Data Breach Notification Decision & Log: Beat the 72-Hour Clock Without Panic
Log a suspected personal-data breach, run a structured risk-to-individuals assessment, start the notification clock, and draft regulator and individual notices — with your privacy officer approving the notify/no-notify call before anything is sent or filed.
A locked-down web tool where your team logs a breach, timestamps the moment you became aware, runs a structured risk assessment, gets an AI notify/no-notify recommendation with rationale, and — after the privacy officer approves — drafts regulator and individual notifications, tracks the deadline with Resend reminders, and exports the full breach decision record as CSV.
Before you start
- A Supabase account (free)
- A Vercel account (free)
- A Resend account (free)
- Your breach assessment criteria / notification thresholds
- A short list of who must be alerted (privacy officer, legal, security)
- Claude Code or any AI coding agent
The problem this kills
A breach lands on a Tuesday afternoon. Someone forwards a "we think customer data may have leaked" email, and suddenly a clock you can't see is already running. Under GDPR you may have 72 hours from becoming aware to notify the regulator. Other regimes have their own deadlines. And in that window your team has to figure out what data, how many people, how bad the risk is to those people, whether you even have to notify, and then write the notices — all while pulling facts out of Slack threads, half-remembered phone calls, and a security tool nobody fully trusts.
The result is the worst kind of compliance work: high stakes, hard deadline, no structure. Decisions get made in a panic and documented after the fact (if at all). When the regulator later asks "when did you become aware, and why did you decide not to notify?", there's no clean record — just an inbox. You don't need to be a developer to fix this, and you shouldn't be assembling a breach timeline from memory.
What you'll build
A simple, access-restricted internal web tool for handling a personal-data breach end to end. When an incident comes in, your team logs the breach and timestamps the awareness moment — the instant the clock starts. The tool walks them through a structured risk-to-individuals assessment built from your thresholds (data categories involved, number of people, sensitivity, likelihood and severity of harm, whether the data was encrypted or contained). Based on that assessment, the AI produces a notify / no-notify recommendation with a written rationale — and crucially, it documents the rationale even when the answer is "do not notify."
Your privacy officer (looping in legal as needed) reviews and approves the decision. Only after sign-off does the tool draft the regulator notification and the individual notifications, which the officer again reviews and approves before anything goes out. The tool tracks the deadline, fires Resend reminders as it approaches, and lets you export the complete breach record as a CSV for your files and any audit. The tool assists; humans decide and send.
What's inside the Implementation Plan
The plan opens by interviewing you about your business — your incident process, who handles breaches, which regulators and deadlines apply to you, your exact assessment criteria and notification thresholds, your typical data categories, and your messiest edge cases — so the tool is tailored to how you actually handle incidents, not a generic template. It reads a short spec back to you and waits for your thumbs-up before building anything.
From there it's a step-by-step build, each step ending with a ready-to-paste prompt:
- A breach intake form that captures incident details (what data, how many people, cause, containment) and stamps the awareness moment that starts the clock.
- A structured risk-to-individuals assessment wired to your own thresholds.
- An AI notify / no-notify recommendation with a documented rationale — including the rationale for not notifying.
- A hard privacy-officer approval gate on the decision and on every notification draft.
- Regulator and individual notification drafts the officer reviews before sending.
- Deadline tracking with Resend reminder emails.
- A duplicate guard keyed on breach ID, an audit trail, access restriction on breach records, and a CSV export of the full decision log — plus a no-API fallback so you can build and use it today.
The governance it includes (this is the point)
This is breach handling that holds up to scrutiny, not a glorified notepad. Built in from the start:
- Login, so only your incident team can open it.
- Row-level security, so people only ever see their own organization's breach records — and you can lock breach records down tighter than ordinary data.
- A complete audit trail: who logged the breach, who assessed it, who approved the decision, who approved each notice, and exactly when.
- A hard human-in-the-loop approval gate: the AI drafts the assessment and notices, but the privacy officer (with legal) decides and sends. Nothing is filed or emailed on autopilot.
- A duplicate guard keyed on breach ID, so the same incident can't be logged and processed twice.
- A timestamped awareness moment so your deadline clock is defensible, and a documented rationale for every decision — notify and no-notify.
This tool assists with breach handling and documentation. It is not legal advice — your privacy officer and legal counsel make the call.
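Several of the governance items above (row-level security, the duplicate guard on breach ID, the timestamped awareness moment, the approval record and the audit trail) can be enforced in the database rather than left to application code. The Supabase (Postgres) migration below is an added illustration, not the plan's own schema or prompts: it assumes Supabase's `auth.uid()` is available, a hypothetical `org_members(user_id, org_id, role)` table already exists, and the 72-hour window the page cites for GDPR (adjust the interval for other regimes).

```sql
-- Added example (not the plan's own schema). Assumes Supabase Postgres with auth.uid()
-- and a hypothetical org_members(user_id, org_id, role) table.
create table breach_records (
  id                   bigint generated always as identity primary key,
  org_id               uuid not null,
  breach_id            text not null,                   -- your own incident reference
  aware_at             timestamptz not null,            -- the moment the clock starts
  -- 72 hours is the GDPR figure cited above; change the interval for other regimes
  notify_deadline      timestamptz generated always as (aware_at + interval '72 hours') stored,
  decision             text not null default 'pending'
                       check (decision in ('pending', 'notify', 'no_notify')),
  decision_rationale   text,                            -- required for notify AND no_notify
  decision_approved_by uuid,                            -- privacy officer, set only at sign-off
  decision_approved_at timestamptz,
  created_by           uuid not null default auth.uid(),
  created_at           timestamptz not null default now(),
  -- duplicate guard: the same incident cannot be logged twice for one organisation
  unique (org_id, breach_id),
  -- who approved and when are recorded together or not at all
  check ((decision_approved_by is null) = (decision_approved_at is null)),
  -- a notify/no-notify call cannot exist without a written rationale and a sign-off
  check (decision = 'pending'
         or (decision_rationale is not null and decision_approved_by is not null))
);
alter table breach_records enable row level security;

-- read and log: only members of the record's own organisation
create policy breach_select on breach_records for select
  using (org_id in (select org_id from org_members where user_id = auth.uid()));
create policy breach_insert on breach_records for insert
  with check (org_id in (select org_id from org_members where user_id = auth.uid()));
-- change a record (including the decision): only a privacy officer of that organisation,
-- and an approval may only be signed in the approver's own name
create policy breach_update on breach_records for update
  using (org_id in (select org_id from org_members
                    where user_id = auth.uid() and role = 'privacy_officer'))
  with check (decision_approved_by is null or decision_approved_by = auth.uid());

-- audit trail: append-only before/after copy of every change, written by a trigger
create table breach_audit_log (
  id         bigint generated always as identity primary key,
  record_id  bigint not null references breach_records(id),
  changed_by uuid,                                      -- null only for service-role changes
  changed_at timestamptz not null default now(),
  old_row    jsonb,
  new_row    jsonb
);
alter table breach_audit_log enable row level security;  -- no policies: unreadable via the API until you add one
create or replace function log_breach_change() returns trigger
  language plpgsql security definer as $$
begin
  insert into breach_audit_log (record_id, changed_by, old_row, new_row)
  values (coalesce(new.id, old.id), auth.uid(), to_jsonb(old), to_jsonb(new));
  return new;
end $$;
create trigger breach_audit after insert or update on breach_records
  for each row execute function log_breach_change();
```

With this in place, a second insert of the same `breach_id` for one organisation fails at the database, a decision row cannot be saved without rationale and approver, and the awareness timestamp and computed deadline are what the audit log and the CSV export read back.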
Who it's for
Privacy officers, data protection officers, security and incident-response teams — anyone responsible for handling a personal-data breach under deadline pressure and documenting it defensibly. If you've ever rebuilt a breach timeline out of an inbox after the fact, this is for you.
You've got this — paste the first prompt and let the plan interview you.