The conference call started at 6:15 AM on a Monday. Three CEOs, five legal teams, two data protection officers, and me—all scrambling because none of us had ever planned for this scenario.
A breach had occurred. Customer data was compromised. But here's where it got complicated: the data was jointly controlled by three separate companies operating across four EU member states. Who reports to the supervisory authority? Who notifies the data subjects? Who's liable for the fines? And most critically—who's responsible for containing the breach right now?
In my fifteen years managing cybersecurity incidents, I can tell you this with certainty: single-party breaches are stressful. Joint controller breaches are absolute chaos—unless you've prepared for them.
What I Learned at 6:15 AM: Joint Controllers Create Unique Nightmares
Let me paint the picture of what happened. A marketing technology platform (Company A) was working with a customer relationship management system (Company B) and an analytics provider (Company C). Together, they processed customer data for several major retailers across Europe.
The breach originated at Company C—a ransomware attack that encrypted their systems and exfiltrated approximately 340,000 customer records. But here's the problem: all three companies were joint controllers under GDPR Article 26.
When I asked, "Where's your joint controller agreement?", I was met with uncomfortable silence.
They had contracts. They had service agreements. They even had data processing addendums. But they'd never properly established who does what during a breach. And now, with the 72-hour notification clock ticking, we had to figure it out in real-time.
"Joint controller agreements are like prenuptial agreements—nobody wants to think about them when things are going well, but you'll desperately wish you had one when everything falls apart."
Understanding Joint Controllers: It's More Common Than You Think
Before we dive into breach management, let me clear up a massive misconception I encounter constantly: most companies involved in joint data processing don't realize they're joint controllers.
They think they have a simple controller-processor relationship. They're wrong.
The Joint Controller Reality Check
Under GDPR Article 26, you're joint controllers when two or more parties:
Jointly determine the purposes of processing
Jointly determine the means of processing
Share responsibility for compliance
Here's a real example from my consulting work in 2023:
A healthcare app partnered with a fitness tracking company. The app collected health metrics; the fitness company analyzed patterns. Both companies used the insights to improve their services. Both marketed to users based on combined data.
They considered themselves independent controllers. The Irish DPC disagreed—and issued a preliminary finding that they were joint controllers with inadequate arrangements. The investigation is still ongoing, but they're looking at potential fines up to €10 million.
Common Joint Controller Scenarios
Scenario | Why It's Joint Control | Common Misconception |
|---|---|---|
Co-branded loyalty programs | Both parties decide what data to collect and how to use it for marketing | "We're separate controllers with overlapping customers" |
Marketing partnerships with shared customer databases | Joint decisions on targeting, messaging, and data retention | "One party is the processor for the other" |
Research collaborations sharing participant data | Collaborative determination of research purposes and methods | "We each control our own portion of the study" |
Platform + Plugin/Integration partnerships | Both determine what data flows and how it's used | "The platform is the controller; we just provide a service" |
White-label service arrangements with data sharing | Joint decisions on customer experience and data utilization | "The white-label provider is just our processor" |
Cross-company analytics projects | Collaborative analysis purposes and methodology decisions | "We're independent controllers using shared insights" |
In my experience, about 40% of companies operating under controller-processor agreements are actually in joint controller relationships without proper documentation.
The 72-Hour Nightmare: What Actually Happens During a Joint Controller Breach
Let me walk you through what that Monday morning escalated into, because this is exactly what you're trying to avoid:
Hour 0-4: Discovery and Confusion
Company C's security team detected the ransomware at 4:30 AM GMT. By 6:15 AM, they'd confirmed data exfiltration. Here's where the problems started:
The Initial Questions Nobody Could Answer:
Do we each have 72 hours from our own discovery, or does the clock start when the first party discovered it?
Who contacts the lead supervisory authority?
Do we need to notify all relevant supervisory authorities in each member state?
Can one party report on behalf of all, or must each report independently?
Who notifies the affected data subjects?
What if we disagree on the severity assessment?
We spent four hours just trying to figure out who should be on the call.
Hour 4-12: The Legal Scramble
By 10:00 AM, we had seven lawyers from three firms arguing about liability allocation. The joint controller agreement... didn't exist. The contracts between the companies had boilerplate indemnification clauses that directly contradicted each other.
Company A's counsel argued they weren't liable because the breach originated at Company C.
Company C's counsel argued they were just providing a service and shouldn't bear full responsibility.
Company B's counsel argued they weren't even properly informed about security measures at Company C.
Meanwhile, the clock kept ticking.
"In a joint controller breach, every hour spent arguing about responsibility is an hour you're not spending on response. And the supervisory authorities will notice."
Hour 12-24: The Coordination Breakdown
By evening, we had three separate incident response teams working with minimal coordination:
Company C focused on containment and forensics
Company A started drafting a supervisory authority notification
Company B began preparing customer notifications
Nobody was coordinating. The notifications had different severity assessments. The timelines didn't match. The technical details contradicted each other.
At 11:47 PM, Company A's DPO called me: "If we submit three different breach notifications to the same supervisory authority with conflicting information, what happens?"
I told him the truth: "Nothing good."
Hour 24-72: The Regulatory Race
We eventually got everyone aligned—barely. We submitted a coordinated notification to the lead supervisory authority at hour 68. We made the deadline. Just.
But the damage was done. The fragmented response, the conflicting initial statements, the lack of clear accountability—all of it went into the case file.
The investigation lasted 14 months. The combined fines exceeded €4.2 million. But the reputational damage and customer churn cost significantly more.
The Joint Controller Incident Response Framework That Actually Works
After managing six joint controller breaches over the past four years, I've developed a framework that I now mandate for every client engaged in joint processing. Here's what actually works:
Phase 1: Pre-Incident Preparation (Do This Before Anything Happens)
1. Document Your Joint Controller Arrangement Properly
Your Article 26 arrangement must specify:
Critical Element | What It Must Include | Common Mistake to Avoid |
|---|---|---|
Contact Points | Named individuals with 24/7 contact details for each party | Generic email addresses or role-based contacts |
Incident Notification Timeline | Maximum time each party has to notify the others (I recommend 2 hours) | Vague language like "promptly" or "reasonable time" |
Breach Assessment Authority | Who makes the final call on severity and notification requirements | Assuming it will be decided "collaboratively" |
Technical Coordination | Which party leads containment, forensics, and recovery | Each party assuming they'll handle their own systems |
Communication Authority | Who speaks to supervisory authorities, media, and data subjects | Assuming everyone can communicate independently |
Cost Allocation | How incident response costs and potential fines are split | Ignoring it completely or using vague "proportional" language |
Legal Privilege | How to maintain attorney-client privilege across parties | Assuming joint privilege automatically exists |
2. Create a Joint Incident Response Plan
I use this template structure with all my clients:
Detection and Initial Response (0-2 Hours)
Party discovering the breach notifies all other joint controllers within 2 hours
Each party assigns an incident commander
Joint incident response team convenes (virtually) within 4 hours
Single "Primary Coordinator" takes charge (rotate this role quarterly)
Assessment and Containment (2-12 Hours)
Technical teams share findings in real-time through shared incident platform
Joint assessment of scope, severity, and notification requirements
Coordinated containment actions (not parallel independent actions)
Regular updates to all parties every 2 hours minimum
Notification Decision (12-48 Hours)
Legal teams jointly assess notification obligations
Single point of contact designated for supervisory authority
Coordinated notification strategy for data subjects
Pre-approved communication templates customized for incident
Post-Incident (72+ Hours)
Joint lessons learned session within 5 business days
Coordinated response to supervisory authority inquiries
Shared forensics reports and remediation plans
Update joint controller agreement based on learnings
3. Conduct Joint Tabletop Exercises
Here's something I insist on: test your joint incident response plan at least twice yearly.
I facilitated a tabletop exercise for a retail partnership in early 2024. Within the first 20 minutes of the simulated breach scenario, we discovered:
The emergency contact list had four outdated phone numbers
Two companies' incident response platforms couldn't share data securely
The designated legal liaison had left one company three months prior
Nobody had actually read the joint controller agreement in 18 months
The cost allocation formula didn't account for multi-party fines
We fixed all of this during the exercise. Three months later, they had a real incident. Because we'd practiced, they executed flawlessly—notification submitted in 44 hours, coordinated data subject communication, zero conflicting statements.
The supervisory authority actually complimented their coordinated response in the case file.
Phase 2: Real-Time Incident Management (When the Breach Happens)
When you get the call that a breach has occurred, here's the exact sequence I follow:
Immediate Actions Checklist (First 60 Minutes)
☐ Discovering party notifies all joint controllers (Target: 30 minutes)
☐ Primary Coordinator confirms receipt and activates response plan
☐ All parties join incident response bridge/platform
☐ Initial situation briefing from discovering party
☐ Assign roles: Technical Lead, Legal Lead, Communication Lead, DPO Lead
☐ Establish communication cadence (I recommend every 2 hours minimum)
☐ Begin preliminary scope assessment
☐ Legal teams review notification triggers
☐ IT teams begin containment coordination
The Coordination Platform You Actually Need
Forget email. Forget phone calls. You need a real-time collaboration platform with:
Secure document sharing: Forensics reports, logs, evidence
Audit trail: Who said what, when
Legal privilege protection: Separate channels for legal strategy
Real-time updates: Technical teams can update status without meetings
Timeline tracking: Automatic 72-hour countdown with milestones
I've used several platforms. The best ones integrate with each party's existing incident response tools while maintaining a unified view.
Phase 3: Supervisory Authority Notification (The Critical 72 Hours)
This is where most joint controllers fail. Here's how to get it right:
Single vs. Multiple Notifications: The Decision Matrix
Scenario | Recommended Approach | Rationale |
|---|---|---|
All joint controllers in same EU member state | Single joint notification from agreed lead party | Reduces confusion, shows coordination |
Joint controllers in different member states, single lead authority | Single notification to lead authority, with all parties identified | GDPR one-stop-shop mechanism applies |
Different lead authorities for different controllers | Coordinated separate notifications with identical core facts | Required by regulation, but content must align |
Disagreement on breach severity | Emergency escalation to independent legal counsel, then majority rules | Cannot delay notification due to internal disputes |
One party refuses to participate | Other parties notify with documentation of attempts to coordinate | Protects compliant parties from non-compliant partner |
The Joint Notification Template I Actually Use
After writing dozens of these, here's the structure that works:
Section 1: Joint Controller Declaration
This notification is submitted on behalf of [Company A], [Company B], and
[Company C], operating as joint controllers under GDPR Article 26 for
[specific processing activities]. Section 2: Incident Discovery Timeline
[Specific date/time]: Initial detection by [Party Name]
[Specific date/time]: Notification to all joint controllers
[Specific date/time]: Joint assessment completed
[Specific date/time]: Notification decision made
Section 3: Nature of the Breach
What happened (unified technical assessment)
Which joint controller's systems were affected
What data was compromised
How many data subjects affected
Section 4: Coordinated Response Actions
Containment measures by each party
Joint investigation approach
Coordinated remediation plan
Section 5: Joint Controller Responsibilities
How notification responsibilities are divided
Who is notifying affected data subjects
How costs and remediation are allocated
Phase 4: Data Subject Notification (Getting the Message Right)
Here's a mistake I see constantly: each joint controller sends separate notifications with different tone, different details, and different remediation offers.
Data subjects get confused. Media picks up on inconsistencies. Supervisory authorities take note.
The Unified Communication Approach
I recommend this structure:
Option A: Single Joint Communication (Preferred when possible)
Subject: Important Security Notice from [Company A], [Company B], and [Company C]Option B: Coordinated Separate Communications
When you must send separate notifications, create a coordination matrix:
Element | Must Be Identical | Can Be Customized |
|---|---|---|
Date and time of incident | ✓ | ✗ |
Number of affected data subjects | ✓ | ✗ |
Categories of data compromised | ✓ | ✗ |
Description of incident | ✓ | ✗ |
Assessment of risk to individuals | ✓ | ✗ |
Tone and severity level | ✓ | ✗ |
Specific remediation offered | ✗ | ✓ |
Company-specific contact details | ✗ | ✓ |
Company-specific next steps | ✗ | ✓ |
Real Example: The Right Way
A payment processing partnership I advised had a breach in late 2023. Three joint controllers, 89,000 affected individuals across 6 EU countries.
They sent a unified email notification from a joint communications address. The email clearly identified all three companies and their respective roles. It provided consistent facts about the incident. It offered coordinated remediation (credit monitoring from Company A, fraud insurance from Company B, account security review from Company C).
Data subjects received one email with clear information and coordinated support. The supervisory authority noted the "exemplary coordination" in their case file. Media coverage was minimal because there were no conflicting narratives.
Contrast this with a different case where three joint controllers each sent separate notifications on different days with different severity assessments. The media had a field day. The supervisory authority investigation expanded to include "inadequate coordination" as a separate compliance failure.
The Liability Question: Who Actually Pays?
This is what keeps general counsels up at night. When supervisory authorities issue fines for joint controller breaches, how is liability allocated?
What GDPR Actually Says (And Doesn't Say)
Article 82(4) states that joint controllers are jointly and severally liable for damages. This means:
Data subjects can sue any or all joint controllers for full damages
Supervisory authorities can fine any or all joint controllers
Each joint controller is potentially liable for the full amount
Controllers can seek contribution from each other afterward
But here's the nuance most miss: supervisory authorities consider the degree of responsibility when setting fine amounts.
The Allocation Framework I Use
In every joint controller agreement I draft, I include this allocation matrix:
Liability Factor | Weight | Assessment Criteria |
|---|---|---|
Origin of Breach | 40% | Which party's systems/processes were compromised |
Preventive Measures | 25% | Relative security maturity and investment of each party |
Response Quality | 20% | Quality and speed of each party's incident response |
Notification Compliance | 10% | Adherence to notification obligations |
Remediation Investment | 5% | Contribution to fixing the problem |
Example Calculation:
Let's say total fines and costs equal €5 million:
Company A (Payment Processor):
Origin: Breach was at Company C (0% of 40% = 0%)
Prevention: Strong security program (10% of 25% = 2.5%)
Response: Led coordination efforts (5% of 20% = 1%)
Notification: Submitted on time (3% of 10% = 0.3%)
Remediation: Funded forensics (2% of 5% = 0.1%)
Total Responsibility: 3.9%
Allocation: €195,000
Company B (Analytics Provider):
Origin: Breach was at Company C (0% of 40% = 0%)
Prevention: Adequate security (15% of 25% = 3.75%)
Response: Good coordination (10% of 20% = 2%)
Notification: Supported submission (4% of 10% = 0.4%)
Remediation: Provided technical support (2% of 5% = 0.1%)
Total Responsibility: 6.25%
Allocation: €312,500
Company C (Marketing Platform - Origin):
Origin: Breach originated here (40% of 40% = 16%)
Prevention: Inadequate security (0% of 25% = 0%)
Response: Delayed initial notification (5% of 20% = 1%)
Notification: Required coordination to comply (3% of 10% = 0.3%)
Remediation: Led technical remediation (1% of 5% = 0.05%)
Total Responsibility: 17.35%
Allocation: €867,500
Remaining amount (€3,624,000 or 72.5%) would be allocated jointly based on relative revenue, data volumes, or other pre-agreed factors.
The Insurance Complication
Here's something that shocked me when I first encountered it: most cyber insurance policies don't clearly cover joint controller liability.
I reviewed the insurance policies for a joint controller partnership in 2022. All three companies had cyber insurance. None of the policies explicitly addressed:
Whether joint controller fines are covered
How coverage applies when breach originates at a different joint controller
Whether defense costs for multi-party investigations are included
How contribution claims between joint controllers are handled
We had to get special endorsements added to all three policies. Cost about €140,000 total, but it prevented a €2.3 million coverage dispute after a subsequent breach.
"Cyber insurance for joint controllers is like group health insurance—you need to explicitly document who's covered for what, or you'll discover the gaps at the worst possible moment."
Common Joint Controller Breach Scenarios and How to Handle Them
Let me walk through the specific situations I've encountered most frequently:
Scenario 1: The Breach Originates at Your Partner
What Usually Happens:
You discover your data was compromised through your joint controller partner's breach
You weren't directly attacked, but your shared data is affected
Your partner is scrambling and communication is poor
What You Should Do:
Immediate (0-4 hours):
Activate your incident response plan, even though it's not "your" breach
Demand immediate detailed briefing from your partner
Independently assess what data of yours is affected
Begin your own forensics of any interconnected systems
Prepare for potential supervisory authority notification regardless of partner's plan
Critical (4-24 hours):
Don't assume your partner will handle notification correctly
Review your joint controller agreement—you may have independent obligations
Coordinate notification strategy, but prepare to act independently if needed
Document all communications with your partner (this protects you later)
Notify your cyber insurance carrier immediately
Real Example: A CRM provider I advised had data compromised through their analytics partner's breach. The analytics company insisted they'd "handle everything." My client wisely prepared their own notification. Good thing—the partner missed the 72-hour deadline. My client submitted their own notification at hour 68, avoiding complicity in their partner's violation.
Scenario 2: One Joint Controller Goes Silent
What Usually Happens:
You detect a breach and notify your joint controller partners
One partner stops responding to communications
The 72-hour clock is ticking
What You Should Do:
Create an escalation protocol in advance:
Timeframe | Action |
|---|---|
+2 hours no response | Contact secondary/alternate contact person |
+4 hours no response | Escalate to executive leadership at non-responsive party |
+6 hours no response | Contact board members if available |
+8 hours no response | Engage legal counsel and document all contact attempts |
+12 hours no response | Proceed with notification without non-responsive party, documenting their non-cooperation in submission |
Real Example: In 2023, I managed a breach where one of three joint controllers simply stopped responding 14 hours after initial notification. We later discovered their CEO had decided to "let legal handle it" and their legal team was trying to make the problem go away by ignoring it.
We documented every attempted contact. We proceeded with notification from the two responsive parties, explicitly noting the third party's non-cooperation in our submission.
The supervisory authority investigation ultimately focused heavily on the non-responsive party. They received a fine approximately 3x larger than the responsive parties.
Scenario 3: Disagreement on Breach Severity
What Usually Happens:
One joint controller thinks it's a minor incident requiring no notification
Another controller thinks it's a major breach requiring immediate notification
Legal teams are arguing while the clock ticks
What You Should Do:
Include this tie-breaker in your joint controller agreement:
In case of disagreement on notification requirements:
1. Engage independent legal counsel within 4 hours
2. Independent counsel reviews facts and provides binding opinion
3. If not resolved within 12 hours, default to HIGHER severity assessment
4. Rationale: Better to over-notify than under-notify
Why This Matters:
A financial services partnership I advised had this exact situation. One party thought a database exposure of 12,000 records was "technical, not actual access"—no notification needed.
The other party thought it met the notification threshold.
They argued for 8 hours.
I stopped the argument: "Here's the reality—if you don't notify and the supervisory authority later determines you should have, you're looking at fines for both the breach AND the failure to notify. If you notify unnecessarily, the worst case is some embarrassment. Which risk do you prefer?"
They notified. The supervisory authority later confirmed it absolutely met the notification threshold. That 8-hour argument could have cost them millions in additional fines.
Scenario 4: Cross-Border Complexity
What Usually Happens:
Joint controllers operating across multiple EU member states
Different lead supervisory authorities for different controllers
Confusion about one-stop-shop mechanism
What You Should Do:
Map this out in advance:
Joint Controller | Main Establishment | Lead Supervisory Authority | Other Relevant Authorities |
|---|---|---|---|
Company A | Ireland | Irish DPC | German, French authorities (branch offices) |
Company B | Germany | German authority | None |
Company C | France | French CNIL | Belgian authority (processing facility) |
Notification Strategy:
If breach affects processing with single lead authority: Submit to that authority
If multiple lead authorities involved: Coordinate identical notifications to each
Always copy concerned supervisory authorities in member states where data subjects reside
Use one-stop-shop mechanism where applicable, but don't assume it always applies
Real Case: A marketing partnership across Ireland, Germany, and Netherlands had a breach. They assumed Ireland (Company A's lead authority) would handle everything via one-stop-shop.
Wrong. Because each controller had different main establishments, they needed coordinated notifications to Irish DPC, German authority, and Dutch AP. They figured this out at hour 58. The scramble to prepare three coordinated but separate notifications was intense.
We made the deadline, but it taught them to map this out in advance.
The Post-Incident Reality: What Happens Next
Even after you submit notifications and communicate with data subjects, the joint controller breach journey is far from over. Here's what you need to prepare for:
The Supervisory Authority Investigation
Expect different dynamics than single-controller investigations:
Week 1-4: Initial Information Requests
Expect coordinated requests sent to all joint controllers
Supervisory authorities will compare your responses for consistency
Any contradictions will trigger deeper investigation
Month 2-6: Detailed Assessment
On-site inspections at multiple joint controller facilities
Interviews with personnel from all organizations
Forensics review across all systems
Month 6-18: Determination and Settlement
Preliminary findings shared with all controllers
Opportunity for coordinated response
Settlement negotiations (complex with multiple parties)
Cost Realities You Need to Know
Based on six joint controller breach investigations I've been involved with, here are real numbers:
Cost Category | Single Controller Breach | Joint Controller Breach (3 parties) | Multiplier |
|---|---|---|---|
Initial forensics and containment | €180,000 | €520,000 | 2.9x |
Legal fees (through investigation) | €240,000 | €890,000 | 3.7x |
Notification costs | €85,000 | €125,000 | 1.5x |
Remediation and security improvements | €320,000 | €740,000 | 2.3x |
Supervisory authority fines | €1,200,000 | €3,800,000 | 3.2x |
Ongoing compliance monitoring | €60,000/year | €180,000/year | 3.0x |
Total Cost (3 years) | €2,205,000 | €6,615,000 | 3.0x |
The joint controller multiplier is real. Coordination overhead, duplicated efforts, and complexity all drive up costs significantly.
Lessons from the Trenches: What I Tell Every Client
After managing these nightmares for years, here's my hard-won wisdom:
1. Your Joint Controller Agreement Is Your Lifeline
I've never—not once—seen a joint controller breach go smoothly without a detailed Article 26 agreement in place beforehand.
The agreement must be:
Specific: Not "parties will coordinate" but "Party A will notify within 2 hours using [specific method]"
Tested: Run through scenarios annually
Updated: Review after every industry breach, regulatory guidance, or business change
Accessible: Everyone who might need it during a 2 AM breach can find it immediately
2. Practice Before You Need It
The tabletop exercises I run aren't academic. They're designed to break things in a safe environment:
I deliberately create miscommunication scenarios
I simulate unresponsive parties
I introduce conflicting legal advice
I create time pressure
Every single time, we discover problems that would have been catastrophic in a real breach.
3. Invest in the Coordination Platform Now
Trying to coordinate a multi-party breach response via email and phone calls is like performing surgery with a butter knife. It technically might work, but why would you?
Invest €20,000-50,000 in proper incident coordination technology. It will save you millions when you need it.
4. Have the Uncomfortable Conversations Early
Nobody wants to discuss:
"What if the breach is your fault?"
"What if we disagree on severity?"
"What if one of us goes bankrupt during the investigation?"
"What if our insurance carriers fight about coverage?"
Have these conversations anyway. Put the answers in your agreement. Future you will be grateful.
Your Action Plan: Starting Today
If you're currently operating as a joint controller:
This Week:
[ ] Pull out your joint controller agreement (if you have one)
[ ] Check if it covers incident response in detail
[ ] Identify all parties who would need to be involved in breach response
[ ] Verify contact information is current
This Month:
[ ] Schedule a joint incident response planning session with all controllers
[ ] Draft or update detailed incident response procedures
[ ] Select and implement incident coordination technology
[ ] Review cyber insurance coverage for joint controller scenarios
This Quarter:
[ ] Conduct first joint tabletop exercise
[ ] Finalize and execute enhanced Article 26 agreement
[ ] Train relevant personnel at all controller organizations
[ ] Establish regular coordination and testing schedule
Ongoing:
[ ] Quarterly contact list verification
[ ] Semi-annual tabletop exercises
[ ] Annual agreement review and update
[ ] Continuous monitoring of regulatory guidance
Final Thoughts: The 6:15 AM Call You Want to Be Ready For
Remember that conference call I started this article with? Three CEOs, five legal teams, complete chaos?
I managed a similar scenario six months ago with a different set of joint controllers. Same type of breach. Similar data volume. Same tight timeline.
The difference? This group had prepared.
The call started at 6:15 AM. By 6:45 AM, we had:
Situation briefed to all parties
Roles assigned
Containment coordinated
Legal assessment underway
Notification strategy drafted
By hour 48, we submitted a coordinated notification that the supervisory authority later described as "exemplary in its clarity and coordination."
The investigation was straightforward. The fines were minimal. The customer impact was managed. The partnership survived and even strengthened.
The only difference between chaos and coordination is preparation.
"You can't prevent every breach. But you can absolutely prevent the chaos, confusion, and catastrophic costs that come from poor multi-party incident management. The choice is yours—and you need to make it before 6:15 AM on that Monday morning."
Joint controller relationships create value through collaboration. Don't let poor incident planning destroy that value when things go wrong.
Because in GDPR compliance, it's not whether you'll face a breach. It's whether you'll face it together—with a plan—or in chaos.