Breach Notification Overview

GDPR Articles 33 and 34 establish mandatory breach notification requirements. When a personal data breach occurs, controllers must act swiftly - notifying the supervisory authority within 72 hours and, in high-risk cases, notifying affected individuals without undue delay.

The 72-Hour Clock

The 72-hour notification window starts from when you become "aware" of a breach - not when the breach occurred. Awareness means having a reasonable degree of certainty that a security incident has compromised personal data.

What Constitutes a Personal Data Breach

GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

Three Types of Breaches

Confidentiality Breach

Unauthorised or accidental disclosure of, or access to, personal data.

  • Hacker gains access to customer database
  • Email sent to wrong recipient containing personal data
  • Lost or stolen laptop with unencrypted data
  • Employee accesses records without authorisation

Integrity Breach

Unauthorised or accidental alteration of personal data.

  • Ransomware encrypting personal data
  • Malicious modification of records
  • Accidental data corruption

Availability Breach

Accidental or unauthorised loss of access to, or destruction of, personal data.

  • Permanent loss of data without backup
  • Power outage causing data loss
  • Accidental deletion of records
  • DDoS attack preventing access to systems

The 72-Hour Rule Explained

Controllers must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware" of a breach likely to result in a risk to individuals' rights and freedoms.

When Does "Awareness" Start?

You are considered "aware" when you have a reasonable degree of certainty that a security incident has compromised personal data. This is typically when:

  • Initial investigation confirms personal data was affected
  • Security team verifies the incident involved personal data
  • Evidence clearly indicates data compromise (even if full scope unknown)

Awareness does not require complete certainty about the breach scope. If you reasonably believe personal data has been compromised, the clock starts.

What If 72 Hours Is Not Enough?

The GDPR recognises that complete information may not always be available within 72 hours. You should:

  • Notify within 72 hours with available information
  • Provide reasons for any delay
  • Submit additional information in phases as it becomes available
  • Document why the delay was unavoidable

When to Notify the Supervisory Authority

Not every breach requires notification. You must notify when the breach is "likely to result in a risk to the rights and freedoms of natural persons."

Risk Assessment Factors

Factor                    | Higher Risk                                   | Lower Risk
Data type                 | Special category, financial, ID numbers       | Basic contact information only
Volume                    | Large number of individuals affected          | Very limited records
Identifiability           | Easily identifiable individuals               | Pseudonymised or encrypted data
Severity of consequences  | Could cause damage, distress, discrimination  | Minimal practical impact
Vulnerable individuals    | Children, patients, employees                 | General public

When Notification May Not Be Required

Notification is not required when the breach is "unlikely to result in a risk." Examples:

  • Encrypted device lost, and encryption is strong with no key compromise
  • Immediate recovery before any access (e.g., email recalled successfully)
  • Data rendered unintelligible to unauthorised parties
  • Breach limited to data already publicly available

Even if you decide not to notify, you must document the breach, your reasoning, and the justification for not notifying. Regulators can audit these records.

What to Include in DPA Notification

Article 33(3) specifies the minimum content for supervisory authority notification:

Required Information

  • Nature of the breach: Description including categories and approximate numbers of individuals and records affected
  • DPO contact: Name and contact details of DPO or other contact point
  • Likely consequences: Description of likely consequences of the breach
  • Measures taken: Description of measures taken or proposed to address the breach, including mitigation

Practical Notification Template

Most supervisory authorities provide online notification forms. Ensure you capture:

  • When the breach occurred and when you became aware
  • How the breach happened (if known)
  • What data was affected
  • How many individuals affected (or estimate)
  • What you have done to contain the breach
  • What you plan to do to prevent recurrence
  • Whether you are notifying individuals

Notifying Affected Individuals

When a breach is "likely to result in a high risk to the rights and freedoms" of individuals, you must also notify them directly - not just the supervisory authority.

When Individual Notification Is Required

The threshold is higher than DPA notification: "high risk" rather than just "risk." Consider:

  • Significant potential for identity theft or fraud
  • Sensitive data (health, financial, legal) exposed
  • Clear potential for discrimination or reputational damage
  • Risk of physical harm

What to Tell Individuals

The communication must:

  • Use clear, plain language
  • Describe the nature of the breach
  • Provide DPO or contact point details
  • Explain likely consequences
  • Describe measures taken and what individuals can do to protect themselves

Exemptions from Individual Notification

You may not need to notify individuals if:

  • Data was encrypted and encryption key not compromised
  • Subsequent measures ensure high risk no longer likely to materialise
  • Individual notification would require disproportionate effort (use public communication instead)
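The 72-hour clock, the risk assessment factors, and the two exemption lists above describe one decision procedure: fix the moment of awareness, compute the supervisory-authority deadline from it, grade the risk, and record the reasoning whether or not you notify. The following Python is an added example of that procedure as a breach-register helper; it is not code from the original page. The field names, the category labels, the 1,000-record volume threshold and the rule mapping factors onto the three tiers ("unlikely", "risk", "high risk") are assumptions chosen for illustration, and the breach records at the bottom are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Article 33(1): notify the supervisory authority not later than 72 hours
# after becoming aware of the breach (the clock runs from awareness).
NOTIFICATION_WINDOW = timedelta(hours=72)

# Category labels the risk table treats as higher risk (assumed labels).
HIGHER_RISK_CATEGORIES = {"special_category", "health", "financial", "legal", "id_number"}

# Volume threshold is an illustrative assumption, not a GDPR figure.
LARGE_VOLUME = 1000


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"      # document only
    RISK = "likely to result in a risk"            # notify the DPA
    HIGH_RISK = "likely to result in a high risk"  # notify the DPA and individuals


@dataclass
class BreachRecord:
    """One breach-register entry (field names are assumptions for this example)."""
    reference: str
    aware_at: datetime                 # moment of "awareness", not of occurrence
    data_categories: set
    individuals_affected: int
    easily_identifiable: bool = True
    vulnerable_individuals: bool = False
    encrypted_key_not_compromised: bool = False
    recovered_before_access: bool = False
    decisions: list = field(default_factory=list)   # reasoning kept for audit

    def dpa_deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.dpa_deadline() - now).total_seconds() / 3600


def assess_risk(record: BreachRecord) -> Risk:
    """Map the exemptions and risk factors onto the three notification tiers."""
    # Exemptions: the breach is unlikely to result in a risk at all.
    if record.encrypted_key_not_compromised:
        record.decisions.append("exempt: data encrypted, key not compromised")
        return Risk.UNLIKELY
    if record.recovered_before_access:
        record.decisions.append("exempt: recovered before any access")
        return Risk.UNLIKELY

    sensitive = bool(record.data_categories & HIGHER_RISK_CATEGORIES)
    large = record.individuals_affected >= LARGE_VOLUME
    present = [name for name, flag in (
        ("sensitive data", sensitive),
        ("large volume", large),
        ("easily identifiable", record.easily_identifiable),
        ("vulnerable individuals", record.vulnerable_individuals),
    ) if flag]
    record.decisions.append("higher-risk factors: " + (", ".join(present) or "none"))

    # Assumed rule: sensitive data on identifiable or vulnerable people is high risk.
    if sensitive and (record.easily_identifiable or record.vulnerable_individuals):
        return Risk.HIGH_RISK
    # Assumed rule: any other higher-risk factor beyond identifiability alone is a risk.
    if sensitive or large or record.vulnerable_individuals:
        return Risk.RISK
    return Risk.UNLIKELY


def notification_plan(record: BreachRecord, now: datetime) -> dict:
    """Decide who must be notified and how much of the 72-hour window is left."""
    risk = assess_risk(record)
    remaining = record.hours_remaining(now)
    return {
        "reference": record.reference,
        "risk": risk.value,
        "notify_dpa": risk in (Risk.RISK, Risk.HIGH_RISK),
        "notify_individuals": risk is Risk.HIGH_RISK,
        "dpa_deadline": record.dpa_deadline().isoformat(),
        "hours_remaining": round(remaining, 1),
        # Past the window, the notification must carry the reasons for the delay.
        "reasons_for_delay_required": risk is not Risk.UNLIKELY and remaining < 0,
        "decisions": list(record.decisions),
    }


if __name__ == "__main__":
    # Constructed sample records; timestamps are not from any real incident.
    aware = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    samples = [
        BreachRecord("BR-001", aware, {"health"}, 500, vulnerable_individuals=True),
        BreachRecord("BR-002", aware, {"contact", "id_number"}, 3000,
                     encrypted_key_not_compromised=True),
        BreachRecord("BR-003", aware, {"contact"}, 5000),
    ]
    for rec in samples:
        print(notification_plan(rec, aware + timedelta(hours=20)))
```

Every call appends its reasoning to `decisions`, so a record that ends in "document only" still carries the justification a regulator can audit; the plan dictionary is what you would copy into the register entry and, when `notify_dpa` is true, into the authority's online form.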

Processor Obligations

If you are a data processor, your obligations differ:

Processor Breach Responsibilities

  • Notify the controller "without undue delay" after becoming aware
  • No direct notification to supervisory authority (that is the controller's duty)
  • Provide all information necessary for controller to fulfil notification obligations
  • Assist controller with breach response as per contract terms

Contract Tip

Processor agreements should specify breach notification timeframes. Many controllers require faster notification than "without undue delay" - commonly 24 or 48 hours.

Breach Response Checklist

Use this checklist when a potential breach is identified:

Immediate Actions (Hour 0-4)

  • Contain the breach (stop ongoing access, isolate systems)
  • Preserve evidence (logs, screenshots, forensic images)
  • Assemble incident response team
  • Begin initial assessment of scope and impact
  • Document the time you became "aware"

Assessment Phase (Hour 4-24)

  • Determine what personal data was affected
  • Estimate number of individuals affected
  • Assess risk to individuals' rights and freedoms
  • Identify applicable supervisory authority
  • Prepare initial notification content

Notification Phase (Hour 24-72)

  • Submit notification to supervisory authority (if required)
  • Determine if individual notification required
  • Draft individual notification communications
  • Coordinate with legal, PR, and customer service

Post-Notification Actions

  • Continue investigation and provide updates to DPA
  • Send individual notifications
  • Implement remediation measures
  • Conduct root cause analysis
  • Update security measures to prevent recurrence
  • Complete breach register documentation

Documentation Requirements

Maintain records of all breaches, including:

  • Facts surrounding the breach
  • Effects and consequences
  • Remedial actions taken
  • Reasoning for notification decisions
  • Timeline of events and responses