GDPR Breach Notification: 72-Hour Rule & Requirements

Breach Notification

Breach notification is the legal obligation to report a personal data breach to the relevant supervisory authority and, in cases of high risk, to the affected individuals. Under GDPR, notification to the authority must occur within 72 hours of becoming aware of the breach.

GDPRprivacybreachArticle 33Article 3472 hours

Why It Matters

Data breaches are inevitable — even well-prepared organizations will experience them. What matters is how you respond. Late or inadequate breach notification is a standalone GDPR violation with its own penalties, separate from any fines for the breach itself. Regulators have fined organizations for reporting too late, even when the underlying breach was relatively minor.

The 72-Hour Rule

Under Article 33, controllers must notify their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach — unless the breach is unlikely to result in a risk to individuals.

"Becoming aware" means when the controller has a reasonable degree of certainty that a breach has occurred. A processor must notify its controller "without undue delay" (no specific hour limit).

What Must the Notification Contain?

The notification to the supervisory authority must include:

Nature of the breach — what happened, categories and approximate number of individuals and records affected
DPO contact details — or other contact point for further information
Likely consequences — what risks the breach poses to affected individuals
Measures taken — steps already taken or proposed to address the breach and mitigate its effects

If all information is not available within 72 hours, it can be provided in phases.

When Must Individuals Be Notified?

Under Article 34, if the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must also be notified without undue delay. The communication must be in clear, plain language.

Exceptions: notification to individuals is not required if:

Appropriate technical measures (e.g., encryption) rendered the data unintelligible
Subsequent measures ensure the high risk is no longer likely
Individual notification would involve disproportionate effort (public communication may suffice)

Common Breach Examples

Email sent to wrong recipient with personal data attached
Ransomware attack encrypting databases containing personal data
Lost or stolen unencrypted laptop or USB drive
Unauthorized access to a database by an employee or external attacker
Accidental publication of personal data on a website

Key Regulation

GDPR Article 33 — notification to supervisory authority
GDPR Article 34 — communication to affected individuals
EDPB Guidelines on breach notification (WP 250) — detailed guidance and examples

Breach Notification

GDPRprivacybreachArticle 33Article 3472 hours

Breach Notification

Why It Matters

The 72-Hour Rule

What Must the Notification Contain?

When Must Individuals Be Notified?

Common Breach Examples

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?

Breach Notification

Why It Matters

The 72-Hour Rule

What Must the Notification Contain?

When Must Individuals Be Notified?

Common Breach Examples

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?