When a data breach happens, you have exactly 72 hours to notify your supervisory authority under GDPR. That clock starts the moment you "become aware" of the breach, not when you finish investigating it. Without a prepared response plan, those 72 hours disappear fast.
What Counts as a Data Breach?
A personal data breach is any security incident that leads to unauthorized access to, or the loss, destruction, or disclosure of, personal data. This includes:
- Cyber attacks: Ransomware, SQL injection, credential stuffing
- Accidental disclosure: Sending data to the wrong recipient, misconfigured cloud storage
- Lost devices: Unencrypted laptops, phones, or USB drives with personal data
- Insider threats: Employees accessing data beyond their authorization
- Third-party breaches: A vendor or processor suffers a breach affecting your data
- Website compromises: Supply chain attacks that inject malicious scripts
The 72-Hour Timeline
| Time | Action | Responsibility |
|---|---|---|
| Hour 0 | Breach detected and confirmed | IT / Security team |
| Hours 0-4 | Activate response team, contain the breach | Incident Commander |
| Hours 4-12 | Assess scope: what data, how many people, what risk | Security + Legal |
| Hours 12-24 | Determine notification obligations | DPO / Legal |
| Hours 24-48 | Prepare notification to supervisory authority | DPO / Legal |
| Hours 48-72 | Submit notification, begin individual notifications if needed | DPO |
| Post-72h | Continue investigation, update notification if needed | Full team |
What to Report to the Supervisory Authority
GDPR Article 33 requires the notification to include:
- Nature of the breach (type, categories and approximate number of data subjects affected)
- Name and contact details of the DPO or contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate effects
When to Notify Individuals
You must also notify affected individuals directly (GDPR Article 34) when the breach is "likely to result in a high risk to their rights and freedoms." This includes:
- Financial data exposure (payment cards, bank details)
- Login credentials compromised
- Health or sensitive data disclosed
- Identity theft risk (combined name + address + date of birth)
Building Your Response Plan
1. Establish the Response Team
- Incident Commander: Overall coordination
- IT/Security Lead: Technical investigation and containment
- DPO/Privacy Lead: Regulatory assessment and notifications
- Legal Counsel: Legal exposure and communication review
- Communications: Customer and media communications
- Management: Decision-making authority
2. Create Playbooks
Pre-written playbooks for common scenarios save critical hours:
- Ransomware attack playbook
- Website compromise playbook
- Credential leak playbook
- Third-party vendor breach playbook
- Accidental data disclosure playbook
3. Prepare Templates
- Supervisory authority notification form (most data protection authorities, or DPAs, provide online portals)
- Individual notification email template
- Internal communication template
- Media statement template (for high-profile breaches)
4. Practice
Run tabletop exercises at least annually. Simulate a breach scenario and walk through the response process. Time how long each step takes and identify bottlenecks.
Prevention Is Better Than Response
Most website breaches exploit known vulnerabilities. Proactive measures include:
- Implement security headers to prevent common attacks
- Audit third-party scripts for supply chain risks
- Configure email authentication to prevent phishing
- Set up continuous monitoring to detect changes
- Minimize data collection to reduce breach impact
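As an added example that is not part of the original article (and not PrivacyChecker's own code), the script below audits a captured set of HTTP response headers against the "security headers" item in the list above: it flags headers that are missing and headers that are present but configured too weakly to help. The list of headers checked, the 180-day HSTS threshold, and the two sample responses are assumptions constructed for illustration.

```python
"""Security-header audit for a captured HTTP response.

Added example, not code from the original article. It assumes the
response headers have already been captured into a dict (for instance
from a logged response); the sample header sets below are constructed.
"""
from __future__ import annotations

import re

# Minimum HSTS max-age to accept; 180 days is used here as a baseline (assumption).
MIN_HSTS_MAX_AGE = 15_552_000


def _hsts_ok(value: str) -> bool:
    """Strict-Transport-Security must carry a sufficiently long max-age."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(match) and int(match.group(1)) >= MIN_HSTS_MAX_AGE


def _csp_ok(value: str) -> bool:
    """A CSP whose script policy allows inline scripts or any origin
    does little to stop injected scripts, so treat it as weak."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources and "*" not in sources


# Header name -> predicate returning True when the value is acceptable.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: v.strip().lower()
    in {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
}


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per missing or weak header; an empty list means all checks passed."""
    normalized = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []
    for name, is_ok in CHECKS.items():
        value = normalized.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif not is_ok(value):
            findings.append(f"weak: {name}: {value}")
    return findings


# Constructed sample: a default deployment with a permissive CSP and nothing else.
UNHARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

# Constructed sample: the same site after the headers are added (cdn.example.invalid is a placeholder).
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, sample in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(f"{label}: {audit_headers(sample) or 'no findings'}")
```

Run against the unhardened sample the audit reports five findings (four missing headers plus the weak CSP); the hardened sample reports none. Because the check reads headers from a dict, the same function can be pointed at headers pulled from access logs or a monitoring probe to catch a deployment that silently drops a header.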
Run a free PrivacyChecker scan to identify security vulnerabilities on your website before attackers do. Prevention costs a fraction of breach response.