GDPR Data Breach Notification Requirements in 2026

GDPR Data Breach Notification Requirements in 2026

Updated: July 2026 

GDPR data breach notification requirements mandate that organisations report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. These legal obligations, established under Articles 33 and 34 of the General Data Protection Regulation, apply to all organisations that process the personal data of EU residents, regardless of their location.

What This Guide Covers

The content covers notification timelines, required information, risk assessment criteria, and step-by-step compliance procedures for GDPR breach notifications. General cybersecurity measures, non-EU data protection laws, and broader data protection strategies are outside its scope.

Who This Is For

The content is written for data protection officers, compliance managers, legal teams, and business owners responsible for GDPR compliance in organisations of any size, whether handling a first data breach or refining existing breach response procedures.

Why This Matters

Failure to comply with personal data breach notification requirements can result in fines of up to €10 million or 2% of the company’s global turnover, whichever is higher. Beyond financial penalties, non-compliance can lead to reputational damage, legal liability, and increased regulatory scrutiny, all of which can severely impact business operations.

What You’ll Learn:

The 72-hour notification timeline and when it starts counting

Mandatory information required in breach reports to supervisory authorities

Risk assessment criteria for determining notification obligations to data subjects

Step-by-step notification procedures for both authorities and affected individuals

Who to contact if you have any GDPR-related questions

What is a personal data breach under GDPR?

A personal data breach under GDPR is defined as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

This definition encompasses both external incidents, such as cyberattacks, and internal mishaps, including accidental disclosure. The scope is intentionally broad, covering any compromise of personal data security, whether caused by malicious actors or human error.

Personal data breaches affect three key areas of data security: confidentiality, integrity, and availability. These categories matter for accurate breach identification and determining the appropriate response under GDPR notification requirements.

What are the three types of personal data breach?

Confidentiality breaches occur when there is unauthorised disclosure of or access to personal data. Common examples include emails sent to the wrong recipients containing confidential medical details, hacking incidents that expose customer databases, or employees accessing patient records without authorisation.

Integrity breaches involve unauthorised alteration or corruption of personal data records. This connects to notification requirements because ransomware attacks, system errors that corrupt databases, or malicious modification of personal data all compromise data accuracy and may trigger reporting obligations.

Availability breaches result in the accidental or unlawful destruction, or temporary/permanent loss of access to, personal data. Building on the previous breach types, this category includes system outages that prevent access to personal data, permanent data deletion, and hardware failures that make personal data records inaccessible.

What are common data breach scenarios under GDPR?

Cyber attacks represent the most visible category, including phishing campaigns targeting employee credentials, malware infections affecting systems that contain personal data, and ransomware attacks that encrypt personal data records and demand payment for their restoration.

Human error incidents demonstrate how everyday activities can trigger notification requirements. These scenarios include sending emails with personal data to incorrect recipients, losing devices containing unencrypted personal data, or improperly disposing of documents containing personal information.

Technical failures include system crashes that affect the availability of personal data, database corruption that compromises data integrity, and cloud service outages that prevent access to personal data transmitted or stored online. Building on the breach types defined above, these scenarios illustrate how real-world incidents align with the GDPR definitions and may trigger notification obligations depending on the risk assessment outcomes.

What are the GDPR breach notification timelines and legal requirements?

The GDPR establishes a dual notification system requiring organisations to report qualifying breaches to supervisory authorities under Article 33 and, in certain circumstances, directly inform affected data subjects under Article 34.

What is the 72-hour supervisory authority notification rule?

The 72-hour countdown starts when the organisation has sufficient awareness that a personal data breach has likely occurred, not necessarily when full technical details are known.

Organisations must identify the supervisory authority competent for their jurisdiction, typically the authority of their main establishment within the EU or, for non-EU organisations, where the breach affects EU residents. This geographic scope determination affects which online form and procedures apply for notification submission.

Exception: No notification is required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This risk assessment must be documented and justified, as supervisory authorities may review decisions not to report.

When must organisations notify data subjects of a breach?

Article 34 triggers individual notification obligations when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. This creates a higher threshold than supervisory authority notification, requiring an assessment of potential adverse consequences such as identity theft, financial fraud, or discrimination.

Data subject notification must occur without undue delay after the data controller becomes aware of the high-risk breach. Unlike supervisory authority reporting, there is no specific 72-hour deadline, but organisations cannot delay unnecessarily once the high-risk determination is made.

Communication with affected individuals must use clear, plain language to describe the nature of the personal data breach and to recommend protective actions. This explicit connection to supervisory authority notification means organisations often face dual reporting obligations with overlapping timelines but different risk thresholds.

What information must a GDPR breach notification include?

Supervisory authority notifications must include the nature of the breach, the categories of data subjects involved, the approximate number of data subjects affected, and the personal data records affected. Organisations must provide contact details for their data protection officer or another designated point of contact for breach communications.

The required content also covers the likely consequences of a personal data breach, describing the potential impacts on the rights and freedoms of affected individuals. Finally, notifications must detail measures taken or proposed to address the breach and mitigate possible adverse effects.

Data subject notifications should present similar information in plain language, focusing on practical guidance that data subjects can use to protect themselves from potential adverse consequences of a breach.

How does the GDPR breach notification process work?

The steps below cover the requirements of Articles 33 and 34, from breach discovery through to final reporting, providing procedures that organisations can build into their breach response plans.

How do you notify a supervisory authority of a data breach?

When to use this: Any personal data breach that is likely to pose a risk to individuals’ rights and freedoms requires notification to the supervisory authority under Article 33.

1. Breach containment and initial assessment within hours of becoming aware: Immediately secure affected systems and begin a preliminary evaluation of the personal data affected and the potential scope of unauthorised disclosure or access.

2. Risk assessment determination for notification requirements: Evaluate whether the breach is unlikely to pose risk (no notification), likely to pose risk (supervisory authority notification), or high risk (dual notification requirement).

3. Gather the mandatory information required under Article 33(3): document categories and the approximate number of data subjects concerned, personal data records affected, the nature of the breach, and a preliminary assessment of likely consequences.

4. Submit notification to the relevant supervisory authority within 72 hours via official online form: Include all available information and clearly indicate if additional details will follow as the investigation progresses.

5. Provide additional information in phases if not available within the initial 72-hour window: GDPR allows phased reporting under Article 33(4) to avoid undue further delay in initial notification.

6. Document the entire process and maintain records as per Article 33(5): Create comprehensive documentation of breach details, the rationale for the risk assessment, notification decisions, and measures taken for potential review by the supervisory authority.

How do you assess whether a data breach requires notification?

Risk LevelSupervisory Authority NotificationData Subject Notification
Unlikely RiskNo notification requiredDocument decision rationale
RiskRequired within 72 hoursNot required
High RiskRequired within 72 hoursRequired without undue delay

This assessment framework helps organisations determine the appropriate notification obligations based on factors such as the nature of the personal data involved, the approximate number of affected individuals, the potential for identity theft or financial harm, and the involvement of vulnerable individuals, including children or patients.

What are the common challenges in GDPR breach notification?

These challenges address frequent compliance obstacles organisations encounter when implementing GDPR breach notification requirements in real-world scenarios.

How do organisations determine when the 72-hour clock starts?

Solution: Establish clear incident detection procedures with defined escalation paths and awareness triggers. Awareness occurs when personnel with the authority to act on breaches receive credible information about a security incident affecting personal data.

Document the awareness timeline and decision-making process for audit purposes, as supervisory authorities may scrutinise when the 72-hour countdown began during investigations.

What happens when full breach details are unavailable within 72 hours?

Solution: Submit initial notification with available information and provide additional details in phases as investigation progresses. GDPR specifically allows phased reporting under Article 33(4) to prevent undue further delay in meeting initial deadlines.

Clearly indicate which information is preliminary in your notification and provide realistic timelines for updates to help supervisory authorities facilitate decision-making about any required follow-up actions.

How do cross-border breaches affect notification obligations?

Solution: Identify the supervisory authority competent for your organisation using the one-stop-shop mechanism for organisations with EU establishments, or notify the authority in the member state where the breach affects residents for non-EU organisations operating in multiple member states.

Maintain current contact details for relevant supervisory authorities and understand jurisdictional rules, as incorrect notification routing can delay compliance and complicate regulatory responses.

Conclusion

GDPR data breach notification requirements establish strict timelines, commencing with a 72-hour notification to the supervisory authority. Additional obligations apply to high-risk breaches that affect individuals. Success requires solid breach-detection capabilities, clear risk-assessment frameworks, and clear reporting procedures that enable compliance even during crises.

How We Can Help

Dealing with a GDPR data breach can be challenging, but the expert team at GDPRLocal.com is here to guide you through every step.

Immediate Breach Assessment and Containment: GDPRLocal.com helps you quickly identify the scope and nature of the personal data breach, enabling you to contain the incident and prevent further data loss or damage.

Risk Assessment and Reporting: Our specialists conduct thorough risk assessments to determine the potential adverse effects on data subjects and advise whether notification to the relevant supervisory authority and affected individuals is required. We help prepare and submit accurate breach notifications within the mandatory 72-hour timeframe.

Comprehensive Documentation: GDPRLocal.com supports you in documenting breach details, decision-making processes, and remedial actions, ensuring accountability and readiness for any supervisory authority review.

Remedial Action Planning: Our team recommends and helps implement effective remedial measures to reduce the impact of the breach and prevent future occurrences, including improving your breach management process.

Training and Preparedness: Beyond incident response, GDPRLocal.com offers training for your staff to recognise personal data breaches and maintain consistent breach detection and reporting procedures, thereby strengthening your organisation’s overall data protection posture.

Frequently Asked Questions

Do you have to report every data breach to the supervisory authority?

No. Notification is required only where the breach is likely to pose a risk to individuals’ rights and freedoms. If an assessment concludes the risk is unlikely (for example, because the data was encrypted or the exposure was immediately contained), no notification is needed. You must document the decision and the reasoning behind it, as the supervisory authority may request a review.

How long do you need to keep records of data breaches under GDPR?

Article 33(5) requires data controllers to document all personal data breaches, including those that did not require notification. There is no fixed retention period specified in the GDPR itself, but supervisory authorities generally expect records to be kept for a minimum of three years, and some recommend five. The record should cover the facts of the breach, its effects, and the remedial action taken.

What happens if you miss the 72-hour notification deadline?

Late notification is penalised at the supervisory authority’s discretion. Notify as soon as possible after becoming aware and explain the delay in the submission itself. Supervisory authorities weigh the circumstances, the severity of the breach, and whether the late notification caused further harm. Deliberate or repeated failures carry a higher enforcement risk, with penalties of up to €10 million or 2% of annual global turnover.

Ana Mishova

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.