GDPR breach notification is the process by which organisations report a personal data breach to their supervisory authority, and where necessary to affected individuals, under the EU General Data Protection Regulation (EU Regulation 2016/679), which has applied since 25 May 2018. Getting this process right is one of the most time-critical obligations in the whole regulation, because the clock starts running the moment you become aware of a qualifying incident.
This article is general guidance only and is not legal advice.
What counts as a personal data breach?
Under the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is broader than a “hack”: a lost laptop, an email sent to the wrong recipient, ransomware that encrypts records, or a misconfigured database can all qualify.
Breaches are commonly grouped into three overlapping types, which help you assess impact:
- Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach — unauthorised or accidental alteration of personal data.
- Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data.
The 72-hour GDPR breach notification rule
The headline requirement is the 72-hour deadline. A controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If notification is made later than 72 hours, it must be accompanied by reasons for the delay.
The 72 hours run in calendar time, not working hours, so weekends and public holidays count. “Awareness” generally means the point at which you have a reasonable degree of certainty that a security incident has led to personal data being compromised, not the moment a vague alert first appears.
Notification to the authority is only required when the breach is likely to result in a risk to the rights and freedoms of natural persons. If a breach is unlikely to result in such a risk, you are not obliged to notify the authority, but you must still document it internally.
When you must also notify individuals
A separate, higher threshold applies to informing affected data subjects. When a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the breach to those individuals without undue delay, in clear and plain language.
There are limited exceptions — for example, where the data was rendered unintelligible through measures such as strong encryption, where you have taken subsequent measures ensuring the high risk is no longer likely to materialise, or where individual communication would involve disproportionate effort (in which case a public communication may be used instead).
Who notifies whom: controllers and processors
Notification duties differ depending on your role. The table below summarises the core GDPR breach notification obligations.
| Party | Primary obligation | Timing |
|---|---|---|
| Processor | Notify the controller of a breach it becomes aware of | Without undue delay |
| Controller | Notify the supervisory authority (where risk is likely) | Without undue delay, and where feasible within 72 hours |
| Controller | Communicate to affected data subjects (where high risk is likely) | Without undue delay |
| Controller | Document all breaches internally, regardless of notification | On an ongoing basis |
A processor does not usually notify the authority directly; its job is to alert the controller promptly so the controller can meet its own deadlines. Contracts between controllers and processors should spell out these timelines clearly.
What a notification must contain
The GDPR sets out the minimum information a notification to the authority should include. Where you cannot provide everything at once, you may supply it in phases without further undue delay.
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the data protection officer or other contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
Building a breach response plan
Because 72 hours is short, preparation matters more than reaction. A practical response plan aligns with the GDPR’s accountability principle and typically covers detection, internal escalation, risk assessment, notification decisions, and documentation. Maintaining an internal breach register also supports your records of processing and demonstrates compliance if a regulator asks.
For the authoritative text of the regulation and its recitals, consult the full GDPR reference at gdpr-info.eu.
Frequently asked questions
Does every breach have to be reported within 72 hours?
No. You must notify the supervisory authority only where the breach is likely to result in a risk to individuals’ rights and freedoms. Lower-risk breaches still need to be documented internally, but do not require regulator notification.
When does the 72-hour clock start?
It starts when the controller becomes “aware” of the breach — the point at which you have reasonable certainty that a security incident has compromised personal data, not the first ambiguous alert.
What happens if we get GDPR breach notification wrong?
Failing to notify correctly can lead to enforcement action. Depending on the infringement, fines can reach up to 20 million euro or 4% of total worldwide annual turnover, whichever is higher, alongside reputational harm.
Do we tell affected individuals every time?
Only when the breach is likely to result in a high risk to those individuals, and subject to limited exceptions such as data being unintelligible through encryption or the high risk having been mitigated.

Related guides
- Complete GDPR compliance guide for organisations
- GDPR requirements checklist for practical readiness
- Understanding GDPR data subject rights
Our editable GDPR (EU Regulation 2016/679) toolkit gives you ready-to-use breach response procedures, notification templates and a breach register so you can act within 72 hours with confidence. Explore the GDPR toolkit and put your notification process on a compliant footing today.

