Vol. 01 · Story 22 · Domain 5

Seventy-Two Hours.

Data Protection & Compliance

The final lesson · 7 min read

Helen Ashworth, DPO at a UK legaltech SaaS, is paged at 23:47 on a Thursday. A misconfigured access control has exposed solicitor client matter files. The Article 33 clock started the moment her phone buzzed. She has until Sunday night.


The Slack DM lands at 23:47. Helen — awake? We've got a situation. The on-call engineer never calls it a breach in the first message. They always hedge. By 00:03 she is at the kitchen table with her laptop. By 00:17 the word "breach" has been typed and the 72-hour clock has started, whether the incident bridge agrees yet or not.

Lexbridge is a 150-person legaltech SaaS company based in Bristol. Its platform lets UK law firms manage client matter files — case notes, court correspondence, witness statements, billing records — all stored in the cloud and accessible through a browser. The data is not merely sensitive in the general sense. It is legally privileged. It is confidential by professional obligation. And at 23:47 on a Thursday, the on-call engineer pages Helen Ashworth to tell her that a role-based access control misconfiguration has been exposing client matter files across firm boundaries for an estimated six days.

Helen picks up her phone, opens the Jira incident ticket the engineer has already created, and writes the first entry in the incident log: 23:47 Thursday — DPO notified. Article 33 clock starts now. She does not wait to understand the full scope. Under UK GDPR Article 33, the 72-hour notification window to the ICO begins when the organisation becomes aware of the breach — not when the breach is fully understood, not when it is contained, and not when the scope is confirmed. The clock started with that page. Helen has until 23:47 on Sunday.

The first call is with the CTO, Marcus, and the head of engineering. Helen needs to understand the data involved before she can classify the incident. Lexbridge holds two categories of personal data. The first is ordinary personal data: names, email addresses, billing contacts, user account records. The second, and the one that changes everything tonight, is special category data under Article 9 of UK GDPR — specifically, health information embedded in personal injury files, immigration status in asylum case files, and criminal conviction data in defence matter records. Special category data carries a higher bar for lawful processing and a higher standard of protection. The breach has exposed both categories.

Helen opens OneTrust on her laptop. The incident management module is already configured with Lexbridge's data inventory. She pulls the asset record for the client matter file store.

The data inventory tells her what she needs to know about classification. Lexbridge uses four levels: Public (marketing content, public API documentation), Internal (operational documents, internal comms), Confidential (customer account data, contracts, employee records), and Restricted (client matter files, special category personal data, legally privileged content). The exposed files are all Restricted. The classification level does not just label the data — it determines the encryption standard, the access control policy, the retention schedule, and the incident response tier. A Restricted-class breach triggers the full notification procedure automatically.

At 00:30, Marcus's team confirms the scope: 847 client matter files belonging to 23 law firms were potentially readable by users authenticated under a different firm's session. The misconfiguration was introduced in a deployment six days ago. The DLP system — Lexbridge runs Microsoft Purview — had been generating low-severity alerts on anomalous cross-tenant file access queries for four days. The alerts were in the queue. They had not been reviewed. Helen makes a note. That will go into the post-incident review.

She opens the Purview compliance portal and pulls the activity log. The DLP policy for Restricted data is configured with endpoint, network, and cloud controls. Endpoint DLP flags when a user attempts to copy Restricted files to removable media or an unapproved cloud destination. Network DLP inspects outbound traffic from the application servers. Cloud DLP monitors the Azure blob storage containers where the matter files live. The alerts show read queries, not exfiltration. No files were downloaded. Helen writes that down too — it matters for the Article 34 assessment.

By 02:00 Helen has what she needs for the first triage decision: is this notifiable to the ICO? The test is whether the breach is likely to result in a risk to the rights and freedoms of natural persons. The data is legally privileged and includes special category data relating to vulnerable individuals. The answer is yes. She opens the ICO's online breach reporting portal — the Report a Breach service at ico.org.uk — and begins the draft notification.

The 72-hour clock starts when you know. Not when you understand. Not when it is contained. When you know. Write the time in the incident log before you do anything else. — Story 22 · Data Protection & Compliance

The Article 33 notification to the ICO must include five things: the nature of the breach (what happened, how, the systems involved); the categories and approximate number of data subjects affected; the categories and approximate number of records affected; the likely consequences of the breach; and the measures taken or proposed to address it. Helen knows she does not have all of this at 02:00. That is permitted under UK GDPR — a notification can be submitted in phases, with information that is not yet available stated explicitly as pending and provided in a supplementary report. What she cannot do is wait until she has everything and miss the deadline.

She submits the initial notification at 03:15 Friday morning with what is known: the nature of the misconfiguration, the six-day exposure window, the 23 law firms affected, the Restricted classification of the data, the presence of special category data, and the interim containment measure — the misconfigured access control has been rolled back. Consequences and remediation measures are marked as pending supplementary report.

The harder question is Article 34. Under Article 34, where a breach is likely to result in a high risk to individuals — a higher threshold than Article 33's plain risk — the data subjects themselves must be notified directly, without undue delay. Helen applies the test to the facts: legally privileged information about individuals in asylum proceedings, personal injury claims, and criminal cases. If opposing parties, employers, immigration authorities, or insurers were to learn of these matters, the harm to individuals could be serious and concrete. The Article 34 threshold is met. The 23 law firms must be notified so they can contact affected clients.

Helen drafts the law firm notification template at 04:00. Each firm is a data controller for its own clients. Lexbridge is their data processor. Under the data processing agreements — which the DPA 2018 and UK GDPR require to be in place between every controller-processor pair — Lexbridge is obligated to notify each firm promptly so they can fulfil their own Article 33 obligations. Helen copies the legal team. All 23 notifications are sent by 06:30 Friday morning.

Friday's daylight hours are spent on the DPIA — the Data Protection Impact Assessment. A DPIA is required before any high-risk processing operation, not after a breach. Lexbridge should have conducted a DPIA before deploying the role-based access control system. It did not — or at least, the deployment last week bypassed the review gate. A DPIA maps the processing operation, identifies risks to data subjects, and documents measures to mitigate those risks. Privacy by design and by default is the principle that those measures should be built in from the start, not bolted on after. The misconfigured RBAC is a failure of that principle: the system was modified without a review of how the change affected access boundaries.

Helen spends two hours with the engineering team mapping the lawful bases for every processing activity in the Lexbridge platform. UK GDPR requires that every processing activity rests on one of six lawful bases: consent (explicit, freely given, withdrawable); contract (necessary to perform a contract with the data subject); legal obligation (required by law); vital interests (necessary to protect someone's life); public task (carrying out a task in the public interest); or legitimate interests (the organisation's interests, balanced against the data subject's rights). Lexbridge's basis for processing client matter data is primarily contract — the data subjects are the law firm's clients, but the processing is necessary to deliver the contracted service. The basis for retaining financial records is legal obligation — Companies Act requirements cannot be overridden by a data subject erasure request.

That last point matters. Three of the 23 notified firms have already called to say their clients may exercise their right to erasure. Helen explains the position: the right to erasure exists and is real, but it is not absolute. Where retention is required by law, the legal obligation lawful basis overrides the erasure right. She sends a written note to all 23 firms. She handles subject access requests, rectification requests, and objections through TrustArc, where each workflow is documented and time-stamped.

On Saturday, Helen drafts the supplementary ICO report. By now the engineering team has completed a full audit of the exposure: 612 of the 847 accessible files were actually accessed by cross-tenant users. Of those, the access logs show file metadata queries only — no downloads, no print-to-PDF events, no clipboard copy events. The Purview endpoint DLP logs confirm no exfiltration. The risk to individuals is real but mitigated by the absence of confirmed exfiltration. Helen updates the ICO notification with the full scope, the confirmed access log findings, and the remediation plan: a mandatory DPIA gate in the deployment pipeline, DLP alert triage SLAs, and a platform-wide data minimisation review to ensure Restricted data is held only for the periods necessary.
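The Saturday audit and the unreviewed low-severity DLP alerts both come down to the same check: a session authenticated under one firm touching a file owned by another. The following is an added example, not Lexbridge's or Purview's code; it assumes a constructed JSON-lines access log with the field names, firm ids and event names shown, and escalates cross-tenant reads of Restricted files while separating metadata-only reads from exfiltration-type events for the Article 34 assessment.

```python
"""Cross-tenant access triage over a matter-file access log (added example).

Assumes a JSON-lines log where each event carries the tenant of the
authenticated session, the tenant that owns the file, the file's
classification and the event type. All field and event names are constructed.
"""
import json
from collections import defaultdict

# Event types that would mean data left the platform (assumed names).
EXFIL_EVENTS = {"download", "print_to_pdf", "clipboard_copy"}

# Constructed sample log; firm ids and file ids are placeholders.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:02:11Z","session_firm":"firm-A","file_firm":"firm-A","file_id":"m-100","classification":"Restricted","event":"metadata_read"}
{"ts":"2024-03-01T09:05:40Z","session_firm":"firm-B","file_firm":"firm-A","file_id":"m-101","classification":"Restricted","event":"metadata_read"}
{"ts":"2024-03-01T09:06:02Z","session_firm":"firm-B","file_firm":"firm-A","file_id":"m-101","classification":"Restricted","event":"metadata_read"}
{"ts":"2024-03-01T10:15:33Z","session_firm":"firm-C","file_firm":"firm-B","file_id":"m-205","classification":"Restricted","event":"download"}
{"ts":"2024-03-01T11:00:00Z","session_firm":"firm-C","file_firm":"firm-C","file_id":"m-300","classification":"Internal","event":"download"}
"""

def triage(log_text):
    """Summarise cross-tenant access in the shape an incident report needs."""
    cross = defaultdict(set)   # victim firm -> file ids read from another tenant
    exfil = []                 # cross-tenant events that moved data out
    severity = "low"
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["session_firm"] == ev["file_firm"]:
            continue           # same-tenant access is expected behaviour
        cross[ev["file_firm"]].add(ev["file_id"])
        if ev["classification"] == "Restricted":
            severity = "high"  # Restricted-class exposure: full notification tier
        if ev["event"] in EXFIL_EVENTS:
            exfil.append(ev)
    return {
        "firms_affected": sorted(cross),
        "files_accessed": sum(len(v) for v in cross.values()),
        "exfiltration_events": len(exfil),
        "severity": severity,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```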

Data minimisation is one of the GDPR data protection principles: personal data should be adequate, relevant, and limited to what is necessary for the purpose. Lexbridge has been retaining closed matter files indefinitely. The retention schedule, reviewed during the DPIA, will now enforce deletion of closed matter data after seven years — the standard legal hold period for solicitor records under UK professional conduct rules. Data at rest in the Azure blob storage is encrypted with AES-256. Data in transit between the application tier and the storage layer is protected with TLS 1.3. Data in use — the active file sessions in the application — is protected by access controls enforced at the application layer. All three states were protected. The breach was an access control logic failure, not an encryption failure. That distinction matters both for the ICO report and for the remediation scope.

At 19:15 on Sunday, Helen submits the supplementary report to the ICO. The initial notification was at 03:15 Friday — 27 hours and 28 minutes inside the Article 33 deadline. The supplementary report is at 43 hours and 28 minutes from the moment of awareness. She closes the Jira incident ticket, moves it to the post-mortem queue, and writes one line in the incident log: DPO review complete. She does not write that it was a good week. It was not. But Lexbridge will know next time what "privacy by design" actually costs when it is absent.

One note on the legislative landscape. The UK DPA 2018 incorporated the EU GDPR into UK law at the point of Brexit. Post-Brexit, the UK operates under UK GDPR, which is substantially identical to the EU regulation but is now maintained separately by the UK government and enforced by the ICO rather than EU supervisory authorities. For SY0-701 purposes, the core principles, lawful bases, data subject rights, and notification obligations are the same. The exam tests the concepts, not the Brexit mechanics. Article 33, Article 34, Article 9 — those article numbers are the same in UK GDPR as in the EU regulation.

// THE LOCK-IN

The 72-hour Article 33 clock starts when awareness is confirmed, not when the scope is known. Special category data (Article 9) — health, immigration, criminal conviction — is the higher tier. Every processing activity needs a lawful basis; legal obligation overrides erasure requests. DLP covers endpoint, network, and cloud. Encrypt all three data states: at rest (AES), in transit (TLS), in use (access controls). Privacy by design means the DPIA gate goes in the deployment pipeline before the breach, not after. The controller is always accountable — even when a processor does the processing.

Check Yourself · Question 22

A law firm client whose case file was exposed in the Lexbridge breach demands immediate erasure of all data Lexbridge holds about them under the GDPR right to erasure. The matter closed two years ago. Which response is most accurate?

Terminology · Story 22

The Napkin Glossary.

// Term · 01 / 07
Article 33 vs Article 34
// Definition
Art. 33: notify the supervisory authority (ICO) within 72h of awareness if likely risk exists. Art. 34: notify affected data subjects directly, without undue delay, if the risk is high. Two different thresholds, two different duties.
Domain 05
// Term · 02 / 07
Special Category Data (Article 9)
// Definition
Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, criminal conviction data. Higher protection standard and stricter lawful basis requirements than ordinary personal data.
// Term · 03 / 07
DPIA
// Definition
Data Protection Impact Assessment: a structured analysis of a high-risk processing operation conducted before it begins. Maps the processing, identifies risks to data subjects, and documents mitigation measures. The gate that catches problems before they become breaches.
// Term · 04 / 07
DLP — Three Layers
// Definition
Endpoint DLP: policies on devices (block copy to USB, unapproved cloud). Network DLP: inspects outbound traffic from servers. Cloud DLP: monitors storage containers and SaaS platforms. Together they cover data wherever it moves, sits, or is used.
// Term · 05 / 07
Privacy by Design & Default
// Definition
Privacy by design: embed data protection controls into systems from the start, not as an afterthought. Privacy by default: systems should process only the minimum personal data necessary for the stated purpose, by default — no opt-in required to activate protection.
// Term · 06 / 07
Data Subject Rights
// Definition
Access (Subject Access Request, 30-day response); Rectification (correct inaccurate data); Erasure (right to be forgotten — not absolute); Portability (receive data in machine-readable format); Object (stop processing for legitimate interests or direct marketing). All balanced against competing obligations.
// Term · 07 / 07
Data at Rest / In Transit / In Use
// Definition
At rest: stored on disk, in databases, backups — protect with AES-256 encryption. In transit: moving across a network — protect with TLS 1.3 / HTTPS / VPN. In use: actively processed in memory or application layer — protect with access controls and least-privilege enforcement.