
Data Breach? Here Is Exactly What to Do in the Next 72 Hours


GDPR gives you 72 hours to notify your supervisory authority after discovering a data breach — or face separate fines on top of the breach itself. This is the step-by-step response plan every business needs before a breach happens.


The Clock Starts the Moment You Become Aware

Under GDPR Article 33, when a personal data breach occurs, the controller must notify the competent supervisory authority within 72 hours of becoming aware of it — unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

That 72-hour window is not when the breach is confirmed. It is not when the full investigation is complete. It starts when you have reasonable certainty that a breach has likely occurred.

Missing the deadline is a separate GDPR violation, carrying fines of up to €10 million or 2% of global annual turnover — in addition to any fines for the breach itself.

The businesses that handle breaches well are not the ones that are luckiest. They are the ones that have a plan written down before anything goes wrong.

What Counts as a Personal Data Breach?

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

This includes:

  • A hacker gaining access to your customer database
  • An employee emailing a list of client details to the wrong recipient
  • A lost or stolen laptop containing unencrypted personal data
  • Accidental deletion of personal data with no backup
  • A cloud storage misconfiguration exposing files to the public
  • A ransomware attack encrypting personal data
It does not automatically include every security incident. If an unauthorised person attempts to access data but fails, or if data is encrypted and the key is not compromised, a notifiable breach may not have occurred — but you must still assess and document the incident.

Three Types of Breach — Different Responses

Confidentiality breach: Unauthorised or accidental disclosure of personal data (e.g. email sent to wrong recipient, database accessed by unauthorised party)

Integrity breach: Unauthorised or accidental alteration of personal data (e.g. data modified by an attacker, records corrupted)

Availability breach: Accidental or unauthorised loss of access to or destruction of personal data (e.g. ransomware encrypting data, accidental deletion, server failure with no backup)

Each type requires the same initial assessment: what data was affected, how many people, and what is the likely risk to those individuals?

The 72-Hour Response Plan

Hour 0-4: Contain and Assess

Immediate containment:

  • Isolate affected systems to prevent further data exposure
  • Revoke access credentials if compromised
  • Preserve evidence — do not wipe affected systems immediately, as this destroys forensic evidence
  • Inform your IT team, security provider, or external incident response specialist

Initial assessment — answer these questions:

  • What personal data was affected? (names, emails, financial data, health data, passwords, IDs)
  • How many individuals are affected?
  • How did the breach occur?
  • Is the breach ongoing or contained?
  • What categories of data subjects are affected? (customers, employees, children, vulnerable individuals)
  • What is the likely impact on those individuals? (financial loss, identity theft, reputational damage, physical risk)

Hour 4-24: Notify Internally and Begin Documentation

Internal notification:

  • Notify your Data Protection Officer (DPO) if you have one — they must be involved immediately
  • Notify senior management and legal counsel
  • Begin your breach log (Article 33(5) requires all breaches to be documented, even those that do not require external notification)

The breach log entry must include:

  • Date and time the breach was discovered
  • Date and time the breach occurred (if known)
  • Nature of the breach (confidentiality, integrity, availability)
  • Categories and approximate number of personal data records affected
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

This documentation is mandatory. Regulators will ask for it.

Hour 24-48: Decide Whether Notification Is Required

Do you need to notify your supervisory authority?

Notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Apply this risk test:

Notification is likely required if:

  • Financial data was exposed (risk of fraud or financial loss)
  • Login credentials were compromised (risk of account takeover)
  • Large numbers of individuals are affected
  • Special category data was involved (health, biometric, racial, religious, political data)
  • The data relates to vulnerable individuals or children
  • The data has already been misused or sold

Notification may not be required if:

  • The data was properly encrypted and the encryption key was not compromised
  • Only a small number of individuals were affected, with minimal risk
  • The data was publicly available information with no sensitive content

When in doubt, notify. Regulators consistently take a less severe view of organisations that over-notify than of those that underestimate risk and fail to notify.

Which supervisory authority do you notify?

  • For EU-based businesses: the DPA of your main establishment (e.g. Cyprus Commissioner for Personal Data Protection, Irish DPC, French CNIL)
  • For UK-based businesses: the Information Commissioner's Office (ICO)
  • If you operate in multiple EU member states: notify your lead supervisory authority (determined by your main establishment)

Hour 48-72: Submit the Notification

What the notification must contain (Article 33(3)):

  • Nature of the breach — including the categories and approximate number of data subjects and records affected
  • DPO contact details — or another point of contact for further information
  • Likely consequences — describe what you believe the impact will be on affected individuals
  • Measures taken or proposed — what you have done and plan to do to address the breach and mitigate its effects

If you do not have all information available within 72 hours — which is common in complex breaches — submit what you have and follow up. Article 33(4) explicitly permits phased notification where complete information is not available in time. Submitting an incomplete notification on time is far better than a complete notification submitted late.

Do You Also Need to Notify Affected Individuals?

Under GDPR Article 34, you must also notify affected individuals without undue delay (no specific timeframe, but typically within days) if the breach is likely to result in a high risk to their rights and freedoms.

High-risk indicators:

  • Financial data exposed with risk of fraud
  • Passwords or authentication credentials compromised
  • Special category data exposed (medical, biometric, etc.)
  • Identity theft risk
  • Data of vulnerable persons or children

The notification to individuals must:

  • Use clear, plain language
  • Describe the nature of the breach
  • Give DPO contact details
  • Describe likely consequences
  • Describe measures taken to address the breach
  • Give practical advice on what individuals can do to protect themselves (e.g. change passwords, monitor bank statements)

What You Are NOT Required to Notify Individuals About

You do not need to notify individuals if:

  • You implemented appropriate encryption and the key is safe
  • You have taken measures that eliminate the high risk to individuals
  • Individual notification would involve disproportionate effort — in which case a public communication is permitted instead
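The Article 33 and Article 34 decision steps above (the 72-hour clock from the moment of awareness, the breach log fields, the authority risk test with its encryption and small-scale exemptions, and the individual-notification test with its three exceptions) can be encoded so that a response team applies them the same way every time. The following Python module is an added example written for this page, not code from the article or its authors; the numeric thresholds (SMALL_SCALE, LARGE_SCALE, DISPROPORTIONATE), the category labels and the sample breach are assumptions made for illustration, and a real incident response plan would set them to values agreed with legal counsel.

```python
"""Breach-response helper for the GDPR Article 33/34 decisions described above.
Illustrative code only; thresholds and category labels are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Set, Tuple

NOTIFICATION_WINDOW = timedelta(hours=72)   # Article 33(1)
SMALL_SCALE = 10            # assumed: "a small number of individuals"
LARGE_SCALE = 1000          # assumed: "large numbers of individuals"
DISPROPORTIONATE = 100_000  # assumed: individual letters impractical, public notice instead

# Data categories the article flags as raising risk (financial, credentials, special category).
RISK_CATEGORIES = {"financial", "credentials", "health", "biometric",
                   "racial", "religious", "political"}
VULNERABLE_SUBJECTS = {"children", "vulnerable"}


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass
class BreachRecord:
    """One breach-log entry; the fields follow the Article 33(5) checklist above."""
    discovered_at: datetime          # moment of awareness: starts the 72-hour clock
    breach_type: BreachType
    data_categories: Set[str]        # e.g. {"names", "emails", "credentials"}
    records_affected: int
    subjects_affected: int
    subject_categories: Set[str]     # e.g. {"customers", "children"}
    occurred_at: Optional[datetime] = None   # if known
    encrypted: bool = False          # data was encrypted and the key is held separately
    key_compromised: bool = False
    already_misused: bool = False
    risk_eliminated: bool = False    # e.g. every exposed credential reset before any misuse
    measures: List[str] = field(default_factory=list)


def notification_deadline(record: BreachRecord) -> datetime:
    """Latest time to notify the supervisory authority (Article 33(1))."""
    return record.discovered_at + NOTIFICATION_WINDOW


def hours_remaining(record: BreachRecord, now: datetime) -> float:
    return (notification_deadline(record) - now).total_seconds() / 3600


def high_risk_indicators(record: BreachRecord) -> List[str]:
    """Indicators shared by the Article 33 risk test and the Article 34 high-risk test."""
    found = []
    sensitive = sorted(record.data_categories & RISK_CATEGORIES)
    if sensitive:
        found.append("sensitive data exposed: " + ", ".join(sensitive))
    if record.subject_categories & VULNERABLE_SUBJECTS:
        found.append("vulnerable individuals or children affected")
    if record.already_misused:
        found.append("data already misused or sold")
    return found


def risk_indicators(record: BreachRecord) -> List[str]:
    """Article 33 risk test: the high-risk indicators plus scale."""
    found = high_risk_indicators(record)
    if record.subjects_affected >= LARGE_SCALE:
        found.append(f"large scale ({record.subjects_affected} individuals)")
    return found


def authority_notification_required(record: BreachRecord) -> Tuple[bool, str]:
    """Article 33: notify unless the breach is unlikely to result in a risk."""
    if record.encrypted and not record.key_compromised:
        return False, "data encrypted and key not compromised; log only"
    indicators = risk_indicators(record)
    if indicators:
        return True, "; ".join(indicators)
    if record.subjects_affected <= SMALL_SCALE:
        return False, "small number of individuals, minimal risk; log only"
    return True, "no exemption clearly applies; when in doubt, notify"


def individual_notification(record: BreachRecord) -> str:
    """Article 34: returns 'notify', 'public communication' or 'not required'."""
    if not high_risk_indicators(record):
        return "not required"            # no high-risk indicator present
    if record.encrypted and not record.key_compromised:
        return "not required"            # encryption exception
    if record.risk_eliminated:
        return "not required"            # high risk already removed by measures taken
    if record.subjects_affected > DISPROPORTIONATE:
        return "public communication"    # disproportionate effort exception
    return "notify"


# Constructed sample (not a real incident): a customer table with login credentials exposed.
SAMPLE = BreachRecord(
    discovered_at=datetime(2024, 3, 1, 9, 0),
    breach_type=BreachType.CONFIDENTIALITY,
    data_categories={"names", "emails", "credentials"},
    records_affected=5000,
    subjects_affected=5000,
    subject_categories={"customers"},
    measures=["affected database isolated", "forced password reset scheduled"],
)

if __name__ == "__main__":
    print("deadline:", notification_deadline(SAMPLE))
    print("authority:", authority_notification_required(SAMPLE))
    print("individuals:", individual_notification(SAMPLE))
```

The two assessment functions deliberately fall through to "notify" whenever no exemption clearly applies, matching the article's "when in doubt, notify" rule, and the deadline is computed from `discovered_at` rather than from any later confirmation time, because that is when the clock starts.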
After the 72 Hours: The Longer Response

Once the immediate notification is handled, focus on:

Root cause analysis — what caused the breach and how can it be prevented?

Remediation — patching vulnerabilities, updating access controls, improving encryption, staff training

Policy review — does the breach reveal gaps in your data protection policies, incident response procedures, or vendor management?

Regulatory liaison — the supervisory authority may request further information, an audit, or corrective measures. Cooperate fully and promptly.

Legal review — assess potential civil liability to affected individuals under GDPR Article 82, which gives data subjects the right to compensation for material and non-material damage caused by a breach

The One Thing That Makes Everything Easier

Every organisation that handles a breach well has one thing in common: they had a written Incident Response Plan before the breach happened.

An IRP defines:

  • Who is responsible for managing a breach (the response team)
  • The step-by-step process from detection to notification
  • Contact details for your DPA, legal counsel, and IT security
  • Template notification letters for supervisory authorities and individuals
  • The breach log template

Creating this plan after a breach has already started is like writing a fire escape plan during a fire.

Need a GDPR Incident Response Plan or Data Breach Notification Procedure? Our legal team provides ready-to-use breach response documentation customised to your organisation — delivered in 48 hours.
