
- Check the certification checkbox to confirm the information is accurate and complete
- Type your name as your Electronic Signature
-
Choose your action:
- Save Draft — Save the report and return to it later. The Report Status shows "This report is saved as a Draft."
- Submit Report — Finalize and submit. The report moves from Draft to submitted status in the Breach Reports list.
- Cancel — Discard changes and return to the list
Tip
You do not need to complete the entire report in one session. Save as draft at any point and return to continue. This is especially useful when you are still gathering information in the early hours after discovery.
After submission¶
Once submitted, the report appears in the Breach Reports list at the top of the page.
Breach reference number¶
Dxtra assigns each breach report a unique reference number in the format:
For example, DCI-SEC-2026-0023 means: controller prefix DCI, category SEC (security), year 2026, and sequence number 0023. The controller prefix is derived from your organization's name during onboarding.
Breach report list columns¶
The breach report list displays the following columns:
| Column | Description |
|---|---|
| Reference | The unique breach reference number (e.g. DCI-SEC-2026-0023) |
| Incident Type | A short description of the breach category |
| Status | Current state of the report — Draft or Published |
| Risk Level | The assessed risk level — Low, Medium, High, or Critical |
| Affected | Number of individuals affected by the breach |
| Created | Date the report was first created |
| Actions | Edit or view the full report |
You can update a submitted report by clicking the edit action. This creates a new version while preserving the original submission for audit purposes.
Field reference¶
This section documents every field across the five report tabs. Use it as a reference when completing a breach report or when reviewing submitted reports.
Note
Dxtra auto-correlates notification thresholds to the Geographic Scope jurisdictions you select in Tab 2. For example, selecting a European country activates the GDPR notification thresholds in Tab 4.
Tab 1: Incident Details (10 fields)¶
Organization Details — Identify the responsible officer and internal reference for this incident.
| Field | Type | Description |
|---|---|---|
| Data Protection Officer | Dropdown | Person responsible for this breach report |
| Internal Reference Number | Text | Your organization's internal tracking reference |
Incident Timeline — Record when the breach occurred, was discovered, and when notifications were made. GDPR requires notification within 72 hours of discovery.
| Field | Type | Description |
|---|---|---|
| Breach Occurred | Date/time | When the breach actually happened (if known) |
| Breach Discovered * | Date/time | When your organization became aware |
| Breach Ended | Date/time | When the breach was contained (if applicable) |
| Notification Date | Date/time | When supervisory authority was notified |
Nature of Breach — Describe the type, category, and details of the security incident.
| Field | Type | Description |
|---|---|---|
| Brief Description | Textarea | A short summary of what happened (for quick reference) |
| Detailed Incident Report * | Textarea | Full description of the breach event |
| Breach Type (CIA Triad) | Dropdown | What aspects of data security were compromised? |
| Breach Category | Dropdown | How did the breach occur? |
| Breach Reason | Dropdown | What was the reason for the breach? |
Tab 2: Data & Impact (10 fields)¶
Personal Data Affected — Identify the categories and protection status of personal data involved in the breach.
| Field | Type | Description |
|---|---|---|
| Categories of Personal Data | Multi-select | What types of personal data were affected? Special category data (Article 9) requires additional protections. |
| Specific Identifiers Affected | Multi-select checkbox list | Options include: Dx User Id, Cart Data, Ad Impressions, Access Logs, User Activities, Clickstream Data, Interaction History, Login Data, Session Data, Ad Clicks, Heatmap Interactions, User Playtime, Time On Site App |
| Data Protection Measures | Multi-select checkbox list | Options: Encrypted at Rest, Encrypted in Transit, Hashed, Pseudonymized, Tokenized, No Protection, Unknown |
| Were Encryption Keys Compromised? | Radio | Yes / No / Unknown |
Affected Individuals — Identify who was affected by the breach and the approximate number of individuals.
| Field | Type | Description |
|---|---|---|
| Categories of Data Subjects | Dropdown | The types of data subjects affected (customers, employees, etc.) |
| Number of Affected Individuals | Radio | Exact Count / Range Estimate |
| Number of Individuals Affected | Number | The count or estimate of affected individuals |
| Number of Records Affected | Number | Total number of data records involved |
| Geographic Scope | Multi-select | Countries or regions where affected individuals are located. This determines which regulatory notification thresholds apply in Tab 4. |
Tab 3: Risk & Response (9 fields)¶
Risk Assessment — Evaluate the risk to affected individuals based on the nature of the data, volume affected, and potential consequences.
| Field | Type | Description |
|---|---|---|
| Overall Risk Level | Radio | Low / Medium / High / Critical. A contextual alert is displayed based on your selection. |
| Potential Consequences for Individuals | Multi-select combobox | Select the potential consequences for affected individuals |
| Risk Assessment Summary * | Textarea | A summary of your risk assessment methodology and conclusions |
| Detailed Risk Assessment | Textarea | In-depth analysis of the risk to affected individuals |
Response Actions — Document the measures taken to contain the breach and prevent recurrence.
| Field | Type | Description |
|---|---|---|
| Measures Taken | Multi-select combobox | What immediate containment steps were applied |
| Immediate Containment Actions | Textarea | Actions taken in the first hours after discovery |
| Ongoing Mitigation Measures | Textarea | Continuing efforts to address the breach and prevent further exposure |
| Long-term Improvements | Textarea | Preventive measures you plan to implement |
| Evidence Preservation | Textarea | How evidence is being secured for potential investigations or legal proceedings |
Tab 4: Notifications (10 fields)¶
Regulatory Notifications — Track notifications to supervisory authorities and affected individuals.
| Field | Type | Description |
|---|---|---|
| Is Regulatory Notification Required? | Radio | Yes / No / Under Assessment |
| Applicable Notification Thresholds | Multi-select | Options include: GDPR Likely Risk, GDPR High Risk, PDPA 500+ Individuals, Australia NDB Serious Harm, CCPA |
| Other Authorities Notified | Dropdown | Additional supervisory authorities, sector regulators, or law enforcement notified |
Individual Notifications — Document communications with affected individuals.
| Field | Type | Description |
|---|---|---|
| Recommended Actions for Individuals | Multi-select | Actions you are advising affected individuals to take |
| Detailed Recommendations | Textarea | Specific guidance for affected individuals |
Third Parties & Processors — Identify data processors and third parties involved in or affected by the breach.
| Field | Type | Description |
|---|---|---|
| Data Processors Involved | Dropdown | Select processors involved in the breach |
| Other Processor/Controller | Text | Name any other processor or controller involved |
| Other Third Parties Involved | Text + add button | List additional third parties (forensic investigators, legal counsel, etc.) |
Tab 5: Review & Submit (8 fields)¶
Lessons Learned — Document findings and improvements to prevent future incidents.
| Field | Type | Description |
|---|---|---|
| Root Cause Analysis | Textarea | What caused the breach to occur |
| Identified Vulnerabilities | Textarea | Security or process vulnerabilities that contributed to the breach |
Remediation Action Plan — Track specific actions with owners and deadlines.
| Field | Type | Description |
|---|---|---|
| Action items list | Action / Owner / Due Date / Status / Delete | Each action item tracks a remediation step with an assigned owner, deadline, and status |
Supporting Documentation — Attach relevant documents, evidence, and communications.
| Field | Type | Description |
|---|---|---|
| Document Category | Dropdown | Categorize the uploaded document |
| File upload | File drop zone | Drop files or click to browse. Uploaded files table shows: Category, File Name, Size, Uploaded, Actions |
Declaration & Submission — Complete the declaration to certify the accuracy of this report.
| Field | Type | Description |
|---|---|---|
| Submitter Name * | Text | Name of the person submitting the report |
| Position/Title * | Text | Role or title within the organization |
| Submission Date | Date/time | Automatically recorded submission timestamp |
| Electronic Signature * | Text | Type your name as your electronic signature |
Fields marked with * are required.
Related¶
- Breach & incident management overview — The 5-step workflow and notification deadlines
- Breach response plan — Develop your incident response plan
- Data subject rights management — Managing requests that may follow a breach notification
- Compliance issues — Track issues arising from breaches
Not legal advice
AI-generated content does not constitute legal advice. Consult a qualified legal professional for advice specific to your jurisdiction and business context.