ISpectra Technologies
Requirements & Roadmap · Guide · Updated Jun 2026 · 9 min read

GDPR Data Breach Notification: The 72-Hour Rule

A qualifying breach must reach the regulator within 72 hours. Here’s what counts, who to tell, and how to be ready.


No part of GDPR moves faster than breach notification. When personal data is compromised, the clock starts immediately, and a fumbled response can turn a manageable incident into a regulatory and reputational crisis. Breach readiness is one of the most practical tests of GDPR compliance.

This guide explains what counts as a breach, the 72-hour rule, when you must tell individuals, what your notifications must contain, and how to build a response plan that works under pressure.

The 72-hour rule in brief

When personal data is compromised, GDPR imposes one of its most time-pressured obligations: a qualifying breach must be reported to your supervisory authority within 72 hours of becoming aware of it. Where the breach poses a high risk to individuals, you must also tell them, without undue delay.

That clock is unforgiving, and it starts the moment you become aware — not when you have finished investigating. So breach readiness has to exist before an incident, not be improvised during one.

What counts as a personal data breach

A personal data breach is broader than a hack. GDPR defines it as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

So a lost laptop, an email sent to the wrong recipient, ransomware that encrypts your data, or an employee accessing records they shouldn’t can all be breaches — not just external attacks.

The three types of breach

It helps to think in three categories: a confidentiality breach (unauthorised disclosure or access), an integrity breach (unauthorised alteration), and an availability breach (loss of access to or destruction of data). A single incident can involve more than one.

Ransomware, for example, is often both an availability breach (you lose access) and a potential confidentiality breach (the attacker may have copied data).

When you must notify the regulator

You must notify your supervisory authority of a breach within 72 hours unless the breach is unlikely to result in a risk to people’s rights and freedoms. The default leans toward notifying: if you are unsure whether there is a risk, you generally should report.

If you notify after 72 hours, you must explain the delay, so it is far better to report on time, even with incomplete information.

When you must notify individuals

Where a breach is likely to result in a high risk to individuals — for example exposing sensitive data, financial details or anything that could lead to fraud, discrimination or serious harm — you must inform the affected people without undue delay.

The notice should be in clear language and help people protect themselves, such as advising them to change passwords or watch for fraud.

What the regulator notification must include

A notification to the authority should describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, the measures taken or proposed, and the contact point (such as your DPO) for more information.

You do not need every detail at the 72-hour mark — an initial notification with what you know is acceptable.

Phased notification is allowed

Because investigations take time, GDPR permits phased notification: report what you know within 72 hours, then provide further information as it becomes available. This is far better than missing the deadline while you investigate.

Make your initial report on time, flag that more will follow, and update the authority as your understanding improves.

The processor’s role

If a processor suffers a breach, it must notify the controller without undue delay. The controller then assesses whether the regulator and individuals need to be told and meets the 72-hour deadline.

This chain only works if your Data Processing Agreements and incident processes make the handoff fast — a slow processor notification can blow your deadline.

Handled well, this is one more building block of practical GDPR compliance.

You must record every breach

Regardless of whether a breach is notifiable, you must document it: the facts, its effects, and the action taken. This breach register is part of your accountability obligations and lets the regulator verify your compliance.

Recording near-misses and minor incidents too builds a picture of your risks and demonstrates a mature approach.

Assessing the risk

The crucial judgement is the risk assessment: how likely is harm to individuals, and how severe? Consider the type of data, how easily individuals could be identified, the number affected, and the potential consequences. This determines whether you notify the regulator, the individuals, both, or neither.

Document your reasoning either way — deciding not to notify is a decision you must be able to justify.

Build a breach response plan

The only way to meet a 72-hour deadline reliably is to prepare. A response plan should define how breaches are detected and reported internally, who assesses risk, who decides on notification, and who drafts and sends it — with clear roles and out-of-hours cover.

Rehearse the plan with tabletop exercises, because the first time you run your process should not be during a real incident.

Common breach mistakes

Frequent failings include not recognising an incident as a breach, starting the clock too late, missing the 72-hour window while investigating, failing to notify individuals when the risk is high, and not documenting non-notified breaches. Each is avoidable with a clear plan and a bias toward prompt action.

Remember that how you respond matters: regulators treat a prompt, honest, well-handled breach very differently from a concealed one.

How ISpectra helps

Breach readiness is one of the clearest tests of practical GDPR compliance. ISpectra Technologies helps organisations build breach response plans that meet the 72-hour deadline, set up detection and internal escalation, prepare notification templates, run tabletop exercises, and maintain the breach register that accountability requires.

If your breach process is untested, a short engagement will make sure you are ready before you need to be.

In one paragraph

GDPR requires you to report a qualifying personal data breach — any security incident leading to loss, alteration, or unauthorised disclosure of or access to personal data — to your supervisory authority within 72 hours of becoming aware, unless it is unlikely to pose a risk. Where the risk to individuals is high, you must also notify them without undue delay. The notification describes the breach, those affected, the likely consequences and your response; phased reporting is allowed; processors must alert controllers promptly; and you must document every breach. The only way to hit the deadline reliably is a tested response plan, prepared before an incident strikes.

When the clock starts — “awareness”

One detail catches many organisations out: the 72 hours run from when you become aware of the breach, and awareness is interpreted broadly. You are “aware” once you have a reasonable degree of certainty that a security incident has compromised personal data — not once your investigation is complete. A short period to confirm that an incident is real and involves personal data is acceptable, but you cannot stop the clock simply because you have not finished understanding the full impact.

This is why detection and internal escalation matter so much. If a help-desk ticket or a worried employee sits in a queue for two days before anyone recognises it as a breach, much of your 72 hours is already gone. Make sure staff know how to recognise and immediately escalate a suspected breach, and that there is a clear, always-available route to the people who assess risk and decide on notification — including out of hours and at weekends, when incidents have an awkward habit of occurring.

Breach Notification: Frequently Asked Questions

You must notify your supervisory authority of a qualifying personal data breach within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to individuals.

Any security breach leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data counts — including lost devices and missent emails.

Where the breach is likely to result in a high risk to them, you must inform individuals without undue delay, in clear language that helps them protect themselves.

GDPR allows phased notification. Report what you know within 72 hours and provide further information as it becomes available, rather than missing the deadline.

You must document every breach — the facts, effects and action taken — in a breach register, regardless of whether it was notifiable.

A processor must notify the controller without undue delay after becoming aware of a breach, so the controller can meet the 72-hour deadline.