GDPR Data Breach Notification: The 72-Hour Rule

Learn how GDPR data breach notification works, the 72-hour reporting rule, what to include, and how to avoid regulatory penalties.

A GDPR data breach notification is one of the most time-sensitive obligations any organisation faces under European data protection law. When a personal data breach occurs, the clock starts immediately: controllers have just 72 hours to notify their supervisory authority unless the breach is unlikely to result in a risk to individuals. Despite the apparent simplicity of this rule, breach notification failures remain among the most common reasons for regulatory penalties across the European Economic Area.

This guide explains the GDPR data breach notification framework in practical terms, covering who must notify, what the notification must contain, when the 72-hour deadline starts, and how to build an internal process that keeps your organisation compliant.

What Counts as a Personal Data Breach?

Before examining the notification process, it is essential to understand what qualifies as a personal data breach. Article 4(12) GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Breach categories defined by the EDPB

The EDPB Guidelines on personal data breach notification classify breaches into three categories:

  • Confidentiality breach – unauthorised or accidental disclosure of, or access to, personal data. Example: a database exposed to the public internet, or an email sent to the wrong recipient.
  • Integrity breach – unauthorised or accidental alteration of personal data. Example: a ransomware attack that modifies patient records before encryption.
  • Availability breach – accidental or unauthorised loss of access to, or destruction of, personal data. Example: a server failure that permanently destroys customer records without backup.

A single incident can combine all three categories. According to the IBM Cost of a Data Breach Report, the average cost of a data breach globally reached USD 4.88 million, reinforcing the importance of rapid detection and response.

The 72-Hour Notification Obligation

The cornerstone of GDPR data breach notification is set out in Article 33 GDPR. The controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.

Starting point for the deadline

The clock begins when the controller becomes “aware” of the breach. The EDPB guidance clarifies that awareness occurs when the controller has a reasonable degree of certainty that a security incident has compromised personal data. This does not require full forensic analysis. If a processor detects a breach, it must notify the controller without undue delay under Article 33(2), and the controller’s 72-hour window starts from the moment the processor informs it.

Supervisory authorities have consistently held that organisations cannot delay awareness by failing to invest in detection capabilities. A company that takes several months to discover a breach because it lacks monitoring tools will not receive the benefit of a later start to the 72-hour period.

Required content of the notification

The notification to the supervisory authority must contain at minimum:

  • The nature of the breach, including the categories and approximate number of data subjects and personal data records affected
  • The name and contact details of the Data Protection Officer or other contact point (see the DPO definition and missions for more detail)
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

If all information is not available at the time of initial notification, the GDPR allows it to be provided in phases without undue further delay.

When Must You Also Notify Data Subjects?

Article 34 GDPR imposes a separate obligation to notify the affected individuals directly when a breach is likely to result in a high risk to their rights and freedoms. The threshold for notifying data subjects is higher than for notifying the supervisory authority.

The assessment depends on factors such as the type of personal data compromised, the volume of records, the severity of potential consequences, and whether technical measures such as encryption were in place. Breaches involving financial data, health data, or identity documents almost always cross the high-risk threshold. The CNIL’s breach notification guidance emphasises that where special category data under Article 9 is involved, the presumption should generally be that communication to data subjects is required.

Article 34(3) provides three exceptions where communication to data subjects is not required: (a) the data was rendered unintelligible through encryption or similar measures, (b) subsequent measures have ensured that the high risk is no longer likely to materialise, or (c) the communication would involve disproportionate effort, in which case a public communication must be made instead.
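The Article 33 and Article 34 decisions described in the two sections above, as an added example that is not from the article: a small Python triage helper (my own construction, not Legiscope's code) that fixes the start of the 72-hour window from a processor's report, computes the supervisory-authority deadline, and applies the three Article 34(3) exceptions. The field names, flags and the sample incident are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SA_WINDOW = timedelta(hours=72)  # Article 33(1): notify the supervisory authority within 72 hours


@dataclass
class Incident:
    """Constructed triage record; the field names are this example's own, not GDPR terms."""
    controller_aware_at: datetime                     # reasonable certainty that personal data was compromised
    processor_informed_at: Optional[datetime] = None  # set when a processor reported the breach (Art. 33(2))
    risk_to_individuals: bool = False                 # Art. 33 threshold: likely to result in a risk
    high_risk: bool = False                           # Art. 34 threshold: likely to result in a high risk
    unintelligible: bool = False                      # Art. 34(3)(a): e.g. encrypted and the key is not compromised
    risk_no_longer_likely: bool = False               # Art. 34(3)(b): later measures removed the high risk
    disproportionate_effort: bool = False             # Art. 34(3)(c): contacting individuals is impractical


def awareness_time(inc: Incident) -> datetime:
    # The controller's clock starts when a processor informs it, even if internal confirmation comes later.
    return inc.processor_informed_at if inc.processor_informed_at is not None else inc.controller_aware_at


def sa_deadline(inc: Incident) -> datetime:
    return awareness_time(inc) + SA_WINDOW


def triage(inc: Incident, now: datetime) -> dict:
    """Apply the Article 33/34 rules described above and return the resulting obligations."""
    result = {"document_internally": True, "notify_sa": False, "sa_overdue": False,
              "notify_data_subjects": False, "public_communication": False}
    if not inc.risk_to_individuals:
        return result  # no notification, but the internal breach record is still required
    result["notify_sa"] = True
    result["sa_overdue"] = now > sa_deadline(inc)  # a late filing must carry a reasoned justification
    if inc.high_risk:
        if inc.unintelligible or inc.risk_no_longer_likely:
            pass  # Art. 34(3)(a) or (b): no communication to data subjects required
        elif inc.disproportionate_effort:
            result["public_communication"] = True  # Art. 34(3)(c): public communication instead
        else:
            result["notify_data_subjects"] = True
    return result


# Constructed sample: a processor reported a ransomware incident affecting health records at 09:00 UTC;
# the controller's own analysis only confirmed the compromise at 14:00, but the window started at 09:00.
SAMPLE = Incident(
    controller_aware_at=datetime(2025, 3, 3, 14, 0, tzinfo=timezone.utc),
    processor_informed_at=datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
    risk_to_individuals=True, high_risk=True)
```

Running `triage(SAMPLE, now)` before 2025-03-06 09:00 UTC yields both notifications due and not overdue; the same incident with `risk_to_individuals=False` yields only the internal record.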

Building an Internal Breach Response Process

Having a documented breach response procedure is not merely best practice – it is an implicit requirement of the accountability principle and the broader obligation of privacy by design. Organisations that lack a structured response process are far more likely to miss the 72-hour deadline.

Essential elements of a breach response plan

An effective breach response plan should include the following components:

  1. Detection and escalation procedures. Define how staff report suspected incidents, who receives the initial report, and how the incident is triaged.
  2. Assessment protocol. Establish criteria for determining whether an incident constitutes a personal data breach, the categories of data involved, and the risk level. This assessment feeds directly into both the regulatory notification and the decision on whether to notify data subjects.
  3. Notification templates. Prepare pre-drafted notification templates for both regulatory and individual notifications. Having templates ready saves critical hours during a live incident.
  4. Roles and responsibilities. Assign clear ownership to specific individuals or teams, including the DPO, IT security, legal counsel, and communications.
  5. Post-incident review. After every breach, conduct a lessons-learned review and update your security measures accordingly. This continuous improvement loop demonstrates compliance with GDPR requirements.

A Data Protection Impact Assessment carried out during the design phase of high-risk processing activities can also help identify breach scenarios in advance, enabling more targeted response planning.

Penalties for Notification Failures

Failure to comply with GDPR data breach notification obligations can result in significant administrative fines. Under Article 83(4)(a), infringements of the notification obligation attract fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.

Enforcement track record

Several high-profile penalties illustrate the cost of notification failures. In 2022, the Irish Data Protection Commission fined Meta EUR 17 million for failing to have adequate measures in place to demonstrate the data breaches it had notified. The ICO has issued numerous fines for delayed or incomplete notifications. National regulators have also sanctioned smaller organisations for failing to notify breaches within the 72-hour window, demonstrating that enforcement is not limited to large enterprises.

According to the DLA Piper GDPR Fines and Data Breach Survey January 2026, average daily breach notifications across the EEA jumped 22% in 2025 to 443 per day – the first time since 2018 that daily notifications exceeded 400 – highlighting both improved breach detection and the growing scale of incidents that organisations must be prepared to handle within the 72-hour window.

These cases highlight that supervisory authorities treat the notification obligation as a fundamental component of how to comply with GDPR. Beyond fines, delayed notification can increase the overall harm to data subjects, leading to further reputational and legal consequences.

How Does Breach Notification Connect to Other GDPR Obligations?

Breach notification does not exist in isolation. It connects directly to several other GDPR obligations that organisations must maintain continuously.

Your GDPR compliance checklist should treat breach preparedness as a standing item. The retention periods you apply under the storage limitation principle and your ability to respond to right of access requests all influence how effectively you can investigate and report a breach. An organisation that has implemented the right to erasure correctly will have cleaner data inventories, making breach assessment faster and more accurate.

FAQ

Is the 72-hour notification deadline absolute?

No. Article 33(1) states notification must occur “where feasible” within 72 hours. If you exceed the deadline, you must provide a reasoned justification for the delay alongside your notification. However, supervisory authorities expect the justification to be genuine and well-documented. Routine administrative delays will not be accepted as valid reasons.

Do processors notify the supervisory authority directly?

Processors must notify the controller without undue delay after becoming aware of a personal data breach, as required by Article 33(2). Processors do not notify the supervisory authority directly – that obligation rests with the controller. The data processing agreement between controller and processor should specify the exact notification procedures and contact points to avoid delays.

Does every breach require regulatory notification?

No. Notification to the supervisory authority is required only where the breach is likely to result in a risk to the rights and freedoms of natural persons. If the breach poses no such risk – for example, an encrypted device is lost but the encryption is robust and the key has not been compromised – you must still document the breach internally but are not required to notify the authority. The internal record must include the facts of the breach, its effects, and the remedial action taken.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Panthéon-Assas University (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.