The Spanish Supervisory Authority (AEPD) published its guidelines on the management of personal data breaches under the GDPR. The guidelines further develop the data breach procedure with a practical approach in line with the NIS Directive and the Spanish National Security System (ENS), in particular with its guidelines on the "Management and Notification of Cyber Incidents" (CCN-STIC 817). The guidelines foresee three phases that may, under certain circumstances, overlap: (i) Phase I — preparation; detection and identification; (ii) Phase II — analysis and classification; response procedure; notification procedure; and (iii) Phase III — monitoring and closing. Another interesting point is that the Spanish Supervisory Authority has stated that, even where the data controller does not have all the required minimum information to submit in the event of a data breach, the notification still has to be made, and the remaining information must be submitted as soon as the data controller is able to do so.