Ransomware attacks reached a new record high in 2024, threatening organizations worldwide. Critical sectors such as healthcare and public authorities remain prime targets, but small and medium-sized enterprises (SMEs) are increasingly affected as well. Cybercriminals are increasingly stealing data to extort ransom payments. Unfortunately, this tactic often proves successful, further intensifying the threat landscape.

But how can organizations defend themselves? The General Data Protection Regulation (GDPR) plays a key role in responding to cyberattacks by defining clear security requirements and reporting obligations.

The GDPR as a Framework for Cybersecurity

The GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data (Article 32 GDPR). If a personal data breach nevertheless occurs — for example, as a result of a ransomware attack — the reporting obligations under the GDPR come into effect.

According to Article 33 GDPR, controllers must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it. An exception applies only where the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

But what does a proper notification look like? And what steps should organizations take in practice?

Step by Step: How to Properly Report a Ransomware Attack

1. Review Internal Procedures

If not already in place, establish clear procedures for handling personal data breaches. These processes should be reviewed, tested, and updated regularly.

2. Perform a Risk Assessment

Assess as accurately as possible whether personal data has been affected and evaluate the potential impact. This assessment forms the basis for communication with the supervisory authority.

3. Submit the Initial Notification on Time

The initial notification must be submitted within the 72-hour deadline, even if all details are not yet available. Additional information can and should be provided as it becomes available.

4. Use Secure, Encrypted Communication

Any sensitive information should always be transmitted to the supervisory authority using encrypted communication channels to ensure confidentiality.

5. Take Immediate Mitigation Measures

Do not wait until the forensic investigation has been completed. Immediately implement appropriate containment and mitigation measures and document all actions taken.

6. Report the Incident to Law Enforcement

File a criminal complaint with the appropriate law enforcement authorities. Doing so demonstrates a proactive response and may support both the investigation and damage mitigation efforts.

7. Provide Regular Updates

Keep the supervisory authority informed about the progress of your investigation and remediation activities. Transparent communication helps facilitate cooperation throughout the incident.

8. Maintain Comprehensive Documentation

Every step taken in response to the personal data breach must be documented internally. These records are mandatory regardless of the assessed level of risk and may be requested during regulatory inspections.

Working Effectively with the Supervisory Authority

Successful cooperation with the data protection supervisory authority requires:

  1. A Cooperative Approach: Provide all requested information promptly and within the required timeframes.

  2. Continuous Communication: Keep the authority informed about the progress of your investigation and the measures you have implemented.

  3. Implementation of Recommendations: Consider and implement the authority’s recommendations where appropriate to further strengthen your data protection and security measures.

Taking a proactive and transparent approach demonstrates that your organization treats the incident seriously and is committed to preventing similar incidents in the future.

GDPR as a Driver of Cyber Resilience

The General Data Protection Regulation (GDPR) not only establishes a clear legal framework for protecting personal data but also serves as a catalyst for building a sustainable cybersecurity strategy. Article 32 GDPR defines security requirements that help organizations safeguard their digital assets and improve resilience against cyber threats.

At a time when ransomware attacks continue to increase dramatically, the GDPR has become an indispensable framework. It promotes not only effective incident response but also preventive security measures. Organizations that consistently implement GDPR requirements benefit from stronger cyber resilience over the long term.

Conclusion: Ransomware attacks are more than just IT incidents — they are data protection incidents with far-reaching legal and operational consequences. Complying with GDPR requirements is not only a legal obligation but also an opportunity to strengthen an organization’s overall cybersecurity posture. Organizations that embrace these requirements establish a solid foundation for protecting sensitive data while gaining a competitive advantage in an increasingly digital world.