How do we communicate a data breach to customers?
Customer communication about a breach is not marketing: it is facts, impact, and what the customer can do. Communicating too early with loose details damages trust, and so does communicating too late. Aim to send within 72 hours of confirming the breach, and only where GDPR art. 34 actually requires notifying the affected people.
Try this first
1. Collect the facts before sending anything: which data, how many people, since when, how it was detected, and what has already been done. Never send an email that has to be retracted later.
2. Write in three blocks: what happened (one paragraph, no excuses), which data is involved (concrete, no 'possibly'), and what we are doing and what you can do (change your password, watch your transactions, call the hotline).
3. Send through a channel customers recognise: email from your known sender address, not from a communications agency. For large groups use a separate bulk-mail sender, otherwise the mass send damages the SPF/DMARC alignment and sender reputation of your main domain and your own day-to-day mail ends up in spam.
4. Put a simple FAQ page online on your own domain with the same information. Do not lock it behind a form. Link to it from the mail.
5. Plan the second mail. Three to ten days later, send an update: what was learned, what was fixed. Customers value that more than the first apology mail.
When to bring us in
If sensitive categories are involved (medical, financial, children's data) or the group is large, involve a specialist communications lawyer for the text. The data protection authority also reads the customer mail, and language that downplays gets noticed.
See also
- I think I clicked a phishing link: No shame, it happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely: Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes: Classic problem after a phone upgrade. You are not the first to be locked out.