
On this page

  • Why structured breach logging matters
  • Logging a breach
  • The breach detail page
  • The register view
  • A practical breach workflow

Breach management

Deep dive: log breaches, track the authority notification clock, manage severity and remediation, and export for regulators.

Last updated April 2026

Why structured breach logging matters

Most privacy frameworks require you to document every personal data breach and notify your regulatory authority within a set window — for example, the 72-hour notification window as required by GDPR; timelines vary under other frameworks — when the breach is likely to result in a risk. In some cases you must also notify the affected individuals. Keeping breach records in a structured register rather than ad-hoc emails or spreadsheets makes notification deadlines easier to track and gives you an audit trail from discovery through resolution.

The Breach register in Ghost's Compliance module is where you do this. Open Compliance from the header tools menu, then choose Breach register (or Log breach) from the sidebar under Incidents.

Logging a breach

  1. Click Log breach in the sidebar (or the new-breach button on the register page).
  2. Fill in the form: date and time discovered (required), a short title, what happened (description), how it was discovered, and the reporter's name and role.
  3. Save. Ghost creates the breach record and opens the detail page where you can classify and track the incident as your investigation progresses.

You do not need every detail at creation time. The point is to get the record into the system as soon as possible so the 72-hour clock is visible to your team.

The breach detail page

Each breach has a detail page with a classification and status form where you fill in additional fields as the investigation unfolds:

  • Status and breach type (CIA classification).
  • Approximate individuals affected and whether special-category or sensitive data was involved.
  • Containment (unknown, yes, or no) and severity band with a required reason when you change it. You can also run a severity assessment from the detail page.
  • Regulatory authority notified at and individuals notified at (date-time fields for tracking your notification obligations).
  • An optional linked privacy request case if the breach relates to an open request.

Regulatory authority notification drafts. The detail page includes structured text fields aligned to typical regulatory authority notification content: nature of the breach, categories and approximate number of individuals affected, categories and approximate number of records, likely consequences, and measures taken or proposed. Use these to draft your notification before submitting to the authority.

Individual communication tracking. When individual notification is required, a second set of fields tracks communication status, means of communication, timing, content summary, and any exceptions or disproportionate effort justification.

The page also shows an audit event timeline that traces every action taken on the record: who created it, who updated which fields, and when. This timeline is useful when you need to demonstrate to a regulator that you acted within the required timeframe.

The register view

The Breach register page lists all breaches for the active matter in a table with columns for reference number, title, status, severity, and discovery date. Use it as your running log. You can export the register using the actions menu for audits or board reporting.

If your matter has a regulatory authority preset configured (set in Settings > Matters), breach exports automatically include the authority name and any boilerplate text your organisation has prepared.

A practical breach workflow

  1. Discover: as soon as anyone suspects a breach, log it immediately with whatever you know.
  2. Classify: update the detail page with breach type, containment status, severity, and the number of individuals affected.
  3. Draft notifications: use the regulatory authority notification fields to prepare your regulatory authority notification. Record the notification date once submitted.
  4. Communicate: if individual notification applies, track communications using the dedicated fields.
  5. Close: mark the breach as closed when investigation and follow-up are complete. The audit timeline preserves the full history.
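To make the clock and audit-trail behaviour described in this workflow concrete, here is an added example (not Ghost's code, and not its data model) that models a breach record with the discovery time, the 72-hour authority window the page cites, a severity change that refuses to proceed without a reason, and an audit timeline; the class, field and function names, and the sample incident, are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical breach record modelling the page's fields (not Ghost's code).
AUTHORITY_WINDOW = timedelta(hours=72)  # the GDPR example window cited above

@dataclass
class BreachRecord:
    title: str
    discovered_at: datetime
    severity: str = "unassessed"
    authority_notified_at: Optional[datetime] = None
    audit: list = field(default_factory=list)  # (timestamp, actor, event)

    def log(self, actor, event, at):
        self.audit.append((at, actor, event))

    def set_severity(self, band, reason, actor, at):
        # A severity change must carry a reason, as on the detail page.
        if not reason.strip():
            raise ValueError("a reason is required when changing severity")
        self.log(actor, f"severity {self.severity} -> {band}: {reason}", at)
        self.severity = band

    def authority_deadline(self):
        return self.discovered_at + AUTHORITY_WINDOW

    def hours_remaining(self, now):
        return (self.authority_deadline() - now) / timedelta(hours=1)

    def notify_authority(self, actor, at):
        self.authority_notified_at = at
        self.log(actor, "regulatory authority notified", at)

    def authority_status(self, now):
        # Once notified: on_time/late. Before that: open until the deadline, then overdue.
        if self.authority_notified_at is not None:
            return "on_time" if self.authority_notified_at <= self.authority_deadline() else "late"
        return "open" if now <= self.authority_deadline() else "overdue"

def example_timeline():
    # Constructed sample: discovered 09:00 UTC, severity set at +5h, authority notified at +70h.
    found = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord("Misdirected customer export", found)
    rec.log("a.lee", "breach logged", found)
    rec.set_severity("high", "special-category data involved", "a.lee", found + timedelta(hours=5))
    rec.notify_authority("a.lee", found + timedelta(hours=70))
    return {"deadline": rec.authority_deadline().isoformat(), "status": rec.authority_status(found + timedelta(hours=80)),
            "hours_left_at_48h": rec.hours_remaining(found + timedelta(hours=48)), "audit_events": len(rec.audit)}
```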

For an overview of all Compliance areas, see Compliance hub overview.

© 2026 Ghost. All rights reserved.