Data Breach Notification

Updated June 2026 · 8 min read

GDPR data breach notification and incident response

GDPR's data breach notification requirements are among the most consequential — and most time-sensitive — compliance obligations organisations face. The 72-hour rule is strict, breach definitions are broad, and fines for notification failures are substantial. This guide covers everything needed to respond correctly.

What Counts as a Personal Data Breach?

GDPR Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

This definition is deliberately broad and covers three categories of breach:

Confidentiality breaches — unauthorised disclosure or access to personal data:

  • A hacker gaining access to a customer database
  • An employee emailing personal data to the wrong recipient
  • A laptop containing unencrypted personal data being stolen
  • A third-party processor exposing data through a misconfigured database
  • An insider leak of customer records

Integrity breaches — unauthorised alteration of personal data:

  • Ransomware encrypting personal data, preventing the controller from accessing it
  • Accidental modification of records without a backup to restore from

Availability breaches — accidental or unauthorised loss of access to personal data:

  • Permanent deletion of personal data without a backup
  • A service outage that makes critical personal data unavailable where its availability is essential to service delivery

A critical point: a breach does not require malicious intent. A staff member accidentally deleting a customer database, or an email sent to the wrong recipient, both qualify as personal data breaches under GDPR.

The 72-Hour Rule: Notification to the Supervisory Authority

Under GDPR Article 33, when a personal data breach occurs, the controller must notify the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it."

The 72-hour clock starts when the controller becomes aware of the breach — not when the breach actually occurred. If a breach occurred three weeks ago but was discovered today, the 72-hour window begins from the moment of discovery. This distinction is important for internal processes: the speed of internal incident detection directly determines how much time remains for notification.

What the Notification Must Include

GDPR Article 33(3) specifies the mandatory contents of supervisory authority notifications:

  1. Nature of the breach — including the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records concerned
  2. Contact details of the Data Protection Officer (or other designated contact for further information)
  3. Likely consequences of the breach — the probable impact on affected individuals
  4. Measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Phased Notification

If all information is not available within 72 hours, the EDPB and most national supervisory authorities accept phased notification. An initial report within the deadline can be followed by supplementary information as the investigation progresses.

This is particularly relevant for complex incidents — ransomware attacks, supply chain breaches, or incidents where the full scope takes days or weeks to establish. The initial notification should clearly state that the investigation is ongoing and commit to a timeframe for follow-up information.

When Supervisory Authority Notification Is NOT Required

Not every breach requires notification to the supervisory authority. Article 33(1) creates an exception where the breach "is unlikely to result in a risk to the rights and freedoms of natural persons."

Factors that reduce risk and may support not notifying:

  • The data was encrypted with a strong key and the key was not compromised
  • The data was fully anonymised before the breach
  • The breach involved only pseudonymised data where re-identification is practically impossible
  • The data was already publicly available
  • The breach involved only internal administrative data with no likely impact on individuals
  • Prompt action resulted in the data being recovered before it could be accessed

Factors that increase risk and make notification necessary:

  • Special category data was involved (health, financial, criminal records, biometric data, children's data)
  • Data was in plaintext (unencrypted)
  • A large number of individuals are affected
  • The data could enable identity theft, fraud or financial harm
  • The breach involved vulnerable individuals
  • The data has already been published or sold by an attacker

When in doubt, notify. Supervisory authorities consistently advise erring on the side of notification — the consequences of notifying an unnecessary breach are administrative; the consequences of failing to notify a required breach can include significant fines.

Notification to Affected Individuals

GDPR Article 34 creates a separate obligation to notify affected individuals directly — but only when the breach "is likely to result in a high risk to the rights and freedoms of natural persons."

The threshold here is higher than for supervisory authority notification: "high risk" not merely "risk." The notification must be made "without undue delay" — there is no fixed 72-hour window for individual notification, but it should follow as soon as practicable after the high-risk determination.

What Notifications to Individuals Must Include

  • A description of the nature of the breach in plain language
  • Contact details of the DPO or another designated point of contact
  • A description of the likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects
  • Practical advice for individuals to protect themselves — for example, changing passwords, monitoring accounts, or placing fraud alerts

Notification must be direct — individual communications by email, letter or SMS are required. A general notice on the company website does not constitute individual notification, unless direct contact is disproportionate in effort (for example, where contact details are unknown for a large number of affected individuals). In that case, a public communication may supplement or replace direct contact.

Exceptions to Individual Notification

Article 34(3) provides three circumstances where individual notification is not required even for high-risk breaches:

  1. Appropriate technical protection measures were applied — specifically, the data was encrypted and the encryption key was not compromised
  2. Subsequent measures have been taken that effectively eliminate the high risk before notification would be required
  3. Notification to every individual would involve disproportionate effort — in which case a public communication must be made instead

Internal Record-Keeping Obligations

GDPR Article 33(5) requires controllers to document all personal data breaches, "including the facts relating to the personal data breach, its effects and the remedial action taken." This obligation applies to every breach — including those that do not meet the threshold for supervisory authority notification.

A breach register or incident log should record, at minimum:

  • Date and time of discovery (and date the breach occurred, if known)
  • Nature and description of the breach (category and type)
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Risk level assessment and the notification decision (with reasoning)
  • Measures taken in response and timeline
  • Communications sent — to supervisory authority and/or affected individuals, with dates

This record is the primary evidence base for demonstrating compliance with GDPR's accountability principle. Supervisory authorities can request it at any time, including during investigations of other matters.

Building a Breach Response Plan

Every organisation that processes personal data should have a documented breach response plan in place before an incident occurs. A complete plan addresses:

  1. Incident identification: How staff report suspected breaches — a named internal contact, a reporting email address or ticketing system. Staff must know that suspected incidents, not just confirmed breaches, should be reported immediately.
  2. Initial assessment: Who assesses severity and applies the risk framework. The assessment determines whether the 72-hour clock has started and at what priority to treat the incident.
  3. Containment: Immediate steps to limit ongoing exposure — isolating affected systems, revoking compromised credentials, disabling affected integrations.
  4. Investigation: Establishing what happened, when, what data was affected, and how many individuals are involved. The investigation scope determines the content of notifications.
  5. Notification decision: Applying the risk assessment to determine notification obligations — supervisory authority, individuals, or both. Documenting the reasoning.
  6. Notification execution: Pre-drafted templates for supervisory authority and individual notifications. The supervisory authority reporting portal for the relevant national DPA should be identified in advance.
  7. Record-keeping: Maintaining the breach register entry in real time throughout the incident.
  8. Post-incident review: Updating security measures and processes to prevent recurrence. Reviewing whether the incident reveals gaps in the privacy by design framework.
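The notification decision flow (Article 33 risk threshold, Article 34 high-risk threshold and its 34(3) exceptions) together with the 72-hour clock and the breach register fields above, as an added Python example that is not part of this guide or any particular product; the `BreachRecord` structure, its field names and the sample stolen-laptop breach are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    UNLIKELY = "unlikely"  # Art. 33(1) exception: register entry only
    RISK = "risk"          # Art. 33: notify the supervisory authority
    HIGH = "high"          # Art. 34: also notify affected individuals

@dataclass
class BreachRecord:  # hypothetical register entry; fields follow the list above
    description: str
    aware_at: datetime                    # when the controller became aware, not when it occurred
    risk: Risk
    encrypted_key_safe: bool = False      # Art. 34(3)(a): encrypted, key not compromised
    risk_eliminated: bool = False         # Art. 34(3)(b): later measures removed the high risk
    direct_contact_feasible: bool = True  # Art. 34(3)(c): if False, public communication instead
    reasoning: list = field(default_factory=list)
    def authority_deadline(self) -> datetime:
        """Art. 33(1): 72 hours from awareness, not from when the breach occurred."""
        return self.aware_at + timedelta(hours=72)
    def hours_remaining(self, now_iso: str) -> float:  # hours left on the clock at an ISO-8601 time
        return (self.authority_deadline() - datetime.fromisoformat(now_iso)) / timedelta(hours=1)
    def obligations(self) -> dict:  # applies the thresholds and exceptions, records the reasoning
        o = {"notify_authority": False, "notify_individuals": False, "public_communication": False}
        why = []
        if self.risk is Risk.UNLIKELY:
            why.append("Art. 33(1): unlikely to result in risk; document in register only")
        else:
            o["notify_authority"] = True
            why.append(f"Art. 33: notify authority by {self.authority_deadline().isoformat()}")
        if self.risk is Risk.HIGH:
            if self.encrypted_key_safe:
                why.append("Art. 34(3)(a): data encrypted and key not compromised")
            elif self.risk_eliminated:
                why.append("Art. 34(3)(b): subsequent measures eliminated the high risk")
            elif not self.direct_contact_feasible:
                o["public_communication"] = True
                why.append("Art. 34(3)(c): direct contact disproportionate; public communication")
            else:
                o["notify_individuals"] = True
                why.append("Art. 34: high risk; notify individuals without undue delay")
        self.reasoning = why
        return o

def example_record(risk: Risk = Risk.HIGH, **flags) -> BreachRecord:
    """Constructed sample: a laptop holding unencrypted customer records is stolen."""
    return BreachRecord("Stolen laptop with customer records in plaintext",
                        datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc), risk, **flags)
```

The `reasoning` list is what the register should keep: the notification decision with its grounds, which is the evidence a supervisory authority will ask for.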

For a broader overview of GDPR obligations, including the underlying principles and lawful bases for processing, see the GDPR compliance guide. For data protection measures that reduce the severity and notification obligation of breaches, see the privacy by design guide.

Frequently Asked Questions

What counts as a personal data breach under GDPR?

Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers confidentiality breaches (unauthorised access), integrity breaches (unlawful alteration), and availability breaches (loss of access). Malicious intent is not required — an accidental email to the wrong recipient qualifies.

When does the 72-hour clock start?

The clock starts when the controller becomes aware of the breach, not when it occurred. If a breach happened three weeks ago but was discovered today, the 72-hour window begins from the moment of discovery. This makes rapid internal incident detection critical to meeting the deadline.

What must a supervisory authority breach notification include?

Under Article 33(3): the nature of the breach including categories and approximate number of data subjects and records affected; contact details of the DPO; the likely consequences of the breach; and the measures taken or proposed to address it. If not all information is available within 72 hours, phased notification is permitted.

When do you need to notify affected individuals?

Only when the breach is likely to result in a high risk to the rights and freedoms of individuals — a higher threshold than for supervisory authority notification. The notification must be direct (email, letter or SMS) and include a plain-language description, contact details, likely consequences, and protective steps individuals can take.

Is notification required for every breach?

No. Article 33(1) exempts breaches unlikely to result in a risk to individuals. Factors reducing risk include: the data was encrypted and the key was not compromised; the data was fully anonymised; or the breach involved only low-sensitivity internal data. When in doubt, notify — the consequences of unnecessary notification are minimal; the consequences of failing to notify a required breach can include significant fines.

What must be recorded in a breach register?

All personal data breaches must be documented internally — including those that do not meet the threshold for supervisory authority notification. Records must include the date and time of discovery, nature and description of the breach, number of individuals and records affected, risk assessment, notification decisions, measures taken, and communications sent.