Vendor breach response

Trigger: a vendor or service provider has given notice of a security incident that may have affected data shared with them. Or a vendor breach surfaces through public reporting before any direct notification arrives.

The vendor’s breach is, in part, the organisation’s breach. Any personal data they held on its behalf remains its responsibility under GDPR. Someone else losing it does not reduce that obligation.

Verify the notification

Before acting on a breach notification, confirm it is genuine. Phishing that impersonates breach notices from trusted vendors is a known vector. Contact the vendor through a channel already on record, not through the email just received, to confirm the incident is real.

Assess what data was affected

The notification may be vague about scope. Press for specifics:

  • What categories of data were involved?

  • What time period does the breach cover?

  • Were the records encrypted, and if so, with what?

  • How many individuals’ data is estimated to be affected?

  • Has the breach been contained, or is it ongoing?

The data processing agreement with the vendor sets out their notification obligations and the timeframe for detail. Where they fall short of those, document it.

Determine notification obligations

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. The clock may already have started at the moment of awareness, not at the vendor’s notification. Check the timing carefully.

Where the breach is likely to result in a high risk to individuals (special category data, or data enabling identity fraud or physical harm), the affected individuals have to be notified directly too.

Legal counsel can confirm the specific obligations in a given jurisdiction. Any data protection officer needs involving immediately.

Review the vendor relationship

A vendor breach is a prompt to review the relationship:

  • Was the data minimised, or did the vendor hold more than necessary?

  • Was it properly protected under the processing agreement?

  • Did they meet their contractual notification timeline?

Weigh whether to continue the relationship and, if so, what to add at contract renewal (see the vendor assessment playbook). Where it can be done without critically disrupting operations, temporarily revoke or reduce the vendor’s access while the incident is investigated.

Document and follow through

Record when the notification arrived, what it said, what obligations followed, what was disclosed to the supervisory authority, and what was communicated to affected individuals. Update the data audit to reflect what has changed about the vendor relationship.

Last reviewed: 2026-07-08.