The 72-hour breach notification deadline under GDPR isn't just tight—it's designed to catch unprepared businesses off guard. Learn exactly what triggers the requirement, what information you must provide, and how to build a breach response framework that turns panic into process. Includes hour-by-hour action timeline and real cases showing what regulators actually scrutinize.

Here's the thing about GDPR's 72-hour breach notification requirement: it's not designed to be comfortable. It's designed to force businesses to have systems in place before something goes wrong.

I've watched companies scramble when they discover a breach, only to realize they don't even know where to start with notification. The 72-hour clock doesn't care if you're unprepared. It doesn't pause while you figure out what information you need or who you're supposed to contact.

But here's what I've also seen: businesses that approach breach notification as a planning exercise rather than a crisis response handle incidents dramatically better. They spend less time in panic mode and more time actually addressing the issue.

This guide breaks down exactly what you need to know about GDPR's breach notification requirements—not just the legal theory, but the practical implementation that keeps your business protected when minutes matter.

What Triggers the 72-Hour Notification Requirement?

Let's start with the most important question: when does the 72-hour clock actually start ticking?

Understanding "Personal Data Breach" Under GDPR

GDPR Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

That's broader than most people think. A breach isn't just a hacker stealing customer databases. It includes:

Confidentiality breaches: Unauthorized access or disclosure of personal data. A misconfigured cloud storage bucket that exposes customer records? That's a breach. An employee accidentally sending an email to the wrong recipient with personal data attached? Also a breach.

Integrity breaches: Unauthorized alteration of personal data. If someone modifies customer records without authorization, or ransomware corrupts your database, you're dealing with a breach.

Availability breaches: Loss of access to personal data. This includes accidental deletion, ransomware that locks you out of systems, or hardware failures that make data permanently inaccessible.

Here's what catches businesses off guard: GDPR doesn't require malicious intent. Accidents count. Employee mistakes count. System failures count.

The Risk Threshold That Actually Matters

Not every breach triggers the 72-hour notification requirement to supervisory authorities. GDPR Article 33 requires notification "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

This is where businesses often get paralyzed. What constitutes "unlikely to result in a risk"?

The European Data Protection Board (EDPB) provides guidance:

Low risk scenarios (generally don't require notification):

  • Data was already public
  • Data was properly encrypted and the encryption key wasn't compromised
  • The breach was contained before any actual access or disclosure occurred
  • The data involved poses minimal risk (e.g., work email addresses in a B2B context)

Risk scenarios (require notification):

  • Exposure of contact details, financial information, health data, or other sensitive categories
  • Breach could lead to identity theft, fraud, discrimination, or reputational damage
  • Large scale incidents affecting many individuals
  • Special categories of personal data involved (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.)

The critical point: you must be able to demonstrate your risk assessment. "We didn't think it was risky" isn't enough. You need documented reasoning.

Common Scenarios: Does It Require Notification?

Let me walk through some real-world scenarios I've encountered:

Scenario 1: Ransomware Attack Your systems are encrypted by ransomware. Customer data is still in your database but inaccessible. Answer: Almost always requires notification. This is an availability breach that prevents you from fulfilling obligations to data subjects and poses risk if the attacker accessed data before encryption.

Scenario 2: Misconfigured S3 Bucket You discover an Amazon S3 bucket containing customer data was publicly accessible for two weeks. You have no evidence anyone accessed it. Answer: Generally requires notification. Even without evidence of access, the potential for unauthorized access to personal data creates risk. The lack of access logs doesn't eliminate the risk—it means you can't prove there wasn't a risk.

Scenario 3: Lost Laptop (Encrypted) An employee loses a laptop containing customer data, but the hard drive is fully encrypted with strong encryption. Answer: Likely doesn't require notification if you can demonstrate the encryption renders the data unintelligible and the encryption key wasn't also compromised. Document this assessment thoroughly.

Scenario 4: Email to Wrong Recipient Employee sends an email with 50 customer names and email addresses to the wrong recipient, who deletes it immediately. Answer: Judgment call based on data sensitivity and context. If it's just names/emails in a business context with immediate deletion confirmed, you might assess as low risk. But document why. If it includes more sensitive data or the recipient isn't trustworthy, notification is safer.

Scenario 5: Database Intrusion You detect unauthorized access to your customer database. The attacker spent 15 minutes inside your system before being kicked out. Answer: Requires notification. Unauthorized access to personal data is a breach, and 15 minutes is plenty of time to exfiltrate data. Even if you can't prove data was copied, the risk threshold is met.

The pattern you'll notice: when in doubt, notification is the safer path. The penalty for failing to notify when required is significantly higher than the administrative burden of notification.

The 72-Hour Timeline: What Happens When

Now let's break down what actually needs to happen within those 72 hours. I'm going to be specific about timing because that's where businesses typically fail.

Hour 0-4: Discovery and Initial Assessment

The clock starts when you become aware of the breach, not when the breach occurred. This is crucial. If a breach happened three months ago but you only discovered it today, the 72-hour countdown starts today.

Immediate actions:

  1. Activate your incident response team (you do have one identified, right?). This typically includes someone from IT, legal/compliance, management, and potentially communications.

  2. Begin containment. Stop the bleeding before you do anything else. If it's unauthorized access, change credentials and close the access point. If it's ransomware, isolate affected systems. If it's a misconfiguration, fix it immediately.

  3. Preserve evidence. Don't destroy logs or evidence in your rush to contain. You'll need this for your notification and potential investigation.

  4. Make an initial risk determination. You need a quick assessment: does this likely require notification? If yes, or if you're not sure, proceed as if it does.

In my experience, businesses that take longer than 4 hours to assemble their response team are already behind. If you're starting from "who should we even call?" at this stage, you've got a problem.

Hour 4-24: Investigation and Risk Evaluation

This is your primary investigation window. You're gathering the information you'll need for notification.

Key activities:

Document the timeline: When did the breach occur? When was it discovered? What happened in between? You need specific dates and times.

Identify the scope: What personal data was affected? How many data subjects? What categories of data (names, emails, financial information, health data, etc.)?

Assess the technical circumstances: Was data encrypted? How did the breach occur? What vulnerabilities were exploited? Has the vulnerability been closed?

Evaluate the risk: What are the potential consequences for individuals? Could this lead to identity theft, financial loss, discrimination, or other harms? Is this low risk, medium risk, or high risk?

Determine affected jurisdictions: Where are the affected data subjects located? This matters for determining which supervisory authority to notify and whether multiple notifications are needed.

Here's what I tell clients: treat this like an investigation, not a cover-up. The goal isn't to minimize the breach in your mind—it's to understand it accurately. Regulators can tell when you've glossed over details or made convenient assumptions.

Hour 24-48: Documentation and Decision Making

By this point, you should have enough information to make informed decisions.

Critical decisions to make:

  1. Is notification required? Based on your risk assessment, does this meet the threshold? If you're truly uncertain, consult with privacy counsel. But remember: the 72-hour clock doesn't stop while you deliberate.

  2. Which supervisory authority? If you have an establishment in the EU, you notify your lead supervisory authority. If you're outside the EU but the breach affects EU residents, you may need to notify the supervisory authority in the relevant member state. Our GDPR territorial scope guide explains these jurisdictional complexities in detail.

  3. Will you also need to notify individuals? If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also notify the affected individuals without undue delay. We'll cover this in detail below.

  4. Do you have all required information? GDPR recognizes you might not have complete information within 72 hours. Article 33(4) allows for notifications in phases—initial notification followed by updates as you learn more.

Documentation to prepare:

Start drafting your notification. Even if you're not certain you'll need to submit it, having it ready is crucial. At hour 60, you don't want to be starting from scratch.

Hour 48-72: Authority Notification Preparation and Submission

This is your final push to get the notification submitted. If you've done the previous phases right, this should be primarily about finalizing and submitting documentation.

Final preparation steps:

  1. Complete your notification form. Most supervisory authorities have specific forms or online portals. Don't wait until hour 70 to figure out their system.

  2. Review with stakeholders. Quick review with legal/compliance and management. This isn't the time for extended debate—that should have happened earlier.

  3. Submit the notification. Aim to submit with at least a few hours to spare. Technical issues, portal problems, and submission difficulties are not valid excuses for missing the deadline.

  4. Document your submission. Save confirmation emails, submission timestamps, and copies of exactly what you submitted.

If you determine notification isn't required because the risk is low, document that decision in detail. If a supervisory authority later disagrees, your documented risk assessment is your defense.

Beyond 72 Hours: Individual Notification and Follow-Up

Just because you've notified the supervisory authority doesn't mean you're done.

If the breach poses high risk to individuals, you must notify them directly. There's no specific deadline, but GDPR says "without undue delay." In practice, this typically means concurrently with or shortly after authority notification.

You may also need to provide updates to the supervisory authority as you learn more information. Initial notifications often include phrases like "investigation ongoing" or "full scope being determined." You're expected to follow up with additional details.

What Information Your Notification Must Include

GDPR Article 33(3) specifies what your notification to the supervisory authority must contain. Let's go through each requirement with practical guidance.

1. Nature of the Personal Data Breach

You must describe what happened. This isn't a one-sentence description. Include:

  • Type of breach: Confidentiality, integrity, availability, or combination?
  • How it occurred: Technical vulnerability exploited? Human error? Malicious insider? System failure?
  • Timeline: When did it happen? When was it discovered?
  • Current status: Is it contained? Ongoing? Fully resolved?

Example of good description: "On January 15, 2025, we discovered unauthorized access to our customer database through a SQL injection vulnerability in our web application. The vulnerability existed from December 1, 2024 to January 15, 2025, when it was closed. During this period, an attacker accessed customer records including names, email addresses, and encrypted passwords. The vulnerability has been patched, all credentials have been reset, and we've implemented additional security monitoring."

Example of inadequate description: "Unauthorized access to our database occurred."

See the difference? Specificity matters.

2. Categories and Approximate Number of Data Subjects Concerned

You need to specify:

  • How many individuals are affected (or approximate number if exact count isn't yet known)
  • What types of data subjects (customers, employees, children, etc.)

"Approximately 12,500 customers" is acceptable. "Lots of people" is not.

If you genuinely don't know the number yet, you can say "number of affected individuals is still being determined—estimated range is 5,000-15,000 based on preliminary investigation."

3. Categories and Approximate Number of Personal Data Records Concerned

This is about the data, not the people:

  • What types of personal data were affected (names, addresses, financial information, health data, etc.)
  • How many records (which may be different from the number of people—one person might have multiple records)

Be specific about data categories:

  • ✓ "Names, email addresses, phone numbers, shipping addresses, and order history"
  • ✗ "Contact information and transaction data"

If special categories of data are involved (health, biometric, racial/ethnic origin, political opinions, etc.), highlight this explicitly. It significantly increases the risk assessment.

4. Contact Details of the Data Protection Officer or Other Contact Point

Provide direct contact information for the person or team handling the breach response. This needs to be someone who can actually answer questions from the supervisory authority, not a generic company info@ address.

Include:

  • Name and title
  • Direct email
  • Direct phone number
  • Availability information if relevant

The supervisory authority may want to communicate quickly. Make it easy for them.

5. Likely Consequences of the Breach

This is your risk assessment. Describe the potential impact on affected individuals:

  • Could this lead to identity theft or fraud?
  • Is there risk of financial loss?
  • Could it cause discrimination or reputational damage?
  • Are there physical safety concerns?
  • Is there risk of psychological harm?

Be honest here. If you minimize obvious risks, regulators will question your entire assessment process.

Example of thorough consequence assessment: "The exposed data includes names, email addresses, and encrypted passwords. Risks include: (1) potential for phishing attacks targeting our customers using the exposed email addresses; (2) if customers reused passwords across services, possible unauthorized access to their other accounts if the encryption is compromised; (3) potential for identity theft if attackers correlate this data with other breached databases. The financial data was not exposed, which limits direct financial fraud risk."

6. Measures Taken or Proposed to Address the Breach

Detail both immediate and planned actions:

Immediate containment measures:

  • Closed the vulnerability
  • Reset all affected credentials
  • Isolated compromised systems
  • Enhanced monitoring implemented

Mitigation measures for affected individuals:

  • Notified affected individuals with guidance
  • Offering credit monitoring (if applicable)
  • Provided resources for protective actions

Preventive measures for the future:

  • Security audit being conducted
  • Additional security controls being implemented
  • Staff training being enhanced
  • Third-party security assessment commissioned

This demonstrates you're not just reporting the breach—you're actively addressing it and preventing recurrence.

What If You Don't Have All Information Yet?

GDPR explicitly recognizes you might not have complete information within 72 hours. Article 33(4) states: "Where, and in so far as, it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay."

This means you can submit an initial notification with the information you have, then follow up with additional details as you learn them.

Initial notification might say: "Investigation is ongoing. Initial assessment indicates approximately 5,000-10,000 customers affected. Full scope and data categories being determined. Update will be provided within 7 days."

But you can't just say "we don't know anything yet" and call it a notification. You need to provide what you do know and commit to providing updates.

When You Must Also Notify Affected Individuals

Notifying the supervisory authority and notifying individuals are separate requirements with different thresholds.

The High Risk Threshold

Article 34 requires individual notification "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons."

This is a higher bar than the "risk" threshold for authority notification. The EDPB guidance suggests high risk scenarios include:

  • Special categories of data are involved (health, biometric, racial/ethnic origin, political opinions, sexual orientation, etc.)
  • Data on vulnerable individuals (children, elderly, individuals with disabilities)
  • Large-scale breach affecting many individuals
  • Breach could lead to serious consequences (identity theft, financial loss, discrimination, physical harm)
  • Combination of factors that together create high risk

Examples of when individual notification is required:

  • Health data breach that could lead to discrimination or affect access to services
  • Financial data breach that enables direct fraud
  • Breach of location data that could enable stalking or physical harm
  • Large-scale credential breach where password reuse is common
  • Breach involving children's data

Examples where authority notification is required but individual notification may not be:

  • Encrypted data breach where encryption remains strong and keys weren't compromised
  • Limited breach quickly contained with minimal potential impact
  • Data that was already public or becomes public through other means
  • Work contact information in a B2B context with limited personal impact

The documentation requirements apply here too: you must document why you decided individual notification was or wasn't required.

What Your Individual Notification Must Include

If you must notify individuals, Article 34(2) specifies requirements:

  1. Description in clear and plain language of the nature of the breach
  2. Contact details of your DPO or other contact point where more information can be obtained
  3. Likely consequences of the breach
  4. Measures taken or proposed to address the breach and mitigate potential adverse effects

Notice the emphasis on "clear and plain language." This isn't the place for legal jargon. You're communicating with customers, employees, or other individuals—not lawyers.

Example of good individual notification (excerpt):

"We're writing to inform you that we experienced a security incident that may have exposed some of your personal information.

What Happened: On January 15, we discovered that an unauthorized person gained access to our customer database through a vulnerability in our website. This person may have accessed your name, email address, phone number, and shipping address.

What We're Doing: We immediately closed the vulnerability and reset all account passwords. We've also implemented additional security monitoring and are conducting a full security audit.

What You Should Do: As a precaution, we recommend you:

  • Be alert for suspicious emails claiming to be from our company
  • Monitor your accounts for unusual activity
  • Consider changing passwords on any other sites where you used the same password

More Information: If you have questions, please contact our Privacy Team at [email/phone]. We've also prepared a FAQ at [URL]."

Exceptions to Individual Notification

Even when the risk threshold is met, you don't have to notify individuals if:

  1. Appropriate technical and organizational protection measures were applied to the compromised data, particularly measures that render data unintelligible (e.g., encryption), and those measures weren't compromised.

  2. You took subsequent measures that ensure the high risk to individuals' rights is no longer likely to materialize (e.g., you recovered all compromised data before it could be misused).

  3. Individual notification would involve disproportionate effort. In this case, you can make a public communication or similar measure instead. But this exception is narrow—high cost alone isn't enough to invoke it.

Each exception requires documentation. You're essentially arguing that despite high risk, individual notification isn't necessary or feasible for specific reasons.

Common Mistakes That Escalate Penalties

Let me share the mistakes I see most often—and that regulators punish most severely.

Mistake 1: Waiting to Investigate Before Starting the Clock

Some businesses think: "We'll investigate first, figure out exactly what happened, then start the 72-hour clock."

Wrong. The clock starts when you become aware of a breach, not when your investigation is complete.

"Becoming aware" means having sufficient information to understand that a breach likely occurred. If your monitoring system alerts you to unauthorized access, the clock has started—even if you don't yet know the full scope.

Regulators have explicitly penalized companies that delayed starting the clock while they "gathered more information." The investigation happens within the 72 hours, not before it.

Mistake 2: Inadequate Documentation of Risk Assessment

I've seen businesses submit notifications that say things like "we assessed the risk as low" without any supporting reasoning.

Regulators want to see your work. They want to understand:

  • What factors you considered
  • What information you relied on
  • What methodology you applied
  • Why you reached your conclusion

If you can't demonstrate a thorough, documented risk assessment process, regulators will assume you didn't perform one—and that's a compliance failure independent of the breach itself.

Your privacy risk assessment methodology should include breach risk evaluation as a core component.

Mistake 3: Poor Communication with the Supervisory Authority

Some businesses treat breach notification as a one-way report: "Here's our notification, goodbye."

Better approach: think of it as the start of a dialogue. The supervisory authority may have questions. They may want clarification. They may request additional information.

Be responsive. Answer questions promptly and thoroughly. If you promise to provide updates, follow through.

I've seen cases where the breach itself was relatively minor, but the company's poor communication with regulators turned it into a significant enforcement action.

Mistake 4: Notifying Individuals Without Notifying Authorities

This is backwards and creates suspicion.

If you're notifying individuals, you should have already notified (or be simultaneously notifying) the supervisory authority. Notifying customers first, then filing a report with regulators later, suggests you were trying to control the narrative before regulators got involved.

The proper order: Authority notification first (or at least simultaneously), then individual notification.

Mistake 5: Failing to Learn From the Breach

Supervisory authorities expect to see concrete actions to prevent recurrence. Generic statements like "we take security seriously" or "we're reviewing our procedures" aren't enough.

Specific actions carry weight:

  • "We've implemented multi-factor authentication"
  • "We've engaged [specific security firm] to conduct a penetration test"
  • "We've modified our data access controls to implement least-privilege principles"
  • "We've established quarterly security audits"

Show that the breach led to measurable improvements in your security posture.

Mistake 6: Inconsistent Narratives

If your notification to the supervisory authority says one thing, your notification to individuals says something different, and your public statement says something else again, you've created a credibility problem.

Ensure consistency across all communications about the breach. Different audiences may need different levels of detail, but the core facts should align.

Building Your Breach Response Framework Now

Here's the uncomfortable truth: if you're reading this after a breach has occurred, you're already behind. Breach response isn't something you figure out in real-time.

The businesses that handle breaches well do so because they prepared before anything went wrong.

Documentation You Need Before a Breach

1. Incident Response Plan

This document should specify:

  • Who comprises your incident response team
  • How team members are contacted (including after-hours)
  • Decision-making authority and escalation procedures
  • Communication protocols (internal and external)
  • Step-by-step procedures for common breach scenarios
  • Templates for notifications to authorities and individuals

If creating this from scratch feels overwhelming, you're not alone. This is exactly why tools exist to generate comprehensive breach response documentation based on your specific business operations.

2. Data Inventory and Flow Maps

You can't quickly determine what data was affected if you don't know what data you have and where it lives.

Your data inventory should document:

  • What personal data you process
  • Where it's stored (systems, databases, backup locations)
  • Who has access to it
  • What security protections apply
  • Data flows between systems and to third parties

This inventory is also required for GDPR Article 30 Records of Processing Activities—so if you haven't created one, you're already non-compliant with a separate requirement.

3. Supervisory Authority Contact Information

Know which supervisory authority you need to contact, and have their notification form or portal information readily available.

If you operate in multiple jurisdictions, document the notification requirements for each relevant authority. Don't wait until you're under pressure to figure out which regulator has jurisdiction.

4. Communication Templates

Pre-drafted templates for:

  • Authority notifications
  • Individual notifications (for various breach scenarios)
  • Internal communications
  • Media responses (if applicable)

These templates shouldn't be filled-out notifications (since you don't know what breach will occur), but they should provide structure and ensure you cover all required elements.

You'll still need to customize them for the specific breach, but having a starting framework saves critical hours.

Response Team and Communication Protocols

Identify your core response team:

  • Technical lead (usually IT/security): Leads investigation and containment
  • Legal/compliance lead: Assesses notification requirements and regulatory obligations
  • Business lead: Makes business decisions and allocation of resources
  • Communications lead: Handles internal and external communications
  • Data Protection Officer (if you have one): Coordinates overall response and supervises notification

Each person should know they're on the team and understand their responsibilities. If your "team" is one person wearing multiple hats (common in small businesses), acknowledge that and plan accordingly.

Establish clear communication protocols:

  • How do team members communicate during an incident? (Dedicated Slack channel? Email chain? Scheduled calls?)
  • How do you avoid using compromised systems for incident communication?
  • Who communicates with the supervisory authority?
  • Who approves individual notifications before they go out?

The middle of an incident is not the time to figure out these logistics.

Integration With Existing Compliance Programs

Breach response doesn't exist in isolation. It should integrate with:

Your overall GDPR compliance program: Breach notification is one element of a comprehensive compliance approach. Our GDPR compliance checklist shows how breach preparedness fits into the broader compliance picture.

Your privacy by design practices: Better design decisions upstream reduce breach likelihood downstream. Privacy by Design implementation is your first line of defense.

Your data protection impact assessments: If you've properly conducted DPIAs for high-risk processing, you've already identified potential breach scenarios and mitigation measures. Your DPIA process should inform breach response planning.

Your vendor management processes: Many breaches involve third parties. Your contracts with processors should specify breach notification obligations and procedures.

How Automated Tools Reduce Response Time

I'll be direct: comprehensive breach response documentation is complex. Creating it manually takes significant time and expertise.

This is where modern compliance tools provide real value. Platforms like PrivacyForge can generate:

  • Customized incident response plans based on your specific data processing activities
  • Pre-populated breach notification templates aligned with your operations
  • Data inventory frameworks that integrate with breach response procedures
  • Authority contact information and notification procedures for relevant jurisdictions

The value isn't just in creating the documentation—it's in ensuring it accurately reflects your business. Generic templates downloaded from the internet don't account for your specific data flows, your third-party processors, your technical infrastructure, or your operational realities.

When a breach occurs, you need documentation that actually maps to your situation. You don't have time to adapt generic templates on the fly.

Real-World Breach Notification Cases and Lessons

Let me share some instructive cases (with identifying details adjusted for confidentiality where needed).

Case Study 1: The Company That Got It Right

Scenario: A SaaS platform discovered unauthorized access to its customer database at 2:00 PM on a Tuesday. The attacker accessed approximately 8,000 customer records including names, email addresses, and encrypted passwords.

What they did well:

Hour 0: Within 30 minutes, they activated their pre-identified incident response team via their established communication channel.

Hour 2: They closed the vulnerability (a misconfigured API endpoint), changed all credentials, and preserved logs for investigation.

Hour 6: They completed initial risk assessment: concluded that authority notification was required due to the scale and the inclusion of authentication credentials.

Hour 24: They finished their detailed investigation, documenting exactly what data was accessed, when the vulnerability existed, and how many customers were affected.

Hour 48: They prepared their notification to the supervisory authority with complete information about the breach, risk assessment, and mitigation measures.

Hour 60: They submitted notification to their lead supervisory authority with 12 hours to spare.

Hour 72: They sent individual notifications to all affected customers with clear guidance on protective actions, since encrypted passwords created risk of unauthorized account access if customers reused passwords.

Outcome: The supervisory authority acknowledged the notification, asked several follow-up questions (which the company answered promptly), and closed the case with no penalty. The authority noted in their closure letter that the company's "swift and thorough response, along with pre-existing incident procedures, demonstrated appropriate security measures."

Key lesson: Having prepared documentation and procedures before the breach meant they spent their time addressing the breach, not figuring out what to do.

Case Study 2: The Company That Faced Penalties

Scenario: An e-commerce company discovered a database breach that exposed customer names, addresses, phone numbers, and partial credit card numbers (last 4 digits). The breach had existed for approximately 3 months before discovery.

What went wrong:

Days 1-5: The company spent nearly a week investigating internally without notifying the supervisory authority. Their reasoning: "We wanted to understand the full scope before notifying."

Day 6: They filed a notification to the supervisory authority, describing it as a "potential security incident" and providing minimal details.

Days 7-14: The supervisory authority requested additional information. The company's responses were slow and incomplete.

Day 15: Local media reported the breach (a customer had posted about receiving a breach notification). The company's public statement contradicted elements of their supervisory authority notification.

Day 30: The supervisory authority opened a formal investigation, noting both the breach itself and the company's "inadequate and delayed breach response."

Outcome: The company faced penalties not just for the security failures that led to the breach, but specifically for:

  • Failing to notify within 72 hours
  • Providing incomplete and inconsistent information
  • Inadequate risk assessment procedures
  • Lack of documented breach response procedures

The total penalty was €750,000—far more than the company would have faced for just the breach itself.

Key lesson: How you respond to a breach matters as much as the breach itself. Poor response can turn a manageable incident into a compliance disaster.

What Regulators Actually Scrutinize

Based on these cases and others, supervisory authorities focus on:

1. Timeliness: Did you notify within 72 hours of becoming aware? If notification was delayed, do you have documented justification?

2. Completeness: Did you provide all required information? If information was provided in phases, did you follow up appropriately?

3. Risk assessment quality: Is your assessment thorough and well-reasoned? Did you properly evaluate whether individual notification was required?

4. Preparedness: Did you have incident response procedures in place? Do you have documentation showing you were prepared?

5. Remediation: What specific actions did you take to address the breach and prevent recurrence? Are these measures adequate?

6. Transparency: Were your communications consistent across different audiences? Were you forthcoming with the supervisory authority?

Notice that most of these factors are about process and preparation, not just the technical details of the breach itself.

Your Next Steps

If you don't currently have breach response documentation and procedures in place, here's where to start:

1. Conduct a data inventory (if you haven't already). You can't respond effectively to a breach if you don't know what data you have and where it lives.

2. Identify your incident response team. Even if it's just two or three people, formally designate who responds to incidents.

3. Create basic notification templates. At minimum, draft outline structures for authority notification and individual notification that include all required elements.

4. Document your supervisory authority contact information. Know who you need to notify and how to reach them.

5. Test your procedures. Run a tabletop exercise: "What if we discovered unauthorized access to our customer database right now?" Walk through your response step by step. You'll immediately identify gaps.

But here's my honest assessment: comprehensive breach response documentation requires significant expertise and time investment. You need to understand not just your legal obligations, but how they apply to your specific business operations.

This is exactly the problem PrivacyForge solves. Our platform generates complete, customized breach notification documentation and incident response procedures based on your specific data processing activities, business operations, and applicable jurisdictions.

Instead of spending weeks trying to create this documentation yourself—or hiring expensive consultants—you can have comprehensive, accurate breach response documentation in minutes.

Because when a breach happens, you won't have time to create documentation. You'll only have time to execute it.

Start today and generate your breach response documentation today—before you need it.

This guide reflects GDPR requirements as of 2025. While comprehensive, it's educational in nature and doesn't constitute legal advice. For specific guidance on your breach response obligations, consult with qualified privacy counsel.