GDPR Data Breach Notification Requirements

GDPR data breach notification requirements oblige a data controller to report a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. These obligations, set out in Articles 33 and 34 of the General Data Protection Regulation, apply to any organisation within the Regulation’s territorial scope (Article 3): organisations established in the EU/EEA, and organisations outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA. A processor that detects a breach does not notify the authority itself but must notify the controller without undue delay (Article 33(2)).

What This Guide Covers

This guide provides a comprehensive breakdown of notification timelines, required information, risk assessment criteria, and step-by-step compliance procedures for GDPR breach notifications. This does NOT cover general cybersecurity measures, non-EU data protection laws, or broader data protection strategies beyond notification requirements.

Who This Is For

This guide is designed for data protection officers, compliance managers, legal teams, and business owners responsible for GDPR compliance in organisations of any size. Whether you’re handling your first data breach or refining existing breach response procedures, you’ll find actionable compliance guidance and practical implementation steps.

Why This Matters

Failure to comply with personal data breach notification requirements can result in fines of up to €10 million or 2% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)). Beyond financial penalties, non-compliance can lead to reputational damage, legal liability, and increased regulatory scrutiny, all of which can severely impact business operations.

What You’ll Learn:

• The 72-hour notification timeline and when it starts counting
• Mandatory information required in breach reports to supervisory authorities
• Risk assessment criteria for determining notification obligations to data subjects
• Step-by-step notification procedures for both authorities and affected individuals

Personal Data Breaches

A personal data breach under GDPR is defined as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

This definition encompasses both external incidents, such as cyberattacks, and internal mishaps, including accidental disclosure. The scope is intentionally broad, covering any compromise of personal data security, whether caused by malicious actors or human error.

Personal data breaches affect three key areas of data security: confidentiality, integrity, and availability of personal data. Understanding these categories is crucial for accurate breach identification and determining the appropriate response under GDPR notification requirements.

Types of Personal Data Breaches

Confidentiality breaches occur when there is unauthorised disclosure of or access to personal data. Common examples include emails sent to the wrong recipients containing confidential medical details, hacking incidents that expose customer databases, or employees accessing patient records without authorisation.

Integrity breaches involve unauthorised or accidental alteration of personal data records. System errors that corrupt a database, or malicious modification of personal data, compromise the accuracy of the data and may trigger reporting obligations. A single incident can fall into more than one category: ransomware that encrypts records is primarily an availability breach, and if the attacker also exfiltrated the data before encrypting it, it is a confidentiality breach as well.

Availability breaches result in the accidental or unlawful destruction of personal data, or a temporary or permanent loss of access to it. This category includes system outages that prevent access to personal data, permanent data deletion, and hardware failures that make personal data records inaccessible. A temporary loss of availability is still a breach; whether it must be reported depends on the risk assessment (a hospital unable to reach patient records is a very different case from a brief outage with no effect on anyone), but either way it should be documented.

Common Breach Scenarios and Examples

Cyberattacks represent the most visible category, including phishing campaigns targeting employee credentials, malware infections affecting systems that contain personal data, and ransomware attacks that encrypt personal data records and demand payment for their restoration.

Human error incidents demonstrate how everyday activities can trigger notification requirements. These scenarios include sending emails with personal data to incorrect recipients, losing devices containing unencrypted personal data, or improperly disposing of documents containing personal information.

Technical failures encompass system crashes that affect personal data availability, database corruption that compromises data integrity, and cloud service outages that prevent access to personal data transmitted or stored online. Each of these scenarios fits the Article 4(12) definition of a personal data breach; whether it must be reported depends on the outcome of the risk assessment.

GDPR Notification Timeline and Legal Requirements

The GDPR establishes a dual notification system requiring organisations to report qualifying breaches to supervisory authorities under Article 33 and, in certain circumstances, directly inform affected data subjects under Article 34.

72-Hour Supervisory Authority Notification Rule

The 72-hour clock starts when the controller “becomes aware” of the breach. The Article 29 Working Party guidelines on breach notification (endorsed by the EDPB) read this as the point at which the controller has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised, not the point at which every technical detail is known. A short period of investigation to establish whether a breach has actually occurred is acceptable, but the clock does not wait for the investigation to finish. If the notification is made after 72 hours, it must be accompanied by the reasons for the delay (Article 33(1)).

Organisations must identify the competent supervisory authority. For an organisation with an establishment in the EU that carries out cross-border processing, this is the lead supervisory authority of its main establishment (Article 56). For an organisation with no EU establishment, the one-stop-shop mechanism does not apply, and the supervisory authority of each member state in which affected data subjects are located is competent. This determination decides which online form and procedure apply to the submission.

Exception: No notification is required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This risk assessment must be documented in the breach record required by Article 33(5) and justified, because supervisory authorities may review a decision not to report.

Data Subject Notification Requirements

Article 34 triggers individual notification obligations when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. This creates a higher threshold than supervisory authority notification, requiring an assessment of potential adverse consequences such as identity theft, financial fraud, or discrimination.

Data subject notification must occur without undue delay after the data controller becomes aware of the high-risk breach. Unlike supervisory authority reporting, there is no specific 72-hour deadline, but organisations cannot delay unnecessarily once the high-risk determination is made.

The communication must describe, in clear and plain language, the nature of the personal data breach, and must contain at least the contact point, the likely consequences and the measures taken or proposed (Article 34(2)), together with advice on what individuals can do to protect themselves. Three exceptions apply (Article 34(3)): the data were rendered unintelligible to anyone not authorised to access them, for example by encryption whose key was not compromised; the controller has since taken measures that mean the high risk is no longer likely to materialise; or individual communication would involve disproportionate effort, in which case a public communication that informs individuals equally effectively is used instead. A supervisory authority may also require a controller to communicate a breach to individuals (Article 34(4)). Organisations therefore often face dual reporting obligations with overlapping timelines but different risk thresholds.

Mandatory Information for Breach Notifications

Supervisory authority notifications must describe the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned (Article 33(3)(a)). Organisations must provide the name and contact details of their data protection officer or another contact point from which more information can be obtained (Article 33(3)(b)).

The required content also covers the likely consequences of the personal data breach, describing the potential impacts on the rights and freedoms of affected individuals (Article 33(3)(c)). Finally, notifications must describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects (Article 33(3)(d)).

Data subject notifications should present similar information in plain language, focusing on practical guidance that data subjects can use to protect themselves from potential adverse consequences of a breach.

Step-by-Step Notification Process

This section covers the practical implementation of the requirements of Articles 33 and 34, from breach discovery through to final reporting, providing actionable procedures that organisations can integrate into their breach response plans.

Step-by-Step: Supervisory Authority Notification Process

When to use this: Any personal data breach likely to result in a risk to individuals’ rights and freedoms requires notification to the supervisory authority under Article 33.

1. Breach containment and initial assessment within hours of becoming aware: Immediately secure affected systems and begin a preliminary evaluation of the personal data affected and the potential scope of unauthorised disclosure or access.

2. Risk assessment determination for notification requirements: Evaluate whether the breach is unlikely to result in risk (no notification), likely to result in risk (supervisory authority notification), or high risk (dual notification requirement).

3. Gather mandatory information required under Article 33(3): Document categories and approximate number of data subjects concerned, personal data records affected, nature of the breach, and preliminary assessment of likely consequences.

4. Submit the notification to the competent supervisory authority, where feasible within 72 hours, via its official online form: Include all available information and clearly indicate which details will follow as the investigation progresses. If the 72 hours have already passed, state the reasons for the delay in the notification itself (Article 33(1)).

5. Provide additional information in phases if not available within the initial 72-hour window: GDPR allows phased reporting under Article 33(4) to avoid undue further delay in initial notification.

6. Document the entire process and maintain records as per Article 33(5): Record the facts of the breach, its effects and the remedial action taken, together with the risk assessment rationale and notification decisions. This record is required for every personal data breach, including those assessed as not requiring notification, so that the supervisory authority can verify compliance.

    Risk Assessment: Risk vs. High Risk Thresholds

    Risk Level    | Supervisory Authority Notification                       | Data Subject Notification
    Unlikely Risk | Not required; document the decision under Article 33(5)  | Not required
    Risk          | Required, where feasible within 72 hours                 | Not required
    High Risk     | Required, where feasible within 72 hours                 | Required without undue delay, unless an Article 34(3) exception applies

    This assessment framework helps organisations determine the appropriate notification obligations based on factors such as the nature of the personal data involved, the approximate number of affected individuals, the potential for identity theft or financial harm, and the involvement of vulnerable individuals, including children or patients.
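    The following breach register helper turns the six steps and the risk table above into something an incident response team can actually run. It is an added illustration written for this guide, not a regulator's tool or an official form: the field names, the sample incident and the `BR-0001` reference are assumptions, and the output is a checklist for the DPO, not a legal determination.

```python
"""Breach register helper for the Article 33/34 decision steps above.
Added illustration, not an official tool or a regulator's form; the field
names and the sample incident are this example's own assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33(1): where feasible, not later than 72 hours


class Risk(Enum):
    UNLIKELY = "unlikely"  # unlikely to result in a risk: no Art. 33 notification
    RISK = "risk"          # likely to result in a risk: notify supervisory authority
    HIGH = "high"          # likely to result in a high risk: also inform data subjects


# Minimum content of a notification under Art. 33(3)(a)-(d); the key names are assumed.
ART33_3_FIELDS = (
    "nature",                   # (a) what happened and which security property failed
    "data_subject_categories",  # (a)
    "approx_data_subjects",     # (a)
    "record_categories",        # (a)
    "approx_records",           # (a)
    "contact_point",            # (b) DPO or other contact point
    "likely_consequences",      # (c)
    "measures",                 # (d) taken or proposed
)


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Timezone-aware timestamps; the register should never hold naive local times."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class BreachRecord:
    reference: str
    aware_at: datetime                      # reasonable degree of certainty reached
    risk: Risk
    details: Dict[str, object] = field(default_factory=dict)
    data_unintelligible: bool = False       # Art. 34(3)(a), e.g. encrypted and key not compromised
    notified_at: Optional[datetime] = None  # when the Art. 33 notification was submitted


def obligations(rec: BreachRecord) -> Dict[str, bool]:
    """Who must be told for this risk tier. Art. 33(5) documentation applies to every breach."""
    return {
        "supervisory_authority": rec.risk in (Risk.RISK, Risk.HIGH),
        "data_subjects": rec.risk is Risk.HIGH and not rec.data_unintelligible,
        "document_internally": True,
    }


def missing_fields(rec: BreachRecord) -> List[str]:
    """Art. 33(3) items not yet known; a non-empty list means phased reporting under Art. 33(4)."""
    return [f for f in ART33_3_FIELDS if rec.details.get(f) in (None, "")]


def deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + NOTIFY_WINDOW


def status(rec: BreachRecord, now: datetime) -> Dict[str, object]:
    """Snapshot of the record at `now`: obligations, clock, lateness and completeness."""
    due = deadline(rec)
    duty = obligations(rec)
    # Late if the notification went out after the deadline, or has not gone out and the deadline passed.
    late = duty["supervisory_authority"] and (rec.notified_at or now) > due
    return {
        "obligations": duty,
        "deadline_utc": due.isoformat(),
        "hours_remaining": round((due - now).total_seconds() / 3600, 1),
        "submitted": rec.notified_at is not None,
        "needs_reasons_for_delay": late,  # Art. 33(1): a late notification must explain the delay
        "phased_reporting": duty["supervisory_authority"] and bool(missing_fields(rec)),
        "missing_fields": missing_fields(rec),
    }


# Constructed sample incident: a phished customer-service mailbox (confidentiality breach).
SAMPLE = BreachRecord(
    reference="BR-0001",  # hypothetical reference
    aware_at=utc(2024, 3, 4, 9, 30),
    risk=Risk.HIGH,
    details={
        "nature": "confidentiality: unauthorised access to a customer-service mailbox",
        "data_subject_categories": "customers",
        "approx_data_subjects": 3200,
        "record_categories": "names, email addresses, order history",
        "approx_records": 4100,
        "contact_point": "dpo@example.com",  # placeholder address
        "likely_consequences": "targeted phishing and fraud against affected customers",
        # "measures" deliberately absent: still being decided, so the first report is phased
    },
)

if __name__ == "__main__":
    import json
    print(json.dumps(status(SAMPLE, utc(2024, 3, 5, 12, 0)), indent=2))
```

    Two design points matter in practice. The clock is keyed to `aware_at`, the moment of reasonable certainty, not to the time someone fills in the form, so the register forces the team to record that timestamp explicitly. And `missing_fields` is checked against the Article 33(3) list rather than against the form, so a report that goes out with gaps is automatically flagged as phased and the follow-up is tracked instead of forgotten.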

    Common Challenges and Solutions

    This section addresses frequent compliance obstacles that organisations encounter when implementing GDPR breach notification requirements in real-world scenarios.

    Challenge 1: Determining When an Organisation “Becomes Aware” of a Breach

    Solution: Establish clear incident detection procedures with defined escalation paths and awareness triggers. Awareness occurs when the controller has a reasonable degree of certainty that a security incident has compromised personal data. In practice that means the incident has reached the people with authority to act on it, which is why the escalation path matters: supervisory authorities expect internal escalation to be prompt and will examine whether slow escalation kept the organisation artificially unaware.

    Document the awareness timeline and decision-making process for audit purposes, as supervisory authorities may scrutinise when the 72-hour countdown began during investigations.

    Challenge 2: Incomplete Information Within 72-Hour Window

    Solution: Submit initial notification with available information and provide additional details in phases as investigation progresses – GDPR specifically allows phased reporting under Article 33(4) to prevent undue further delay in meeting initial deadlines.

    Clearly indicate which information is preliminary in your notification and give realistic timelines for updates, so the supervisory authority can decide whether any follow-up action is needed.

    Challenge 3: Cross-Border Notification Requirements

    Solution: Identify the competent supervisory authority. For organisations with a main establishment in the EU, this is the lead supervisory authority under the one-stop-shop mechanism (Article 56). For organisations with no EU establishment, the one-stop-shop is not available, and each supervisory authority in whose member state affected data subjects are located must be notified.

    Maintain current contact details for relevant supervisory authorities and understand jurisdictional rules, as incorrect notification routing can delay compliance and complicate regulatory responses.

    Conclusion and Next Steps

    GDPR data breach notification requirements establish strict timelines, commencing with a 72-hour notification to the supervisory authority. Additional obligations apply to high-risk breaches that affect individuals. Success requires solid breach detection capabilities, clear risk assessment frameworks, and streamlined reporting procedures that enable compliance even during times of crisis.

    How We Can Help 

    Dealing with a GDPR data breach can be challenging, but the expert team at GDPRLocal.com is here to guide you through every step.

    Immediate Breach Assessment and Containment: GDPRLocal.com helps you quickly identify the scope and nature of the personal data breach, enabling you to contain the incident and prevent further data loss or damage.

    Risk Assessment and Reporting: Our specialists conduct thorough risk assessments to determine the potential adverse effects on data subjects and advise whether notification to the relevant supervisory authority and affected individuals is required. We help prepare and submit accurate breach notifications within the mandatory 72-hour timeframe.

    Comprehensive Documentation: GDPRLocal.com supports you in documenting the breach details, decision-making processes, and remedial actions taken, ensuring accountability and readiness for any supervisory authority review.

    Remedial Action Planning: Our team recommends and helps implement effective remedial measures to reduce the impact of the breach and prevent future occurrences, including enhancing your breach management process.

    Training and Preparedness: Beyond incident response, GDPRLocal.com offers training for your staff on recognising personal data breaches and maintaining robust breach detection and reporting procedures, thereby strengthening your organisation’s overall data protection posture.