TL;DR
  • The 72-hour clock for GDPR supervisory authority notification (Article 33) starts the moment your organisation becomes aware of a breach — not when you finish investigating it.
  • Hours 0–4: contain the incident and convene your response team. Do not delete anything. Preserve all logs.
  • Hours 4–24: notify leadership and legal counsel, formally declare an incident, begin evidence preservation, and make a preliminary breach determination.
  • Hours 24–48: file your supervisory authority notification if personal data is confirmed affected. Incomplete notifications are acceptable; you can supplement later.
  • Hours 48–72: communicate with affected clients, publish your remediation plan, and begin post-incident review.

At 11:47 on a Tuesday morning, a partner at a 22-person accounting firm receives a call from a client asking why their accountant’s email address just sent them a link to a Google Drive folder they don’t recognise. The partner opens their own email and sees the same outbound message — sent to 340 contacts — from an account they didn’t touch. The email contains a phishing link. The account has been compromised.

This is the moment the 72-hour clock starts. Not when IT finishes the forensic review. Not when the partner finishes the call. Not when the full scope of the breach is understood. Under GDPR Article 33, the clock begins at the point of awareness — and the obligation to notify your supervisory data protection authority within 72 hours is non-negotiable unless you can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

For most professional services firms — accountants, lawyers, financial advisers, HR consultancies — a compromised email account almost certainly qualifies. Client names, financial positions, legal matters, and personal correspondence are exactly the categories of data that regulators consider high risk. The question is not whether you need to act. The question is how to act correctly under time pressure, with incomplete information, while simultaneously managing client relationships and attempting to contain the underlying incident.

This guide gives you a concrete, hour-by-hour framework for the first 72 hours. It is not a substitute for legal counsel — engage your DPO or data protection solicitor immediately — but it is a practical starting point for firms that have never navigated a breach response before.

Hours 0–4: Contain and assess

The instinct in the first minutes of a breach discovery is to start fixing things. Resist it. Remediation that destroys evidence can be as damaging as the breach itself, particularly if you later need to demonstrate to a regulator what happened and what was affected. The goal of the first four hours is not to fix the problem — it is to stop the bleeding while preserving everything you will need later.

ACTION 1

Isolate affected systems without destroying state

If a user account is compromised, revoke active sessions and disable the account — but do not delete it. If a system is behaving anomalously, isolate it from the network but do not wipe or reimage it. Forensic investigation requires the original state. Take screenshots or exports of anything you can see now: active sessions, recent login locations, outbound message logs, unusual OAuth grants.

ACTION 2

Preserve logs immediately

Cloud service logs — Google Workspace audit logs, Microsoft 365 Unified Audit Log, AWS CloudTrail — have default retention windows. Microsoft 365 retains audit logs for 90 days on most plans, 180 days on E3/E5. If you are on a lower plan, some logs are gone within 30 days. Export everything you can access right now: login events, file access events, email send events, permission changes. These are your evidence chain.

ACTION 3

Convene your incident response team

Even if your “incident response team” is two partners and an IT support contact, get them on a call within the first hour. Assign roles: one person owns technical containment, one person owns communication (internal and external), one person owns the regulatory documentation trail. If you have a Data Protection Officer or data protection legal adviser, call them now — they need to be in the loop before any external communication happens.

ACTION 4

Make a preliminary scope assessment

You will not have complete information. That is expected. What you need at hour 4 is a preliminary answer to three questions: What systems or accounts were affected? What categories of personal data might those systems contain? How many individuals could be affected? “We believe the compromised email account contained correspondence relating to approximately 300 clients, including names, email addresses, and references to financial matters” is a sufficient preliminary assessment. You will refine it.

Do not notify clients before you notify your supervisory authority. This is a common and costly mistake. Client notification without regulatory coordination can complicate your legal position, create inconsistent messaging, and in some jurisdictions, constitute a separate compliance failure. Get legal counsel involved before any external communication goes out.

Hours 4–24: Notify leadership, engage legal, preserve evidence

By hour 4 you should have basic containment in place and a preliminary scope assessment. The next phase is about getting the right people informed and building the formal record that will underpin your regulatory notification. This phase is as much about documentation discipline as it is about technical investigation.

Formally declare the incident in writing. Send an internal notification to senior leadership and your legal team that states: the date and time the incident was discovered, who discovered it, the preliminary scope assessment, the containment actions taken so far, and the names of the people assigned to the response. This email or document becomes the start of your incident timeline — a contemporaneous record that regulators will request and that demonstrates you took the matter seriously from the moment of discovery.

Your legal counsel or DPO will need to make a formal determination: does this breach require notification to the supervisory authority under GDPR Article 33? The test is whether the breach is “likely to result in a risk to the rights and freedoms of natural persons.” In practice, for professional services firms, any breach involving client personal data — names, financial details, matter references, correspondence — will meet this threshold. Assume notification is required until your legal adviser confirms otherwise.

Continue your technical investigation in parallel. The goal is to answer: How did the attacker gain access? What is the full scope of data potentially accessed or exfiltrated? Is the attacker still present in your environment? The answers will form the core of your supervisory authority notification. Document every finding as you go, with timestamps. Create a running incident log — a shared document that all response team members update in real time with what they discovered, when, and what action was taken.

Hours 4–24 checklist
  • Formal incident declaration sent to leadership and legal in writing, with timestamp
  • DPO or data protection legal adviser engaged and confirmed in the loop
  • All available audit logs exported and stored in a secure, write-protected location
  • Running incident log created and shared with response team
  • Technical investigation underway: attack vector, scope, persistence check
  • Preliminary breach determination made by legal adviser (notify / no notify)
  • Draft of supervisory authority notification begun (even if incomplete)
  • No external communication has gone out without legal sign-off

Hours 24–48: Regulatory notification under GDPR Article 33

GDPR Article 33 requires notification to your supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” The critical word is “feasible.” The regulation explicitly acknowledges that you may not have complete information within 72 hours, and it allows for phased notification: you notify within 72 hours with what you know, and you supplement with additional information as the investigation progresses.

This means you should not wait until the investigation is complete before filing. An incomplete notification submitted within 72 hours is far better than a complete notification submitted at hour 80. Regulators understand that investigations take time. What they do not accept is using incomplete information as a reason to delay filing.

The Article 33 notification must contain, to the extent possible:

Most EU supervisory authorities — the ICO in the UK, the DPC in Ireland, the BfDI in Germany, Datatilsynet in Norway — have online notification portals. In the UK, the ICO’s breach report form is available at ico.org.uk and takes approximately 30–45 minutes to complete. File in the jurisdiction where your organisation is established, or where your affected clients are based if you operate across borders.

Template: Supervisory authority notification summary paragraph

On [DATE] at approximately [TIME], we became aware that an employee email account at [ORGANISATION NAME] had been accessed without authorisation. Preliminary investigation indicates the account was compromised via [ATTACK VECTOR, e.g., credential phishing] and was accessed between approximately [START TIME] and [CONTAINMENT TIME]. The affected account contained correspondence with approximately [NUMBER] individuals, including personal data in the categories of [CATEGORIES, e.g., names, email addresses, references to financial matters]. We have no evidence at this stage that data was exfiltrated, but we cannot exclude this possibility pending full forensic review. Containment measures implemented include: [LIST ACTIONS]. We are continuing our investigation and will supplement this notification as further information becomes available.

After filing, your supervisory authority may contact you with follow-up questions or request a supplementary report. Respond promptly. Regulators distinguish between organisations that engage cooperatively and those that are evasive — the former consistently receive more favourable outcomes in enforcement decisions.

Hours 48–72: Client communication and remediation plan

GDPR Article 34 requires you to notify affected individuals “without undue delay” when the breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than the supervisory authority notification — not every notifiable breach requires individual notification — but for most professional services breaches involving client personal data, the threshold will be met.

Your legal adviser will confirm whether individual notification is required. If it is, the notification to affected clients must describe in clear and plain language: the nature of the breach, the name and contact details of your DPO or contact point, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate adverse effects. It must not minimise the incident, make promises you cannot keep, or request any action from the client that is not genuinely necessary.

Template: Client breach notification letter

Dear [CLIENT NAME],

I am writing to inform you of a security incident affecting [ORGANISATION NAME] that may have involved your personal data. We take this matter extremely seriously and want to provide you with full transparency about what happened and what we are doing about it.

What happened: On [DATE], we discovered that an employee email account had been accessed without authorisation. The account contained correspondence relating to our work for you, including [SPECIFIC DATA CATEGORIES, e.g., your name, email address, and references to your financial matters with us].

What we have done: We immediately secured the affected account, revoked active sessions, and began a forensic investigation. We have notified the [SUPERVISORY AUTHORITY] as required by law. We have engaged independent cybersecurity specialists to review the full scope of the incident.

What this means for you: We have no evidence that your data was copied or misused. However, we recommend that you [SPECIFIC ADVICE, e.g., be alert to phishing emails, report any suspicious contact claiming to be from us]. Please do not hesitate to contact [CONTACT NAME] at [EMAIL / PHONE] with any questions or concerns.

We apologise sincerely for this incident and for any concern it causes you.

Alongside client communication, publish your remediation plan internally and communicate it to your supervisory authority as a supplement to your original notification. The remediation plan should address the root cause: if the breach was caused by credential phishing, the plan should include MFA enforcement, phishing simulation training, and a review of email security controls. Vague commitments to “improve security” are not sufficient — regulators want to see specific, time-bound actions.

REMEDIATION

What a credible remediation plan contains

Root cause analysis (specific, technical), immediate containment measures already taken, medium-term controls being implemented with target dates, process changes to prevent recurrence (procurement gate, access review cadence, incident response plan update), and a named owner accountable for each action. Submit this to your supervisory authority as a supplementary notification within 30 days of the incident.

After 72 hours: The post-incident phase

Once the immediate response window closes, the work does not stop — it shifts. You enter a phase of ongoing investigation, supplementary regulatory reporting, and internal process improvement. Most supervisory authorities expect a final incident report within 30 days, even if you have been communicating throughout. Begin drafting this report at the end of the 72-hour window, incorporating everything you have learned.

Conduct a post-incident review with your full response team within five business days. The review should assess not just what happened technically but how the response process performed. Were the right people notified quickly enough? Did the incident log capture everything needed? Was the supervisory authority notification filed on time? Were clients notified with the right level of detail and care? Each gap in the response process is a process improvement item for your updated incident response plan.

The firms that handle breach response most effectively are not those that never have breaches — they are those that have invested in the infrastructure to detect, contain, document, and report incidents before an incident occurs. That infrastructure includes a documented incident response plan with assigned roles, an audit trail system that captures user activity in real time, a reliable log retention policy, and DPA agreements already in place with all vendors who process personal data. When the 11:47 Tuesday morning call comes, the firms with that infrastructure spend their first four hours responding. The firms without it spend their first four hours searching for information they should already have had.

The one preparation that saves the most time: Maintain a current data map — a document that records what personal data your firm holds, where it is stored, which systems process it, and which third-party vendors have access. A breach response with a current data map takes hours to scope. A breach response without one takes days. The data map is also a core requirement under GDPR Article 30 (records of processing activities). If you do not have one, build it before you need it.

Built-in audit trails and incident response infrastructure

HubSecure maintains a real-time audit log of all user actions, a complete data map of every data category in your environment, and automated supervisory authority notification workflows. When a breach occurs, the evidence chain is already built. The 72-hour clock is manageable.

Reserve your founding seat