What Is a Data Breach Notification Deadline Under GDPR?
Under GDPR, a controller must notify the relevant supervisory authority within 72 hours of becoming aware of a reportable personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If notification is delayed, the controller must explain why.
The GDPR breach notification deadline is generally 72 hours from the point a controller becomes aware of a reportable personal data breach. That does not mean every security incident must be reported, but if the breach is likely to result in a risk to individuals’ rights and freedoms, the supervisory authority must be notified without undue delay and, where feasible, within that 72-hour window.
What Counts as a Personal Data Breach Under GDPR?
Under GDPR, a personal data breach is not limited to a hacker stealing a database. It can involve a breach of:
- confidentiality — unauthorized disclosure or access
- integrity — unauthorized alteration
- availability — accidental or unlawful loss, destruction, or loss of access
So a reportable event might include:
- ransomware affecting access to personal data
- an email sent to the wrong recipient
- exposed cloud storage
- a lost device containing personal data
- insider misuse
- accidental deletion without recoverability
This matters because many teams think only data theft triggers GDPR reporting. It does not.
When Does the 72-Hour Clock Start?
The key phrase is “becoming aware.”
In practice, the clock starts when the controller has a reasonable degree of certainty that:
- a personal data breach has occurred
- personal data is affected
- the breach may meet the reporting threshold
The clock does not necessarily start:
- when the attacker first gained access
- when a suspicious alert first appears
- when the compromise technically began but has not yet been understood
That distinction is important. You may detect a problem late, but once the organization is aware of a reportable breach, the deadline becomes very short.
Who Has To Notify the Supervisory Authority?
The controller carries the main legal duty to notify the supervisory authority.
A processor usually does not notify the authority directly unless contracts or specific legal arrangements say otherwise. Instead, the processor must notify the controller without undue delay after becoming aware of the breach.
This is why controller-processor agreements should clearly define:
- incident escalation timelines
- reporting contacts
- evidence-sharing requirements
- responsibilities during breach assessment
For related guidance, see: - What Counts as a Personal Data Breach Under GDPR? - Controller vs Processor: Who Reports a Breach?
When Do Affected Individuals Need To Be Notified?
This is a separate question from authority notification.
If the personal data breach is likely to result in a high risk to individuals’ rights and freedoms, the controller must also inform affected data subjects without undue delay.
So there are really two thresholds to assess:
Notification to the supervisory authority
Triggered when the breach is likely to result in a risk to individuals’ rights and freedoms.
Notification to affected individuals
Triggered when the breach is likely to result in a high risk to individuals’ rights and freedoms.
These are related, but not identical, obligations.
What If You Do Not Have All the Facts Within 72 Hours?
GDPR does not require perfect certainty before the first notification. If the breach is reportable, the safer approach is usually to notify within the deadline using the facts currently available, then provide updates as the investigation develops.
Early investigations are often incomplete. You may still be determining:
- the exact number of affected people
- the categories of personal data involved
- whether exfiltration actually occurred
- how long the exposure lasted
- which regulators or jurisdictions are implicated
A staged notification is often more defensible than waiting too long for a complete picture.
What Should the Notification Include?
A notification to the supervisory authority should generally describe:
- the nature of the personal data breach
- categories and approximate number of affected data subjects
- categories and approximate number of personal data records involved
- likely consequences of the breach
- measures taken or proposed to address it
- contact details for the data protection officer or other contact point
If some of that information is not yet known, it can usually be supplemented later.
What If the Breach Is Not Reportable?
Not every personal data breach must be reported to the authority.
If the breach is unlikely to result in a risk to individuals’ rights and freedoms, supervisory authority notification may not be required. However, the organization should still document:
- the incident itself
- the reasoning behind the decision
- the risk assessment performed
- any containment or remediation steps taken
That documentation matters if a regulator later asks why no report was made.
Practical Steps To Meet the GDPR Breach Notification Deadline
Knowing the 72-hour rule is not enough. Organizations need a process that can support it.
Build incident triage around personal data impact
Security teams should quickly ask:
- Was personal data involved?
- What type of breach occurred: confidentiality, integrity, or availability?
- Which people may be affected?
- What harm could realistically follow?
Coordinate privacy, legal, and security early
A delay often happens because teams investigate in parallel without a clear owner. Assign roles in advance for:
- technical investigation
- regulatory assessment
- communications
- decision logging
Preserve evidence while the assessment is still forming
Logs, timelines, system snapshots, and notification records all matter later. If endpoint compromise is suspected, a cleanup tool such as Malwarebytes may be useful during containment on affected user systems, but evidence preservation should come first.
Secure the accounts involved in the incident
Many reportable breaches begin with compromised user accounts, reused passwords, or mailbox takeover. Using a password manager like 1Password can help reduce password reuse and improve credential hygiene across teams.
Common Misconceptions
“Every security incident must be reported under GDPR.”
False. GDPR applies to personal data breaches, not every technical event. Even then, not every personal data breach is automatically reportable.
“The 72-hour clock starts when the attack begins.”
Incorrect. The clock starts when the controller becomes aware of a reportable personal data breach.
“If we do not know everything yet, we should wait.”
Usually not. If notification is required, submit within 72 hours where feasible and add details later.
“Only data theft counts as a GDPR breach.”
False. Unauthorized disclosure, alteration, destruction, or loss of access to personal data can all qualify.
Final Takeaway
Under GDPR, the headline deadline is 72 hours from awareness of a reportable personal data breach for notifying the supervisory authority. The hard part is not memorizing the number. It is quickly deciding whether the breach creates a risk to individuals’ rights and freedoms, documenting that decision, and notifying with the facts available at the time.
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.