What are the GDPR data breach notification requirements?
GDPR data breach notification requirements force organizations to act quickly when personal data confidentiality, integrity, or availability is compromised. Delays and poor documentation are common enforcement triggers.
Key takeaways
- A personal data breach is any breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
- Controllers must notify the supervisory authority within 72 hours of becoming aware, when the breach is likely to result in risk to individuals.
- Processors must notify the controller without undue delay after becoming aware.
- You must maintain a breach register even for incidents not reported externally.
This guide covers:
- Definition and examples of reportable breaches
- Authority notification timelines and required details
- Individual notification thresholds
- Operational playbook elements

What counts as a personal data breach?
| Type | Example |
|---|---|
| Confidentiality | Ransomware exfiltrating customer database |
| Integrity | Unauthorized modification of payroll records |
| Availability | Extended outage with no usable backups, creating a risk of permanent data loss |
Not every security incident is a GDPR breach—but assume breach until assessed. Document discovery time, scope, categories of data, and number of affected individuals.
Notification timelines and content
Processor → controller (Article 33(2))
Processors notify the controller without undue delay after becoming aware, providing details needed for regulatory reporting.
Controller → supervisory authority (Article 33)
| Rule | Detail |
|---|---|
| Deadline | 72 hours after becoming aware (or explain delay) |
| Threshold | Notify if breach is likely to result in a risk to rights and freedoms |
| Phased notice | Initial notification may be incomplete; provide updates as investigation proceeds |
Article 33(3) content typically includes:
- Nature of the breach (categories and approximate numbers)
- DPO or contact point
- Likely consequences
- Measures taken or proposed to address the breach
If notification is not required, document why risk was unlikely.
When to notify affected individuals
Under Article 34, communicate the breach to data subjects without undue delay when it is likely to result in a high risk to them.
| High-risk indicator | Example mitigation in notice |
|---|---|
| Financial fraud risk | Credit monitoring, password reset |
| Sensitive health data exposed | Medical identity theft guidance |
| Credentials leaked | Force password reset, MFA enrollment |
Exceptions to individual notice may apply if you implemented appropriate technical protections (e.g., encryption), subsequent measures eliminated high risk, or notice would involve disproportionate effort (public communication may substitute).
Use clear, plain language—not legalese.
Building a breach response program
- Detection — monitoring, employee reporting, vendor alerts.
- Triage — severity, data categories, legal/comms escalation.
- Containment & recovery — isolate systems, preserve forensics.
- Assessment — risk to individuals; 72-hour clock management.
- Notification — authority, individuals, contracts, insurers.
- Post-incident review — root cause, control improvements, register update.
Run tabletop exercises twice yearly. Align with ISO 27001 incident management where applicable.
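To show how the Article 33/34 thresholds above and the "72-hour clock management" step of the playbook can be tracked in a breach register, here is an added example that is not part of the original guide or of SecureSlate; the record fields, the risk labels and the sample breach are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)  # Article 33(1): counted from the moment of awareness
RISK_LEVELS = ("unlikely", "risk", "high")  # assumed labels for the assessed risk to individuals


@dataclass
class BreachRecord:
    """One entry in the internal breach register; kept for every breach, reported or not."""
    ref: str                        # internal reference (assumed naming scheme)
    aware_at: datetime              # when the controller had enough detail to assess
    breach_types: set               # subset of {"confidentiality", "integrity", "availability"}
    risk: str                       # one of RISK_LEVELS
    encrypted: bool = False         # data was protected by appropriate encryption
    keys_compromised: bool = False  # if True, encryption no longer reduces the risk
    rationale: str = ""             # why the risk was assessed as it was (always recorded)

    def __post_init__(self):
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"risk must be one of {RISK_LEVELS}")

    def authority_deadline(self) -> datetime:
        """Latest time for the supervisory-authority notification (or an explained delay)."""
        return self.aware_at + NOTIFY_WINDOW

    def obligations(self) -> dict:
        """Apply the Article 33/34 thresholds and return what must happen."""
        notify_authority = self.risk in ("risk", "high")
        # Encryption is an exception to individual notice only while the keys are safe;
        # with compromised keys the high-risk assessment stands (see FAQ on encrypted data).
        encryption_exception = self.encrypted and not self.keys_compromised
        return {
            "register_entry": True,  # maintained even when nothing is reported externally
            "notify_authority": notify_authority,
            "notify_individuals": self.risk == "high" and not encryption_exception,
            "document_no_notify_reason": not notify_authority,
        }

    def authority_status(self, now: datetime) -> str:
        """Where the 72-hour clock stands at time `now`."""
        if not self.obligations()["notify_authority"]:
            return "not required"
        remaining = self.authority_deadline() - now
        if remaining < timedelta(0):
            return f"overdue by {-remaining}; explain the delay in the notification"
        return f"{remaining} remaining"


# Constructed sample: ransomware exfiltrated a customer database; no encryption keys involved.
SAMPLE = BreachRecord(
    ref="BR-EXAMPLE-001", aware_at=datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),
    breach_types={"confidentiality"}, risk="high",
    rationale="Customer names, e-mail addresses and hashed passwords exfiltrated; fraud risk.")
```

Running `SAMPLE.authority_status(datetime.now(timezone.utc))` reports the remaining time or the overdue amount, and `SAMPLE.obligations()` lists which notifications apply.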
Get audit-ready with SecureSlate
SecureSlate helps teams document incident controls, evidence, and remediation tasks alongside broader security and privacy programs.
FAQ
Does the 72-hour clock start at discovery or exploitation?
It starts when the controller becomes aware of the breach with enough detail to assess whether notification is required; record the moment awareness occurred.
Do we notify for encrypted data?
Encryption reduces risk but does not automatically remove the obligation to notify. Assess whether keys were compromised and how likely re-identification is.
Are ransomware attacks always reportable?
Often, yes: when access to or exfiltration of personal data is likely. Each incident requires a documented risk assessment.
Disclaimer (legal note)
General information only—not legal advice. Breach notification involves jurisdiction-specific supervisory authority procedures and sector rules.
