GDPR fundamentals · Articles 33 & 34

Data breach notification under EU GDPR — the 72-hour rule

Updated April 2026 · EU GDPR Articles 33 & 34 · EDPB aligned

A personal data breach that is likely to result in a risk to the rights and freedoms of natural persons must be reported to the competent supervisory authority within 72 hours of the controller becoming aware of it. The breach response procedure (detection, assessment, notification, and logging) must exist before a breach occurs. It cannot be built during one.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

What is a personal data breach

Article 4(12) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This covers intrusions, ransomware, misdirected emails, stolen laptops, accidental deletion without a backup, and unauthorised internal access. EDPB guidance distinguishes three types: confidentiality breach (unauthorised disclosure or access), integrity breach (unauthorised alteration), and availability breach (loss of access or destruction). A single incident can be more than one type: ransomware that encrypts data and exfiltrates a copy is both an availability and a confidentiality breach. All three trigger the same documentation obligation under Article 33(5).

Source: EU GDPR Article 4(12); EDPB Guidelines 01/2021 on examples regarding personal data breach notification

When notification is required

Article 33(1) requires notification to the supervisory authority where the breach is likely to result in a risk to the rights and freedoms of natural persons. Not all breaches reach this threshold, but Article 33(5) requires every breach, including those below the threshold, to be documented in the internal breach log together with its facts, effects and the remedial action taken, so that the supervisory authority can verify compliance. The risk assessment must be documented with the factors considered (nature and sensitivity of the data, volume, how easily individuals can be identified, severity of the likely consequences, and the characteristics of the individuals affected), not simply asserted as a conclusion.

Which supervisory authority to notify

The supervisory authority to notify is determined by the controller’s main establishment: under the one-stop-shop mechanism it is the data protection authority of the member state where the controller has its main establishment. Where the breach affects individuals in several member states, the controller notifies only that lead supervisory authority, which informs the other concerned authorities through the cooperation procedure. Controllers with no EU establishment cannot use the one-stop-shop; under EDPB guidance they must notify the supervisory authority of every member state in which affected individuals reside (appointing an Article 27 representative does not change this).

The 72-hour requirement

The 72-hour clock runs from when the controller becomes aware of the breach, not from when the investigation is complete. EDPB guidance treats a controller as aware once it has a reasonable degree of certainty that a security incident has compromised personal data; a short period of initial investigation to establish that much is acceptable, but the clock is not paused for a full forensic investigation. A processor must notify the controller without undue delay (Article 33(2)); the controller’s 72-hour clock starts when the processor’s notification makes it aware. Phased notification is permitted where the full picture is not yet available: an initial notification within 72 hours, with further information provided in phases as soon as it is available. Where notification is made after 72 hours, the reasons for the delay must accompany it.

Source: EU GDPR Articles 33(1), 33(2), 33(4)

Mandatory content of the notification

Article 33(3) requires, at least: a description of the nature of the breach including, where possible, the categories and approximate numbers of individuals and of personal data records affected; the name and contact details of the DPO or other contact point; the likely consequences of the breach; and the measures taken or proposed to address it, including, where appropriate, measures to mitigate its possible adverse effects. Member state supervisory authorities provide their own online reporting forms (the CNIL in France, the DPC in Ireland, and in Germany the federal BfDI and the state authorities such as the LfDI/LDI offices, depending on which is competent for the controller), and the required format and level of detail vary slightly between them.

Notifying individuals — Article 34

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must be notified without undue delay (Article 34(1)). This is a higher threshold than the supervisory authority notification threshold. The communication must be in clear and plain language and must describe the nature of the breach, the DPO or contact point details, the likely consequences, and the measures taken or proposed (Article 34(2)). Article 34(3) allows individual notification to be omitted in three circumstances: the affected data was protected by measures that render it unintelligible to anyone not authorised to access it, for example encryption where the key was not itself compromised; subsequent measures ensure the high risk is no longer likely to materialise; or direct notification would involve disproportionate effort, in which case an equally effective public communication is required instead. The supervisory authority may still require the controller to notify individuals if it disagrees with the controller’s assessment (Article 34(4)).

Source: EU GDPR Articles 34(1), 34(2), 34(3), 34(4)

Building a breach response capability

EDPB guidance indicates that organisations should have a documented breach response plan, a maintained breach log, trained staff who can recognise and escalate a breach, and clear escalation procedures, all established before any breach occurs. A tabletop exercise that runs the plan against a realistic scenario (for example a ransomware incident discovered on a Friday evening, with the 72-hour clock already running) is the practical test of whether the plan is genuinely operational rather than merely written.

Record this. Maintain a breach log from day one: for every incident, the facts, the risk assessment and the factors behind it, the notification decision, the dates, and the reasons for any delay. Article 33(5) requires this record for every breach, notified or not, and it is the first document supervisory authorities request when investigating breach notification failures.
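The 72-hour arithmetic and the content of a log entry are easy to get wrong under pressure, so the following is an added example (not tooling from this page or from any product it mentions) of the minimal breach log record that supports the obligations described above: the controller’s awareness time in UTC, the computed Article 33 deadline, the notify-or-not decision for the supervisory authority and for individuals including the Article 34(3) exemptions, and a check that the risk assessment records its factors and that a late notification carries reasons. The field names, the Risk tiers, the function names and the two sample incidents are assumptions constructed for the example.

```python
"""Minimal Article 33/34 breach log record with deadline and decision logic.
Added example; names, fields and sample incidents are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

SA_WINDOW = timedelta(hours=72)                      # Art. 33(1)
BREACH_TYPES = {"confidentiality", "integrity", "availability"}


class Risk(Enum):
    NONE = "not likely to result in a risk"          # log only, Art. 33(5)
    RISK = "likely to result in a risk"              # notify SA, Art. 33(1)
    HIGH = "likely to result in a high risk"         # also individuals, Art. 34(1)


@dataclass
class BreachRecord:
    ref: str
    aware_at: datetime                # when the *controller* became aware (UTC);
                                      # for a processor-reported breach this is
                                      # the time the processor's notice arrived
    breach_types: set
    risk: Risk
    risk_factors: dict = field(default_factory=dict)   # factor -> finding
    sa_notified_at: datetime | None = None
    delay_reason: str | None = None   # mandatory if notified after the window
    data_unintelligible: bool = False # Art. 34(3)(a): e.g. encrypted, key safe
    risk_eliminated: bool = False     # Art. 34(3)(b): later measures removed risk
    direct_contact_disproportionate: bool = False  # Art. 34(3)(c)


def sa_deadline(rec: BreachRecord) -> datetime:
    """Latest time for the (initial, possibly phased) SA notification."""
    return rec.aware_at + SA_WINDOW


def obligations(rec: BreachRecord) -> dict:
    """Which notifications Articles 33 and 34 require for this record."""
    notify_sa = rec.risk in (Risk.RISK, Risk.HIGH)
    exempt = rec.data_unintelligible or rec.risk_eliminated
    individuals = rec.risk is Risk.HIGH and not exempt
    public = individuals and rec.direct_contact_disproportionate
    return {
        "log": True,                              # every breach, Art. 33(5)
        "notify_sa": notify_sa,
        "notify_individuals": individuals and not public,
        "public_communication": public,           # substitute for direct contact
    }


def validate(rec: BreachRecord, now: datetime) -> list:
    """Documentation defects a supervisory authority would flag."""
    problems = []
    if rec.aware_at.tzinfo is None:
        problems.append("aware_at must be timezone-aware (record in UTC)")
    if not rec.breach_types or not rec.breach_types <= BREACH_TYPES:
        problems.append(f"breach_types must be a non-empty subset of {sorted(BREACH_TYPES)}")
    if not rec.risk_factors:
        problems.append("risk assessment must record the factors considered, not just the conclusion")
    if obligations(rec)["notify_sa"]:
        deadline = sa_deadline(rec)
        if rec.sa_notified_at is None:
            if now > deadline:
                problems.append(f"SA notification overdue since {deadline.isoformat()}")
        elif rec.sa_notified_at > deadline and not rec.delay_reason:
            problems.append("SA notified after 72 hours without reasons for the delay (Art. 33(1))")
    return problems


def sample_records():
    """Constructed sample incidents (not real cases)."""
    aware = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    ransomware = BreachRecord(
        ref="BR-2026-001", aware_at=aware,
        breach_types={"confidentiality", "availability"}, risk=Risk.HIGH,
        risk_factors={
            "type": "ransomware; operator claims exfiltration",
            "data": "names, postal addresses, health records",
            "volume": "approx. 12,000 data subjects / 40,000 records",
            "identifiability": "direct identifiers present",
            "consequences": "discrimination, distress, possible fraud",
        },
        sa_notified_at=aware + timedelta(hours=80),   # 8 h past the deadline
    )
    misdirected = BreachRecord(
        ref="BR-2026-002", aware_at=aware,
        breach_types={"confidentiality"}, risk=Risk.NONE,
        risk_factors={},                               # conclusion only: defect
    )
    return ransomware, misdirected


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.ref, "deadline", sa_deadline(rec).isoformat())
        print("  obligations:", obligations(rec))
        print("  problems:", validate(rec, rec.sa_notified_at or rec.aware_at))
```

The decision function deliberately never returns `log: False`: the choice is only which notifications follow, never whether to record the incident. `validate` is where the log earns its keep in an investigation, because it refuses a risk conclusion with no recorded factors and a late notification with no stated reason, which are exactly the two gaps a supervisory authority looks for.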


Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.