When you identify a potential privacy breach, whom should you notify first?

The first step is to alert the person responsible for privacy governance—your privacy officer or supervisor. They oversee the organization’s privacy policies and incident response plan, so they’re equipped to assess the breach, contain the issue, and determine what reporting is required. They coordinate with IT, legal, compliance, and any necessary regulators or affected individuals, and they document the incident properly for audits and future preventive actions. Notifying them first ensures the breach is handled consistently, legally, and efficiently rather than ad hoc. While PR handles communications and IT can fix technical problems, neither is the right first point of contact for initiating the appropriate privacy response.