GDPR7 min read
Data Breach Notification: The 72-Hour Rule
GDPR requires organizations to report certain personal data breaches to supervisory authorities within 72 hours of becoming aware of the breach. Late or missed notifications can result in additional penalties beyond those related to the breach itself.
Key Takeaways
| Point | Summary |
|---|---|
| 72-hour deadline | Report to supervisory authority within 72 hours of becoming aware of a breach |
| When to notify authority | Any breach likely to result in risk to individuals' rights and freedoms |
| When to notify individuals | Breaches likely to result in HIGH risk to individuals |
| Breach types | Confidentiality (unauthorized access), Integrity (data altered), Availability (data lost/destroyed) |
| Document all breaches | Even those not reported must be logged in your breach register |
Quick Answer: Report data breaches to your supervisory authority within 72 hours if they pose risk to individuals. Notify affected individuals directly if the risk is high. Document ALL breaches in a breach register, even those not requiring notification.
What is a Personal Data Breach?
A breach occurs when there's a security incident affecting personal data:
Types of Personal Data Breaches:
Confidentiality Breach:
- Unauthorized access to data
- Data disclosed to wrong recipient
- Hacking or phishing attacks
- Lost or stolen devices with data
Integrity Breach:
- Data altered without authorization
- Corruption of personal data
- Tampering with records
- Malware modifying data
Availability Breach:
- Data lost or destroyed
- Ransomware encryption
- System failures losing data
- Accidental deletion
- Data made inaccessible
Breach Examples
| Incident | Type | Reportable? |
|---|---|---|
| Hacker accesses customer database | Confidentiality | Yes |
| Email sent to wrong recipient with personal data | Confidentiality | Depends on risk |
| Ransomware encrypts user data | Availability | Yes, unless backup restores |
| Laptop with unencrypted data stolen | Confidentiality | Yes |
| Bug accidentally deletes user profiles | Availability/Integrity | Yes |
| Phishing attack compromises credentials | Confidentiality | Yes |
| Employee peeks at ex-partner's records | Confidentiality | Depends on scale/harm |
| Server crash destroys backup data | Availability | Yes |
The Notification Decision
Not every breach requires notification. Use this framework:
Breach Notification Decision Tree:
Personal data breach occurred?
- No → Document internally, no notification needed
- Yes → Continue assessment
Risk to individuals' rights and freedoms?
- Unlikely → Document internally, no DPA notification
- Risk exists → Notify supervisory authority within 72 hours
High risk to individuals?
- No → Authority notification only
- Yes → Also notify affected individuals without undue delay
Risk Assessment Factors
| Factor | Higher Risk | Lower Risk |
|---|---|---|
| Data Type | Financial, health, ID numbers | Names only |
| Volume | Many individuals affected | Few affected |
| Identifiability | Directly identifiable | Pseudonymized |
| Encryption | Unencrypted | Properly encrypted |
| Context | Sensitive context | Non-sensitive |
| Harm Potential | Identity theft, discrimination | Minimal impact |
| Vulnerability | Children, vulnerable groups | General population |
Notification Timelines
| Notification | Deadline | Recipient |
|---|---|---|
| Supervisory Authority | 72 hours from awareness | Data Protection Authority |
| Individuals (if high risk) | Without undue delay | Affected data subjects |
| Processor to Controller | Without undue delay | Controller organization |
What "72 Hours" Means
- Clock starts when you become "aware" of the breach
- "Aware" = reasonable certainty a breach has occurred
- Weekends and holidays count
- Can notify in phases if information evolves
- Must explain any delay over 72 hours
Notifying the Supervisory Authority
Information Required
| Element | Details to Provide |
|---|---|
| Nature of Breach | What happened |
| Categories of Data | Types of personal data involved |
| Categories of Subjects | Types of people affected |
| Approximate Numbers | Data subjects and records |
| DPO/Contact Details | Who to contact for questions |
| Consequences | Likely consequences of breach |
| Measures Taken | Actions to address and mitigate |
Notification Template
Data Breach Notification to Supervisory Authority
────────────────────────────────────────────────────────
Organization: [Your Company Name]
Reference: [Breach Reference Number]
Date: [Notification Date]
Time of Awareness: [When you became aware]
1. Nature of the Breach
[Description of what happened]
2. Data Categories Affected
- [e.g., Names, email addresses]
- [e.g., Financial information]
3. Data Subjects Affected
- Category: [e.g., Customers]
- Approximate number: [Number]
- Records affected: [Number]
4. Contact Details
- DPO/Privacy Contact: [Name]
- Email: [Email]
- Phone: [Phone]
5. Likely Consequences
[Assessment of potential harm]
6. Measures Taken/Proposed
- Immediate: [Actions taken]
- Remediation: [Planned actions]
- Prevention: [Future measures]
Notifying Affected Individuals
When a breach poses high risk, you must notify individuals.
When Individual Notification Required
| Scenario | Individual Notification |
|---|---|
| Unencrypted sensitive data exposed | Yes |
| Financial data compromised | Yes |
| Login credentials leaked | Yes |
| Health information accessed | Yes |
| Data encrypted (key not compromised) | Usually no |
| Anonymous/pseudonymous data | Usually no |
What to Tell Individuals
| Element | Content |
|---|---|
| What Happened | Plain language description |
| Data Affected | What data about them was involved |
| Consequences | Potential impacts on them |
| Measures Taken | What you're doing about it |
| Their Actions | What they should do (change password, etc.) |
| Contact | How to reach you with questions |
Individual Notification Template
Subject: Important Security Notice from [Company]
Dear [Customer/User],
We are writing to inform you about a security incident
that may have affected your personal information.
What Happened:
[Clear description of the breach]
What Information Was Involved:
[Specific data types affected]
What We Are Doing:
[Steps you're taking to address the breach]
What You Can Do:
[Recommended actions for the individual]
For More Information:
[Contact details and resources]
We sincerely apologize for this incident and are
committed to protecting your information.
[Signature]
Exceptions to Individual Notification
You may not need to notify individuals if:
- Data protected: Encryption or measures rendered data unintelligible
- Risk eliminated: Subsequent measures eliminated the risk
- Disproportionate effort: Public communication instead (but this is rare and risky)
Breach Response Process
Incident Response Workflow
Breach Response Timeline:
Hour 0: Detection
- Incident detected or reported
- Initial assessment begins
- Incident response team activated
Hours 0-24: Containment
- Stop ongoing breach
- Preserve evidence
- Assess scope and impact
- Document everything
Hours 24-48: Assessment
- Determine if personal data affected
- Identify data subjects impacted
- Assess risk level
- Decide on notification requirements
Hours 48-72: Notification Prep
- Prepare authority notification
- Draft individual communications (if needed)
- Legal review
- Management approval
Hour 72: Authority Notification
- Submit to supervisory authority
- Begin individual notifications
- Continue investigation
Post-72 Hours: Follow-Up
- Complete investigation
- Submit supplementary information
- Implement remediation
- Update documentation
Internal Documentation
Even if no external notification is required, document:
| Element | Record |
|---|---|
| Facts of Breach | What happened, when, how |
| Effects | Scope and impact |
| Remedial Actions | What you did |
| Decision Rationale | Why you did/didn't notify |
| Timeline | Key dates and times |
| Lessons Learned | How to prevent recurrence |
Building Breach Readiness
Preparation Checklist
Policies and Procedures:
- Incident response plan documented
- Breach assessment criteria defined
- Notification templates prepared
- Escalation procedures clear
Team Readiness:
- Incident response team identified
- Roles and responsibilities assigned
- Contact list maintained
- Regular training conducted
Technical Capabilities:
- Detection mechanisms in place
- Forensic capability available
- Logging and audit trails enabled
- Backup and recovery tested
Communication:
- DPA contact information current
- Customer communication channels ready
- Legal counsel accessible
- PR/communications prepared
Common Mistakes
| Mistake | Consequence | Prevention |
|---|---|---|
| Missing 72-hour window | Additional fines | Clear escalation process |
| Incomplete notification | Authority follow-up | Use complete templates |
| Over-notifying | Unnecessary alarm | Proper risk assessment |
| Under-notifying | Regulatory action | Err on side of caution |
| Poor individual communication | Reputation damage | Clear, empathetic messaging |
| No documentation | Can't demonstrate compliance | Document everything |
How Bastion Helps
Effective breach response requires preparation before incidents occur—the middle of a breach is not the time to build your response capability. Working with experienced partners helps ensure you're ready when incidents happen.
| Challenge | How We Help |
|---|---|
| Incident Response Planning | Pre-built response procedures tailored to your organization |
| Breach Assessment | Expert guidance on evaluating risk and notification requirements |
| Notification Preparation | Templates and review support for authority and individual communications |
| Authority Communication | Experience supporting organizations through DPA interactions |
| Post-Breach Remediation | Recommendations for security improvements and preventing recurrence |
Having expert support available during breach situations helps ensure notifications meet requirements and communications are handled appropriately—reducing regulatory risk and reputational impact.
Looking for help with breach response preparedness? Talk to our team →