GDPR Data Breach Notification: Your 72-Hour Action Plan
When a data breach hits, you have 72 hours to notify your supervisory authority. This hour-by-hour guide covers detection, containment, risk assessment, and notification — so you are prepared before it happens.
Why 72 Hours Changes Everything
Article 33 of the GDPR requires data controllers to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. This is not a soft target — it is a hard deadline that regulators enforce. The Irish DPC fined Meta 17 million euros in part for delayed breach notification. The UK ICO has repeatedly cited notification failures as aggravating factors in penalty calculations.
The 72-hour window begins when you become 'aware' of the breach, which regulators interpret broadly. You are considered aware when you have a reasonable degree of certainty that a security incident has compromised personal data — not when your forensic investigation is complete. Waiting for full details before starting the clock is a compliance failure, not a prudent strategy.
For most organisations, 72 hours is not enough time to investigate a breach, assess its scope, determine which individuals are affected, draft notifications, obtain legal review, and submit to the supervisory authority — unless you have a process in place before the breach occurs. This guide walks through building that process.
Hour 0-4: Detection and Initial Triage
The first four hours after breach detection set the trajectory for your entire response. The immediate priority is confirming whether a breach has occurred and activating your incident response team.
Confirmation means answering three questions: Has personal data been compromised? Is the breach ongoing or contained? What category of breach is it — confidentiality (unauthorised access), integrity (unauthorised alteration), or availability (loss of access to data)? You do not need full answers yet, but you need enough to determine whether this is a personal data breach under Article 4(12) of the GDPR.
Activate your breach response team immediately. This should be a predefined group with clear roles: an incident commander who owns the response, a technical lead who directs containment and investigation, a legal or DPO representative who manages regulatory obligations, and a communications lead who handles internal and external messaging. If these roles are not defined before the breach, you will lose critical hours debating who does what.
Document everything from this point forward. Every action taken, every decision made, every finding — timestamped and attributed. This log serves double duty: it guides your response in real time and demonstrates to regulators that you acted diligently.
Hour 4-12: Containment and Scope Assessment
Once the breach is confirmed and your team is activated, the focus shifts to containment and understanding the scope. Containment means stopping the breach from expanding — revoking compromised credentials, isolating affected systems, blocking exfiltration channels, or patching the exploited vulnerability. Containment does not mean forensic investigation; it means stopping the bleeding.
Parallel to containment, begin scoping the breach. Identify which systems were affected, what personal data they contain, how many data subjects are potentially impacted, and whether special category data (health, biometric, genetic, political opinions) is involved. Special category data significantly raises the risk assessment and may trigger additional obligations.
Start building your notification timeline. Under GDPR, you must notify the supervisory authority within 72 hours unless the breach is 'unlikely to result in a risk to the rights and freedoms of natural persons.' This exception is narrow — if there is any reasonable possibility that individuals could be harmed, you must notify. Encrypted data that was exfiltrated may qualify for the exception if the encryption key was not compromised, but this must be a documented assessment, not an assumption.
If you are a data processor who discovers the breach, your obligation under Article 33(2) is to notify the data controller 'without undue delay.' This means immediately, not at the end of your investigation. The controller's 72-hour clock starts when the processor notifies them, so delay in processor-to-controller notification directly compresses the controller's response window.
Hour 12-36: Investigation and Risk Assessment
With containment in place, deepen your investigation. The goal during this phase is to answer the questions your supervisory authority notification will require: the nature of the breach, the categories and approximate number of data subjects affected, the categories of personal data records involved, the likely consequences, and the measures taken or proposed to address the breach.
Conduct your risk assessment using the factors regulators actually evaluate. The type of breach matters — exfiltration by a malicious actor is higher risk than accidental disclosure to a trusted party. The sensitivity of the data matters — financial data or health records carry higher risk than email addresses alone. The volume of records matters. Whether the data is in a form that is easily usable by an attacker matters — structured databases with clear field labels are higher risk than encrypted backups.
Assess the likely consequences for affected individuals. Could this breach lead to identity theft, financial loss, discrimination, reputational damage, or loss of confidentiality of data protected by professional secrecy? The more severe the potential consequences, the stronger your obligation to notify individuals directly under Article 34.
Document your risk assessment methodology and conclusions. If you determine that notification to the supervisory authority is not required because the risk is unlikely, you must still document that decision and the reasoning. Article 33(5) requires controllers to document all breaches regardless of whether they are reported — the supervisory authority can review this documentation at any time.
Hour 36-60: Preparing the Notification
Your supervisory authority notification must contain specific information defined in Article 33(3). Draft this using the template your supervisory authority provides — most DPAs publish standard breach notification forms on their websites.
The notification must describe the nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. Provide the name and contact details of your Data Protection Officer or other contact point. Describe the likely consequences of the breach. Describe the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The GDPR explicitly acknowledges that you may not have all information within 72 hours. Article 33(4) permits information to be provided in phases — submit what you know now and supplement it as your investigation progresses. Regulators consistently say they prefer a timely partial notification over a late complete one. A phased notification is not a sign of incompetence; a late notification is a compliance failure.
Prepare your notification to individuals under Article 34 in parallel if your risk assessment indicates that the breach is 'likely to result in a high risk to the rights and freedoms' of the affected people. The individual notification must use clear and plain language, describe the nature of the breach, provide DPO contact details, describe likely consequences, and describe the measures taken. Unlike the supervisory authority notification, there is no 72-hour deadline for individual notification — but it must be made 'without undue delay', which regulators interpret as days, not weeks.
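As an added illustration (not part of the original article or any vendor's product), the following Python breach register applies the rules described above: it computes the 72-hour deadline from the moment of awareness, applies the encrypted-data exception and the Article 34 high-risk test, and tracks which Article 33(3) items are still outstanding across phased submissions. The incident in demo() is a constructed scenario, and the field names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    UNLIKELY = "unlikely"  # Art. 33(1) exception: no DPA notification required
    RISK = "risk"          # DPA notification required within 72 hours
    HIGH = "high"          # DPA notification plus data subjects (Art. 34)
# Information Article 33(3) requires; anything not yet known can follow in phases (Art. 33(4)).
ART_33_3_FIELDS = ("nature", "subjects", "records", "dpo_contact", "consequences", "measures")
@dataclass
class BreachRecord:
    aware_at: datetime            # 'awareness'; for a controller told by its processor, the time that notice arrived
    assessed_risk: Risk
    encrypted: bool = False       # was the compromised data encrypted?
    key_compromised: bool = True  # assume the worst until the documented assessment says otherwise
    submissions: list = field(default_factory=list)  # (timestamp, fields) for each phased submission
    def deadline(self) -> datetime:
        return self.aware_at + timedelta(hours=72)
    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now).total_seconds() / 3600
    def effective_risk(self) -> Risk:
        # Encrypted data whose key stayed secret may qualify for the 'unlikely to result in a risk'
        # exception; the record itself is still kept under Art. 33(5).
        if self.encrypted and not self.key_compromised:
            return Risk.UNLIKELY
        return self.assessed_risk
    def must_notify_dpa(self) -> bool:
        return self.effective_risk() is not Risk.UNLIKELY
    def must_notify_individuals(self) -> bool:
        return self.effective_risk() is Risk.HIGH
    def submit(self, at: datetime, **fields) -> None:
        unknown = set(fields) - set(ART_33_3_FIELDS)
        if unknown:
            raise ValueError(f"not Article 33(3) information: {sorted(unknown)}")
        self.submissions.append((at, dict(fields)))
    def outstanding_fields(self) -> list:
        supplied = {k for _, f in self.submissions for k in f}
        return [f for f in ART_33_3_FIELDS if f not in supplied]
    def first_submission_on_time(self) -> bool:
        return bool(self.submissions) and min(t for t, _ in self.submissions) <= self.deadline()

def demo() -> BreachRecord:
    """Constructed scenario, not a real incident: awareness at 09:00 UTC, two phased submissions."""
    aware = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(aware_at=aware, assessed_risk=Risk.HIGH)
    rec.submit(aware + timedelta(hours=40), nature="credential theft on CRM host",
               dpo_contact="dpo@example.com", measures="credentials revoked, host isolated")
    rec.submit(aware + timedelta(hours=70), subjects="approx. 12,000", consequences="phishing risk")
    return rec
```

Calling demo().outstanding_fields() after the second submission shows only the record count still missing, which is exactly what the next phased supplement should carry.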
Hour 60-72: Review, Submit, and Communicate
Use the final window for legal review, internal approval, and submission. Your DPO should review the notification for accuracy and completeness. Legal counsel should review it for any privilege or litigation risk considerations — breach notifications can become evidence in subsequent enforcement actions or civil claims.
Submit the notification to the correct supervisory authority. Under GDPR's one-stop-shop mechanism, this is the DPA of your main establishment in the EU. If you are not established in the EU, notify the DPA of each member state where affected data subjects are located. If you operate across multiple jurisdictions, confirm which DPA is your lead authority before the breach — resolving this question under time pressure wastes hours you do not have.
Communicate internally. Your executive team, board, and relevant department heads should be briefed on the breach, its scope, and the response actions taken. If you are a public company, assess whether the breach triggers securities disclosure obligations — material cybersecurity incidents may require disclosure under SEC rules or equivalent requirements in other jurisdictions.
If individual notification is required, send it through a channel that reaches the affected individuals directly. Email is the most common mechanism, but if email addresses were compromised in the breach, you may need to use alternative channels such as postal mail, in-app notifications, or a public announcement.
After the 72 Hours: Follow-Up and Remediation
Submitting the notification is not the end of the process. Regulators expect ongoing communication as your investigation progresses. Supplement your initial notification with additional details as they become available — updated numbers of affected individuals, revised risk assessments, and additional remediation measures.
Conduct a thorough post-incident review. Identify the root cause of the breach, not just the proximate cause. If the breach was caused by a phishing attack, the root cause is not 'an employee clicked a link' — it may be insufficient email filtering, lack of multi-factor authentication, over-provisioned access, or inadequate security awareness training. Your remediation plan should address the root cause.
Update your breach response procedures based on lessons learned. What worked well? What caused delays? Were the right people involved at the right time? Did your documentation practices hold up under pressure? Feed these insights back into your incident response plan so the next breach — and there will be a next one — is handled more effectively.
Retain all breach documentation for a minimum period that satisfies your supervisory authority's expectations and your own statute of limitations exposure. Five years is a common baseline, but check your specific jurisdictional requirements. This documentation includes your incident log, risk assessment, notifications sent, individual communications, remediation actions, and post-incident review findings.
Building the Process Before You Need It
The organisations that handle breach notification well are those that invested in the process before a breach occurred. At minimum, your pre-breach preparation should include a documented breach response plan with named roles and contact details, tested at least annually through tabletop exercises.
Maintain a pre-drafted notification template that can be populated with incident-specific details. Establish a relationship with your supervisory authority before you need to report — many DPAs offer pre-breach consultation or guidance. Know your DPA's preferred notification channel and format.
Ensure your technical infrastructure supports rapid breach assessment. You cannot determine which data subjects are affected within 72 hours if you do not have data mapping, access logging, and monitoring in place. Your data inventory, maintained for ROPA compliance, is the foundation for breach scope assessment — if it is outdated or incomplete, your breach response will be as well.
Finally, integrate breach notification into your vendor management process. Your data processing agreements should include specific breach notification timeframes for processors — the GDPR says 'without undue delay', but your contracts should specify a concrete window, ideally 24 hours or less, to preserve your own 72-hour timeline.