GDPR Data Breach Response: Your 72-Hour Legal Obligation Guide (2026)
A data breach is not just a technical problem — it is a legal emergency with a countdown clock attached. Under the General Data Protection Regulation, most organisations have exactly 72 hours from the moment they become aware of a personal data breach to notify their supervisory authority. Miss that window and the fines start at €10 million or 2% of global annual turnover — whichever is higher. This guide tells you exactly what to do, in what order, and how to document it all.
Claire Beaumont
GDPR Compliance Lead · May 14, 2026 · 11 min read
Understanding the GDPR 72-Hour Notification Rule
Article 33 of the GDPR is unambiguous: a controller who becomes aware of a personal data breach must notify the competent supervisory authority — in Germany the relevant Landesbeauftragte, in France the CNIL, in the UK the ICO — without undue delay and, where feasible, within 72 hours of becoming aware. If the notification is not made within 72 hours, it must be accompanied by reasons for the delay.
The clock starts the moment your organisation has a reasonable degree of certainty that a security incident has occurred and that personal data has been affected. You do not need absolute proof. You do not need to know the full scope. Awareness of the incident — not completion of your investigation — starts the timer.
Article 34 adds a parallel obligation: if the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, you must also notify those individuals directly — without undue delay. High-risk breaches include exposure of medical records, financial data, authentication credentials, or any data that could enable identity theft or discrimination.
Important: The 72-hour rule applies to controllers. Processors who discover a breach must notify the controller "without undue delay" — in practice, most DPAs expect processor notification within 24 hours so the controller can still meet the 72-hour deadline. If you are a processor, check your Data Processing Agreements now.
Non-compliance is expensive. In 2025 alone, European DPAs issued over €1.4 billion in GDPR fines. A significant portion of those fines were directly related to late or absent breach notifications. The Irish DPC, the CNIL, and the Italian Garante are all actively pursuing organisations that fail to report on time — including SMEs that previously assumed they were too small to matter.
The 5-Step GDPR Breach Response Plan
A structured response is the difference between a manageable incident and a regulatory catastrophe. The following five steps should be executed in parallel where possible — you do not have the luxury of sequential processing when operating under a 72-hour window.
Contain the breach immediately
The first priority is to stop the bleeding. This means isolating affected systems, revoking compromised credentials, blocking malicious IP addresses or accounts, and preserving forensic evidence. Do not wipe systems before logging their state — you will need that evidence for your regulatory report and potentially for legal proceedings.
Containment should begin within the first hour of detection. Assign a named incident commander with authority to take technical action without waiting for management approval chains. Every minute of delay during active exfiltration increases the scope of the breach.
Assess the scope and risk level
Once containment is in progress, begin your risk assessment. You need to determine: which categories of personal data were affected (special category data triggers higher obligations), approximately how many data subjects are involved, whether the data was encrypted at rest, whether the breach involved exfiltration or only unauthorised access, and the likely consequences for affected individuals.
The EDPB (European Data Protection Board) has published risk assessment guidelines and a breach severity calculator. Use them. DPAs expect you to document your risk assessment methodology — "we checked and it seemed fine" will not satisfy an audit.
Notify your Data Protection Officer and legal counsel
Your DPO must be involved immediately. Under Article 39, the DPO's role includes advising on data protection obligations and acting as the point of contact with supervisory authorities. If you do not have an in-house DPO (mandatory for public authorities, large-scale processors, or handlers of special category data), your external DPO or legal counsel must be looped in within the first two hours.
Legal privilege applies to communications with your lawyers about the breach, which may be important if litigation follows. Document every decision and who made it.
Notify the supervisory authority within 72 hours
File your notification through the official portal of your lead supervisory authority. For organisations with a main establishment in Germany, this will be the relevant Landesbeauftragte. The notification must include:
- ✓ Nature of the breach and categories of data affected
- ✓ Approximate number of individuals affected
- ✓ Contact details of the DPO or other contact point
- ✓ Likely consequences of the breach
- ✓ Measures taken or proposed to address the breach
You can submit an initial notification with partial information and supplement it later — this is explicitly permitted under Article 33(4). Do not delay filing because your investigation is incomplete.
Notify affected individuals if required
If your risk assessment concludes that the breach is likely to result in high risk to individuals, you must notify them directly. The communication must be in clear and plain language. It must describe the nature of the breach, include your DPO contact details, explain the likely consequences, and describe what steps you are taking to mitigate harm.
Organisations that communicate openly and quickly consistently receive more lenient treatment from DPAs than those who attempt to minimise or conceal the incident. Transparency is both a legal requirement and a strategic advantage.
Get your GDPR breach response plan — we set it up in 48 hours
Most organisations discover they have no documented breach response procedure when they are already inside a live incident. Don't let that be you. WebGuard's compliance team builds and tests your bespoke GDPR breach response plan — policies, templates, DPA notification workflows, and staff training — in 48 hours.
Get your breach response plan →DPA Notification Checklist: What to Prepare Before You File
Filing an incomplete or poorly prepared notification makes a bad situation worse. Use this checklist before you submit:
Incident Details
- ✓ Date and time breach was detected
- ✓ Date and time breach is estimated to have begun
- ✓ Type of breach (confidentiality, integrity, availability)
- ✓ Attack vector or cause (ransomware, insider, misconfiguration, etc.)
- ✓ Systems and data stores affected
Data & Subject Scope
- ✓ Categories of personal data involved
- ✓ Whether special category data (Art. 9) is affected
- ✓ Approximate number of data subjects affected
- ✓ Whether data was encrypted, pseudonymised, or in plaintext
- ✓ Nationalities of affected individuals (cross-border implications)
Organisational Response
- ✓ Containment measures taken
- ✓ Ongoing investigation status and timeline
- ✓ Remediation measures planned or in progress
- ✓ Whether law enforcement has been notified
- ✓ Whether affected individuals have been or will be notified
Contact & Documentation
- ✓ DPO name, email, and phone number
- ✓ Lead supervisory authority (one-stop-shop mechanism)
- ✓ Internal incident log with timestamps
- ✓ Reason for any delay beyond 72 hours (if applicable)
- ✓ Reference to your breach register (Art. 33(5) obligation)
Article 33(5) requires controllers to document all personal data breaches, regardless of whether they are reportable to the supervisory authority. Your breach register is subject to DPA audit at any time.
Five Mistakes That Turn a Breach Into a Fine
Waiting until the investigation is complete before notifying
The GDPR does not require a complete investigation before notification. It requires notification when you become aware. Waiting for forensics to finish while the 72-hour clock runs down is the single most common compliance failure — and one DPAs fine heavily.
Notifying only the IT team internally
Breach response is not an IT function — it is an organisational function. Failure to escalate to the DPO, legal counsel, and senior management within hours is a systemic governance failure that supervisory authorities take seriously.
Destroying or overwriting evidence before documenting it
Under pressure, IT teams sometimes wipe compromised systems to restore service quickly. Without forensic evidence, you cannot accurately complete your DPA notification, cannot identify the full scope of affected data, and may underestimate your obligations to notify individuals.
Using vague or downplaying language in DPA notifications
Phrases like "a small number of records may have been accessed" when 50,000 records were confirmed exfiltrated are a red flag to regulators. Inaccurate notifications can result in additional sanctions for lack of transparency.
Having no documented breach response procedure before an incident
Article 32 requires organisations to implement appropriate technical and organisational measures, which explicitly includes procedures for regularly testing, assessing, and evaluating the effectiveness of your security measures. No documented incident response plan is a prima facie Art. 32 violation, even before a breach occurs.
After the 72 Hours: Post-Breach Obligations and Recovery
Meeting the 72-hour notification deadline is the beginning of your obligations, not the end. Supervisory authorities will typically follow up with requests for additional information, updates on your investigation, and evidence of your remediation measures. Expect to receive formal questions within two to four weeks of filing.
Your post-breach obligations include maintaining your breach register with full incident documentation, providing supplementary information to the DPA as your investigation progresses, implementing technical and organisational improvements to prevent recurrence, and conducting a formal lessons-learned review.
Finally: use the breach as a forcing function. Organisations that treat breaches as pure crises miss the opportunity to identify systemic vulnerabilities, update their Record of Processing Activities, retrain staff, and upgrade their technical controls. The cost of prevention is always a fraction of the cost of a breach — and DPAs look more favourably on organisations that demonstrate genuine improvement.
Frequently Asked Questions
Do I have to notify the DPA for every data breach, even minor ones?
No. Article 33(1) requires DPA notification only when the breach is "likely to result in a risk to the rights and freedoms of natural persons." Low-risk breaches do not trigger the notification obligation. However, you must still document all breaches in your internal breach register under Article 33(5), and you must document your risk rationale for any breach you decide not to report.
What happens if we miss the 72-hour deadline?
Missing the deadline does not automatically result in a fine, but it does trigger an elevated level of regulatory scrutiny. You must submit the notification with a documented explanation for the delay. DPAs assess whether the delay was justified or reflects organisational dysfunction. Notify as soon as possible and be transparent about the reasons for the delay.
We are a small business with fewer than 50 employees. Are we exempt from the 72-hour rule?
No. The GDPR does not provide a size-based exemption for breach notification obligations. The 72-hour rule applies to all controllers regardless of company size, industry, or revenue. DPAs across Europe have increasingly targeted SMEs in their enforcement actions, specifically because many small organisations assume they are below the regulatory radar.
Protect your business from GDPR fines — book a free compliance review
WebGuard's GDPR compliance team has helped over 200 European businesses build robust breach response procedures, achieve regulatory readiness, and navigate live incidents without catastrophic fines. Our free compliance review identifies your biggest exposure areas and delivers a prioritised remediation roadmap — at no cost and no obligation.
Book your free compliance review →No commitment. No upsell pressure. Just actionable GDPR guidance.