GDPR | 1 June 2026 | 7 min read

GDPR Data Breach Notification: 72-Hour Rule — Privacy Tech EU

Personal data breaches are one of the most consequential areas of GDPR compliance — both because breaches cause real harm to individuals and because the notification obligations are strict and time-sensitive. This guide covers everything organisations need to know to respond correctly.

What Counts as a Personal Data Breach?

GDPR Article 4(12) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

This deliberately broad definition covers a wide range of incidents:

Confidentiality breaches — unauthorised disclosure or access. Examples include:

  • A hacker gaining access to a customer database
  • An employee emailing personal data to the wrong recipient
  • A laptop containing unencrypted personal data being stolen
  • A third-party processor exposing data through a misconfigured database

Integrity breaches — unauthorised alteration. Examples include:

  • An attacker modifying records (for example, changing stored account or contact details)
  • Accidental modification or corruption of records

Availability breaches — accidental or unauthorised loss of access to, or destruction of, personal data. Examples include:

  • Ransomware encrypting personal data so that the controller can no longer access it (if the attacker also exfiltrated the data, it is a confidentiality breach as well)
  • Permanent deletion of personal data without a backup
  • A service outage that makes personal data unavailable where its availability is essential

A key point: a breach does not require malicious intent. A staff member accidentally deleting a customer database, or an email sent to the wrong person, both qualify.

The 72-Hour Rule: Notification to the Supervisory Authority

Under GDPR Article 33, when a personal data breach occurs, the controller must notify the competent supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”

The 72-hour clock starts when the controller becomes aware of the breach, not when the breach actually occurred. Awareness means having a reasonable degree of certainty that a security incident has compromised personal data; a short initial investigation to establish that much is allowed, but the clock runs from the moment that certainty is reached, not from the end of the full investigation. If a breach occurred a month ago but you only discovered it today, the 72-hour window begins today. Where a processor detects the breach, Article 33(2) requires it to notify the controller without undue delay, and the controller is treated as aware once its processor has informed it, so processor contracts should set a short internal reporting time rather than leaving it to "without undue delay".

What Must Be Included in the Notification?

Article 33(3) specifies the mandatory contents:

  1. Nature of the breach — including the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records concerned
  2. Contact details of the DPO (or other contact point for further information)
  3. Likely consequences of the breach — the probable impact on affected individuals
  4. Measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

If all this information is not available within 72 hours, you can provide it in phases — an initial notification within the deadline, with further details supplied as soon as possible.

Phased Notification

The European Data Protection Board (EDPB) and most national supervisory authorities accept phased reporting. An initial notification within 72 hours can be followed by supplementary information as the investigation progresses. The initial notification should explain that the investigation is ongoing and commit to a timeframe for the follow-up.

This is particularly relevant for complex incidents — ransomware attacks or supply chain breaches — where the full scope takes days or weeks to establish.

When Notification Is NOT Required

Not every breach requires notification to the supervisory authority. Article 33(1) creates an exception where the breach “is unlikely to result in a risk to the rights and freedoms of natural persons.”

This exception requires careful judgment. Factors that reduce the risk (and may support not notifying) include:

  • The data was encrypted with a strong algorithm and the key was not compromised (and a backup exists, so availability is not affected either)
  • The breach involved only pseudonymised data where the attacker cannot realistically re-identify individuals (truly anonymised data is no longer personal data, so its loss is not a personal data breach at all)
  • The data was already publicly available, and the breach adds nothing that could be combined with other information to cause harm
  • The breach involved only internal administrative data with no likely impact on individuals

Factors that increase risk and make notification more likely necessary:

  • The breach involved sensitive categories of data (health, financial, criminal records, children’s data)
  • The data was in plaintext
  • A large number of individuals are affected
  • The breach involved data that could enable identity theft or fraud

When in doubt, notify. Supervisory authorities consistently advise erring on the side of notification.

Notification to Affected Individuals

GDPR Article 34 creates a separate obligation to notify affected individuals directly — but only when the breach “is likely to result in a high risk to the rights and freedoms of natural persons.”

The threshold here is higher than for supervisory authority notification: “high risk” not merely “risk.” The notification must be made “without undue delay” — the 72-hour window applies to the supervisory authority only; notification to individuals should follow as soon as practicable once the high-risk determination is made.

What Must Notifications to Individuals Include?

  • A description of the nature of the breach in plain language
  • Contact details of the DPO or another point of contact
  • A description of the likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects
  • Practical advice for individuals to protect themselves (e.g. reset passwords, watch for phishing messages); this falls under the mitigation measures Article 34(2) requires the notice to describe

The notification must be direct: individual communications (email, letter, SMS) are required. A general notice on the company website does not constitute individual notification under Article 34. Only where direct contact would involve disproportionate effort (for example, where contact details are unknown) may a public communication or similar measure be used instead, and Article 34(3)(c) requires that it informs the data subjects in an equally effective manner.

When Individual Notification Is NOT Required

Article 34(3) provides three exceptions where individual notification is not required even for high-risk breaches:

  1. Appropriate technical protection measures — the data was rendered unintelligible to anyone not authorised to access it (for example, encrypted with a key that was not compromised)
  2. Subsequent measures — the controller has taken steps that eliminate the high risk to individuals before notification would be required
  3. Disproportionate effort — where contacting individuals directly would be disproportionate, a public communication may be used instead

Internal Record-Keeping Obligations

Article 33(5) requires controllers to document all breaches, “comprising the facts relating to the personal data breach, its effects and the remedial action taken.” This applies to every breach, including those that do not meet the threshold for notification to the supervisory authority; for those, record the reasoning behind the decision not to notify, since that is what an authority will ask for.

A breach register or incident log should record:

  • Date and time of discovery
  • Date and time the breach occurred (if known)
  • Nature and description of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of records affected
  • Assessment of risk level and notification decision
  • Measures taken in response
  • Communications sent (to supervisory authority and/or individuals)

This record must be available to supervisory authorities on request and is the primary evidence base for demonstrating compliance with GDPR’s accountability principle.
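A breach register is easiest to keep honest if the deadline arithmetic and the notification checks live in code rather than in whoever happens to be on call. The following is an added example, not code from the original page or from any regulator: a minimal register entry with the Article 33 and 34 checks built in. The field names, the three-step risk scale ("unlikely", "risk", "high") and the sample incident are all assumptions made for illustration; the deadline is measured from the awareness time, not from when the breach occurred, as the text above describes.

```python
# Added example: a minimal breach register entry with the Article 33/34 deadline
# arithmetic. Illustrative code, not from the original page; the field names,
# the risk scale and the sample incident are assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

AUTHORITY_WINDOW = timedelta(hours=72)  # Article 33(1): "not later than 72 hours"


@dataclass
class BreachRecord:
    reference: str
    description: str
    discovered_at: datetime            # when the controller became aware; this starts the clock
    occurred_at: Optional[datetime]    # when the breach actually happened, if known
    data_subject_categories: list[str]
    approx_data_subjects: int
    record_categories: list[str]
    approx_records: int
    risk_level: str                    # assumed scale: "unlikely", "risk", "high"
    measures_taken: list[str] = field(default_factory=list)
    authority_notified_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None
    delay_reasons: Optional[str] = None

    def authority_deadline(self) -> datetime:
        # Measured from awareness, not from occurrence (Article 33(1)).
        return self.discovered_at + AUTHORITY_WINDOW

    def authority_notification_required(self) -> bool:
        # Article 33(1): notify unless the breach is unlikely to result in a risk.
        return self.risk_level != "unlikely"

    def individual_notification_required(self) -> bool:
        # Article 34(1): the higher "high risk" threshold.
        return self.risk_level == "high"

    def problems(self, now: datetime) -> list[str]:
        """Return the compliance gaps in this entry as of `now` (empty list means none)."""
        found: list[str] = []
        if self.occurred_at is not None and self.occurred_at > self.discovered_at:
            found.append("occurred_at is after discovered_at; check the timeline")
        if not self.measures_taken:
            found.append("Article 33(5): remedial action must be documented")
        if self.authority_notification_required():
            deadline = self.authority_deadline()
            if self.authority_notified_at is None:
                if now > deadline:
                    found.append(f"Article 33(1): authority notification overdue since {deadline.isoformat()}")
            elif self.authority_notified_at > deadline and not self.delay_reasons:
                found.append("Article 33(1): late notification must be accompanied by reasons for the delay")
        if self.individual_notification_required() and self.individuals_notified_at is None:
            found.append("Article 34(1): high-risk breach, individuals must be informed without undue delay")
        return found


def sample_record() -> BreachRecord:
    """Constructed sample input: an unencrypted laptop stolen in late May, reported to
    the controller on 1 June (the awareness date, so the 72-hour clock runs from there)."""
    return BreachRecord(
        reference="BR-2026-0001",
        description="Unencrypted laptop with a customer export stolen from an employee's car",
        discovered_at=datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc),
        occurred_at=datetime(2026, 5, 28, 18, 30, tzinfo=timezone.utc),
        data_subject_categories=["customers"],
        approx_data_subjects=4200,
        record_categories=["contact details", "order history"],
        approx_records=4200,
        risk_level="high",
        measures_taken=["remote wipe issued", "theft reported to police"],
    )


if __name__ == "__main__":
    rec = sample_record()
    print("authority deadline:", rec.authority_deadline().isoformat())
    for gap in rec.problems(now=datetime(2026, 6, 4, 10, 0, tzinfo=timezone.utc)):
        print("-", gap)
```

Run `problems()` from a scheduled job against every open entry and the register itself flags an overdue Article 33 notification, a late one filed without reasons for the delay, and a high-risk entry whose individuals have not yet been contacted. All timestamps are timezone-aware on purpose: a register that mixes local and UTC times will miscalculate exactly the deadline it exists to track.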

Practical Steps: Building a Breach Response Plan

Every organisation that processes personal data should have a documented breach response plan before an incident occurs. Key components:

  1. Incident identification — how staff report suspected breaches (internal reporting channel, named contact)
  2. Initial assessment — who assesses severity, what criteria are used
  3. Containment — steps to limit ongoing exposure
  4. Investigation — establishing what happened and what data was affected
  5. Notification decision — applying the risk assessment to determine notification obligations
  6. Notification execution — draft templates for supervisory authority and individual notifications
  7. Record-keeping — maintaining the breach register entry
  8. Post-incident review — updating security measures to prevent recurrence

See also our GDPR compliance guide and privacy by design guide for complementary frameworks.

Frequently Asked Questions

When does the 72-hour notification clock start?

The clock starts when the controller becomes aware of the breach, not when the breach occurred. Awareness means having a reasonable degree of certainty that a security incident has compromised personal data. A breach discovered weeks after it happened is still measured from the moment of discovery.

What happens if I miss the 72-hour deadline?

Late notification is permitted but must be accompanied by reasons for the delay. Unjustified late or absent notification can itself attract enforcement action and fines under Article 83, separately from any penalty for the underlying breach, so documenting the timeline is essential.

Do I have to notify affected individuals about every breach?

No. Individuals must be notified only when the breach is likely to result in a high risk to their rights and freedoms — a higher threshold than the supervisory authority notification. Where data was strongly encrypted or otherwise unintelligible to attackers, individual notification may not be required.

Do I need to record breaches that were not notified?

Yes. Article 33(5) requires controllers to document all personal data breaches, including the facts, effects and remedial action, even those judged not notifiable. This internal register lets the supervisory authority verify your assessment and is a common focus of regulatory inspections.