A GDPR data breach notification failure is one of the fastest ways to turn a security incident into a regulatory crisis. Under Articles 33 and 34 of the GDPR, controllers face a hard 72-hour deadline to report qualifying breaches to their supervisory authority – and in many cases must also communicate directly with affected individuals. According to the DLA Piper GDPR Fines and Data Breach Survey 2026, supervisory authorities across the EEA processed over 130,000 breach notifications in a single year, with a significant proportion arriving late or incomplete.
This playbook translates the legal requirements into an operational incident response process for DPOs, CISOs, and incident response teams who need to move from detection to notification without delay.
What Triggers the 72-Hour Clock?
The obligation to file a GDPR data breach notification begins the moment the controller becomes “aware” of a personal data breach. Awareness, as defined by the EDPB Guidelines on personal data breach notification, does not require certainty – it requires a reasonable degree of confidence that a security incident has compromised personal data.
The clock starts when an employee, a processor, or an automated system generates credible evidence that personal data has been exposed, altered, or lost. Common trigger points include a SIEM alert confirming unauthorised access, a processor notifying the controller under Article 33(2) GDPR, a customer complaint reporting receipt of another person’s data, or an internal audit revealing an inadvertent publication. Supervisory authorities have consistently rejected the argument that awareness was delayed because the organisation lacked monitoring tools.
The deadline runs continuously, including weekends and public holidays. If your team confirms a breach at 14:00 on a Friday, the notification must reach the supervisory authority by 14:00 on Monday. If full information is not available within 72 hours, Article 33(4) permits phased notification: submit what you have now, then supplement without undue further delay.
Step-by-Step Incident Response Process
An effective breach response requires pre-established roles, templates, and escalation paths. The following process covers detection through notification and post-incident review.
Step 1: Detect, contain, and classify
The first priority is stopping the breach from expanding – isolate affected systems, revoke compromised credentials, and preserve forensic evidence. The 2025 IBM Cost of a Data Breach Report found that organisations containing a breach in under 200 days spent an average of USD 1.02 million less than those that took longer. Document every containment action with timestamps.
Simultaneously, classify the incident against the three EDPB breach categories: confidentiality breach (unauthorised disclosure or access), integrity breach (unauthorised alteration), or availability breach (loss of access or destruction of data). Determine the categories of data affected, the approximate number of data subjects, and whether encryption or pseudonymisation was in place.
Step 2: Assess risk to data subjects
This is the pivotal decision point. The GDPR imposes two distinct thresholds:
- Notification to the supervisory authority (Article 33): required unless the breach is “unlikely to result in a risk” to individuals.
- Communication to data subjects (Article 34): required when the breach is “likely to result in a high risk” to individuals.
In practice, the vast majority of personal data breaches cross the first threshold. For the high-risk assessment, consider the sensitivity of the data, the volume of affected individuals, and whether the data could enable identity theft or financial fraud. Breaches involving special category data under Article 9 almost always meet the high-risk threshold. A data protection impact assessment conducted before processing begins can substantially accelerate this analysis during an incident.
Step 3: Notify the authority, communicate with data subjects, and document
Under Article 33(3), the supervisory authority notification must include:
| Required element | Detail |
|---|---|
| Nature of the breach | Categories and approximate number of data subjects and records |
| DPO contact | Name and contact details of the DPO or designated contact |
| Likely consequences | Description of anticipated impact on data subjects |
| Remedial measures | Actions taken or proposed to address the breach and mitigate effects |
Most supervisory authorities provide online notification portals. Prepare templates in advance and integrate them into your GDPR compliance checklist so incident responders are not drafting from scratch under pressure. If the notification is filed after 72 hours, Article 33(1) requires the controller to provide reasons for the delay.
When the breach meets the Article 34 high-risk threshold, communicate with affected individuals in clear, plain language describing the breach, its likely consequences, and recommended protective actions. Article 34(3) provides three exceptions: (a) encryption rendered the data unintelligible, (b) subsequent measures eliminated the high risk, or (c) direct communication would require disproportionate effort, in which case a public communication is required instead.
For organisations managing complex data processing agreements, the contractual notification chain between controllers and processors must also be activated.
Finally, Article 33(5) requires an internal breach register documenting every breach, its effects, and remedial actions – regardless of whether notification was required. Maintain this register as part of your broader record of processing activities (ROPA). Legiscope’s data breach management tracking can centralise this documentation, linking incidents to affected processing activities and generating the audit trail supervisory authorities expect.
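The decision logic of Steps 1 to 3 encoded as a small triage helper: it computes the continuous 72-hour deadline, applies the Article 33 and Article 34 thresholds with the Article 34(3) exceptions, and reviews a draft authority notification against the Article 33(3) elements. This is an added example, not Legiscope’s code; the field and element names are assumptions for illustration, and the Friday scenario is constructed from the text above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Article 33(1): the 72 hours run continuously, weekends and public holidays included.
DEADLINE = timedelta(hours=72)
# Article 33(3) elements from the table above; the key names are assumed for this example.
REQUIRED_ELEMENTS = ("nature", "dpo_contact", "likely_consequences", "remedial_measures")

@dataclass
class Breach:
    aware_at: datetime                     # when the controller became "aware" (EDPB sense)
    risk_to_individuals: bool              # Article 33: not "unlikely to result in a risk"
    high_risk: bool                        # Article 34: "likely to result in a high risk"
    data_unintelligible: bool = False      # Art. 34(3)(a): encrypted, keys not compromised
    risk_eliminated: bool = False          # Art. 34(3)(b): later measures removed the high risk
    disproportionate_effort: bool = False  # Art. 34(3)(c): individual contact impractical
    notification: dict = field(default_factory=dict)  # draft Art. 33(3) content

def deadline(b: Breach) -> datetime:
    return b.aware_at + DEADLINE

def obligations(b: Breach) -> dict:
    """Apply both GDPR thresholds; Art. 34(3) exceptions affect only data subjects."""
    subjects = "none"
    if b.high_risk and not (b.data_unintelligible or b.risk_eliminated):
        # Art. 34(3)(c): a public communication replaces individual contact
        subjects = "public" if b.disproportionate_effort else "individual"
    return {"authority": b.risk_to_individuals, "data_subjects": subjects}

def review_filing(b: Breach, filed_at: datetime) -> list:
    """Findings for an authority notification filed at filed_at (phased filing is allowed)."""
    findings = [f"supplement without undue further delay (Art. 33(4)): {e}"
                for e in REQUIRED_ELEMENTS if not b.notification.get(e)]
    if filed_at > deadline(b) and not b.notification.get("delay_reasons"):
        findings.append("filed after 72 hours without reasons for the delay (Art. 33(1))")
    return findings

def friday_scenario() -> tuple:
    """Constructed case from the text: awareness at 14:00 on a Friday, filed on Tuesday."""
    friday = datetime(2026, 3, 6, 14, 0, tzinfo=timezone.utc)
    b = Breach(friday, risk_to_individuals=True, high_risk=True,
               notification={"nature": "approx. 4,000 customer records", "dpo_contact": "dpo"})
    return deadline(b).strftime("%A %H:%M"), obligations(b), review_filing(b, friday + timedelta(days=4))

if __name__ == "__main__":
    print(*friday_scenario(), sep="\n")
```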
What Happens When Organisations Get It Wrong?
Enforcement data makes the cost of failure concrete. Supervisory authorities have issued substantial fines specifically for breach notification failures, distinct from fines for the underlying security deficiency.
Meta Platforms – EUR 91 million (2024). The Irish Data Protection Commission fined Meta after discovering that Facebook user passwords had been stored in plaintext. The fine addressed multiple violations, including failure to notify within the required timeframe and inadequate documentation under Article 33(5).
Booking.com – EUR 475,000 (2021). The Dutch Autoriteit Persoonsgegevens fined Booking.com for notifying a breach 22 days late. The breach involved unauthorised access to data of over 4,000 customers, including credit card details. The authority emphasised that internal investigation delays do not suspend the clock.
Vodafone Spain – EUR 3.94 million (2021). The AEPD imposed a fine after Vodafone Spain failed to implement adequate breach detection and notification processes, resulting in repeated failures to report breaches within the required timeframe.
These cases illustrate a consistent pattern: supervisory authorities treat the notification obligation as a standalone compliance requirement. A failure in the GDPR data breach notification process generates independent liability even where the underlying breach was not egregious.
Preparing Before a Breach Occurs
The 72-hour window is too short to build a process from scratch. The EDPB found in its 2023 coordinated enforcement action that organisations with tested incident response plans notified breaches an average of 40% faster than those without.
Effective preparation includes:
- Pre-drafted notification templates aligned with Article 33(3) requirements and tailored to your supervisory authority’s portal
- Defined escalation paths specifying who evaluates awareness, who authorises notification, and who communicates with data subjects
- Processor contracts with specific hour-based SLAs for breach notification rather than vague “without undue delay” language – see our data processing agreement guide
- Tabletop exercises simulating breach scenarios at least annually, involving legal, IT, communications, and senior management
- A current data inventory so the incident response team can rapidly determine what data was affected and how many individuals are involved
Integrating breach response into your broader GDPR requirements programme ensures notification is not treated as an afterthought bolted onto security operations.
Processor Notification Obligations
Processors do not notify the supervisory authority directly. Under Article 33(2), a processor that becomes aware of a breach must notify the controller without undue delay. The controller then bears the 72-hour obligation. Supervisory authorities have held controllers responsible when processor delays caused late notification, reinforcing the need for contractual SLAs with specific timeframes.
FAQ
What qualifies as a personal data breach under GDPR?
Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This covers confidentiality breaches, integrity breaches, and availability breaches. A ransomware attack, a misdirected email, or a database left exposed on the internet all qualify.
Can the 72-hour deadline be extended?
The GDPR does not provide a formal extension. Article 33(4) allows information to be provided in phases, and supervisory authorities accept phased notifications for complex incidents, but they expect the initial notification within 72 hours even if incomplete. Late notifications must include reasons for the delay.
When is notifying data subjects required?
Communication to data subjects under Article 34 is required only when the breach is likely to result in a high risk to their rights and freedoms. Breaches involving health data, financial information, or identity documents typically meet this threshold. Breaches where data was encrypted with uncompromised keys generally do not.
What is the penalty for failing to notify a breach on time?
Under Article 83(4)(a), fines of up to EUR 10 million or 2% of annual global turnover apply, whichever is higher. In practice, fines for notification failures have ranged from tens of thousands of euros to over EUR 90 million depending on severity and negligence.
