Why It Matters
Data breaches are inevitable — even well-prepared organizations will experience them. What matters is how you respond. Late or inadequate breach notification is a standalone GDPR violation with its own penalties, separate from any fines for the breach itself. Regulators have fined organizations for reporting too late, even when the underlying breach was relatively minor.
The 72-Hour Rule
Under Article 33, controllers must notify their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach — unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
"Becoming aware" means when the controller has a reasonable degree of certainty that a breach has occurred. A processor must notify its controller "without undue delay" (no specific hour limit).
What Must the Notification Contain?
The notification to the supervisory authority must include:
- Nature of the breach — what happened, categories and approximate number of individuals and records affected
- DPO contact details — or other contact point for further information
- Likely consequences — what risks the breach poses to affected individuals
- Measures taken — steps already taken or proposed to address the breach and mitigate its effects
If not all of this information is available within 72 hours, it may be provided in phases, without further undue delay.
When Must Individuals Be Notified?
Under Article 34, if the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must also be notified without undue delay. The communication must be in clear, plain language.
Exceptions: notification to individuals is not required if:
- Appropriate technical measures (e.g., encryption) rendered the data unintelligible to anyone not authorized to access it
- Subsequent measures ensure the high risk is no longer likely
- Individual notification would involve disproportionate effort (a public communication or similar measure is used instead)
Common Breach Examples
- Email sent to wrong recipient with personal data attached
- Ransomware attack encrypting databases containing personal data
- Lost or stolen unencrypted laptop or USB drive
- Unauthorized access to a database by an employee or external attacker
- Accidental publication of personal data on a website
Key Regulation
- GDPR Article 33 — notification to supervisory authority
- GDPR Article 34 — communication to affected individuals
- EDPB Guidelines on breach notification (WP 250) — detailed guidance and examples