In This Article
- GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a qualifying personal data breach.
- Not all breaches require notification — only those likely to result in a risk to individuals' rights and freedoms.
- High-risk breaches also require direct notification to affected individuals without undue delay.
- Failure to notify is a separate violation carrying fines of up to EUR 10 million or 2% of global turnover.
- Organizations must document all breaches regardless of whether notification is required (Article 33(5)).
Breach Notification Overview
GDPR Articles 33 and 34 establish mandatory breach notification requirements. When a personal data breach occurs, controllers must act swiftly - notifying the supervisory authority within 72 hours and, in high-risk cases, notifying affected individuals without undue delay.
The 72-hour notification window starts from when you become "aware" of a breach - not when the breach occurred. Awareness means having a reasonable degree of certainty that a security incident has compromised personal data.
What Constitutes a Personal Data Breach
GDPR Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." Note that the definition covers loss and destruction, not only disclosure: a security incident with no attacker involved can still be a notifiable breach.
Three Types of Breaches
The Article 29 Working Party guidelines on breach notification (WP250, since endorsed by the EDPB) group breaches into three categories. A single incident can fall into more than one.
Confidentiality Breach
Unauthorised or accidental disclosure of, or access to, personal data.
- Hacker gains access to customer database
- Email sent to wrong recipient containing personal data
- Lost or stolen laptop with unencrypted data
- Employee accesses records without authorisation
Integrity Breach
Unauthorised or accidental alteration of personal data.
- Malicious modification of records
- Accidental data corruption
- Records that can no longer be trusted to be accurate after an intrusion
Availability Breach
Accidental or unauthorised loss of access to, or destruction of, personal data.
- Ransomware encrypting personal data (primarily an availability breach; also a confidentiality breach if the data was exfiltrated)
- Permanent loss of data without backup
- Power outage causing data loss
- Accidental deletion of records
- DDoS attack preventing access to systems
The 72-Hour Rule Explained
Controllers must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware" of a breach likely to result in a risk to individuals' rights and freedoms.
When Does "Awareness" Start?
You are considered "aware" when you have a reasonable degree of certainty that a security incident has compromised personal data. This is typically when:
- Initial investigation confirms personal data was affected
- Security team verifies the incident involved personal data
- Evidence clearly indicates data compromise (even if full scope unknown)
Awareness does not require complete certainty about the breach scope. If you reasonably believe personal data has been compromised, the clock starts.
What If 72 Hours Is Not Enough?
The GDPR recognises that complete information may not always be available within 72 hours. Article 33(4) allows the information to be provided in phases "without undue further delay", and Article 33(1) requires that a late notification be accompanied by the reasons for the delay. You should:
- Notify within 72 hours with available information
- Provide reasons for any delay
- Submit additional information in phases as it becomes available
- Document why the delay was unavoidable
When to Notify the Supervisory Authority
Not every breach requires notification. You must notify when the breach is "likely to result in a risk to the rights and freedoms of natural persons."
Risk Assessment Factors
| Factor | Higher Risk | Lower Risk |
|---|---|---|
| Data type | Special category, financial, ID numbers | Basic contact information only |
| Volume | Large number of individuals affected | Very limited records |
| Identifiability | Easily identifiable individuals | Pseudonymised or encrypted data |
| Severity of consequences | Could cause damage, distress, discrimination | Minimal practical impact |
| Vulnerable individuals | Children, patients, employees | General public |
When Notification May Not Be Required
Notification is not required when the breach is "unlikely to result in a risk." Examples:
- Encrypted device lost, and encryption is strong with no key compromise (if there is no backup of the data, the loss is still an availability breach and may need notifying)
- Immediate recovery before any access (e.g., a misdirected email confirmed deleted unread by the recipient, or recalled within your own mail system before it was opened)
- Data rendered unintelligible to unauthorised parties
- Breach limited to data already publicly available
Even if you decide not to notify, you must document the breach, your reasoning, and the justification for not notifying. Regulators can audit these records.
What to Include in DPA Notification
Article 33(3) specifies the minimum content for supervisory authority notification:
Required Information
- Nature of the breach: Description including categories and approximate numbers of individuals and records affected
- DPO contact: Name and contact details of DPO or other contact point
- Likely consequences: Description of likely consequences of the breach
- Measures taken: Description of measures taken or proposed to address the breach, including mitigation
Practical Notification Template
Most supervisory authorities provide online notification forms. Ensure you capture:
- When the breach occurred and when you became aware
- How the breach happened (if known)
- What data was affected
- How many individuals affected (or estimate)
- What you have done to contain the breach
- What you plan to do to prevent recurrence
- Whether you are notifying individuals
Notifying Affected Individuals
When a breach is "likely to result in a high risk to the rights and freedoms" of individuals, you must also notify them directly - not just the supervisory authority.
When Individual Notification Is Required
The threshold is higher than DPA notification: "high risk" rather than just "risk." Consider:
- Significant potential for identity theft or fraud
- Sensitive data (health, financial, legal) exposed
- Clear potential for discrimination or reputational damage
- Risk of physical harm
What to Tell Individuals
The communication must:
- Use clear, plain language
- Describe the nature of the breach
- Provide DPO or contact point details
- Explain likely consequences
- Describe measures taken and what individuals can do to protect themselves
Exemptions from Individual Notification
You may not need to notify individuals if:
- Data was encrypted and encryption key not compromised
- Subsequent measures ensure high risk no longer likely to materialise
- Individual notification would require disproportionate effort (use public communication instead)
Processor Obligations
If you are a data processor, your obligations differ:
Processor Breach Responsibilities
- Notify the controller "without undue delay" after becoming aware
- No direct notification to supervisory authority (that is the controller's duty)
- Provide all information necessary for controller to fulfil notification obligations
- Assist controller with breach response as per contract terms
Processor agreements should specify breach notification timeframes. Many controllers require faster notification than "without undue delay" - commonly 24 or 48 hours.
Breach Response Checklist
Use this checklist when a potential breach is identified:
Immediate Actions (Hour 0-4)
- Contain the breach (stop ongoing access, isolate systems) without destroying the evidence you will need to establish scope
- Preserve evidence (logs, screenshots, forensic images) before any affected system is wiped or rebuilt
- Assemble incident response team
- Begin initial assessment of scope and impact
- Document the time you became "aware"
Assessment Phase (Hour 4-24)
- Determine what personal data was affected
- Estimate number of individuals affected
- Assess risk to individuals' rights and freedoms
- Identify the applicable supervisory authority (for cross-border processing, the lead authority where your main establishment is located, per Article 56)
- Prepare initial notification content
Notification Phase (Hour 24-72)
- Submit notification to supervisory authority (if required)
- Determine if individual notification required
- Draft individual notification communications
- Coordinate with legal, PR, and customer service
Post-Notification Actions
- Continue investigation and provide updates to DPA
- Send individual notifications
- Implement remediation measures
- Conduct root cause analysis
- Update security measures to prevent recurrence
- Complete breach register documentation
Documentation Requirements
Maintain records of all breaches, including:
- Facts surrounding the breach
- Effects and consequences
- Remedial actions taken
- Reasoning for notification decisions
- Timeline of events and responses
Frequently Asked Questions
When does the 72-hour clock start?
The 72-hour clock starts from when the organisation becomes "aware" of the breach — not from when the breach occurred. Awareness means having a reasonable degree of certainty that a security incident has compromised personal data.
Do all breaches need to be reported to the authority?
No, only breaches that are likely to result in a risk to individuals' rights and freedoms must be notified to the supervisory authority. However, all breaches — whether notified or not — must be documented internally in a breach register as required by Article 33(5).
What information must the notification contain?
The notification must include the nature of the breach (categories and approximate numbers affected), the DPO or contact point details, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.
What happens if we miss the 72-hour deadline?
If the 72-hour deadline is missed, the notification must include reasons for the delay. Failure to notify is itself a separate violation under GDPR, carrying potential fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher.
When must individuals be notified of a data breach?
Individuals must be notified without undue delay when the breach is likely to result in a HIGH risk to their rights and freedoms. This is a higher threshold than DPA notification. Exemptions apply if data was encrypted, subsequent measures eliminated the risk, or individual notification would require disproportionate effort.