- GDPR Article 33: notify your supervisory authority within 72 hours of becoming aware of a breach
- Article 34: notify affected individuals without undue delay if the breach is high-risk
- The clock starts when any part of your organisation becomes aware — not just IT or legal
- Notification can be made in stages — initial notification within 72h, details to follow
A personal data breach under GDPR is not limited to hacking. It includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. An email sent to the wrong recipient, a lost laptop, an accidentally published spreadsheet — all can trigger breach notification obligations.
The 72-hour window is one of the most operationally demanding requirements in GDPR. Here is a tested response plan.
Hour 0–4: Contain and assess
- Activate your incident response team — DPO, IT security, legal, communications lead
- Contain the breach — revoke access, isolate systems, recover lost devices, stop the leak
- Preserve evidence — log files, email headers, access records. Do not destroy anything
- Document everything — time of discovery, who identified it, what actions were taken when
- Assess scope — what data was affected? How many individuals? What categories (health, financial, criminal)?
Hour 4–24: Risk assessment
Determine whether the breach is “likely to result in a risk to the rights and freedoms of natural persons.” Most breaches clear this bar and therefore require supervisory authority notification. Only low-risk breaches (e.g., encrypted data with no known decryption risk) are exempt.
Assess separately whether the breach is “likely to result in high risk”, which triggers direct notification to affected individuals under Article 34. High-risk indicators include:
- Special category data exposed (health, biometric, criminal records, religion)
- Financial data that could enable fraud or identity theft
- Large number of individuals affected
- Vulnerable populations (children, patients) among those affected
- Data in the hands of a malicious actor rather than accidental disclosure
Hour 24–48: Draft notification
Article 33 requires your notification to include:
- Nature of the breach (categories and approximate number of individuals and records affected)
- Name and contact details of your DPO or other contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach, including mitigation
Phased notification is permitted: if you cannot provide all details within 72 hours, submit what you know and flag that further information will follow. Submitting an incomplete notification on time is better than submitting a complete notification after the deadline.
Hour 48–72: Submit and notify individuals
- Submit to supervisory authority via their online portal (e.g., Datatilsynet in Norway, ICO in UK, CNIL in France)
- If high-risk: notify affected individuals in plain language explaining what happened, what data was affected, likely consequences, and steps they should take
- Document the submission including reference number and confirmation
Post-72h: Document and remediate
- Maintain a full breach register (Article 33(5) requires documentation of all breaches regardless of whether notification was required)
- Conduct root cause analysis
- Implement preventive measures and test them
- Update your incident response plan based on lessons learned
- Notify your supervisory authority of updates to the initial notification
Frequently Asked Questions
When your organisation becomes aware of the breach — not when IT confirms it, not when legal reviews it, not when the DPO is informed. If a front-line staff member discovers the breach on Friday evening, the clock starts Friday evening. This is why internal reporting procedures must be fast and clear.
The notification obligation depends on risk level, not data volume. A small breach exposing health records or financial credentials may require notification. A large breach of already-public data may not. Conduct a proper risk assessment for every breach regardless of size.
Supervisory authorities take late notifications seriously. Penalties can be significant. However, demonstrating a good-faith effort, a credible explanation for the delay, and strong remediation measures can mitigate penalties. Late notification is always better than no notification.
No. Individual notification under Article 34 is required only when the breach is “likely to result in high risk” to individuals. This is a higher bar than the supervisory authority notification threshold. But err on the side of notifying — failing to notify individuals when required can result in larger fines.
GDPR Article 33(5) requires all organisations to maintain documentation of every personal data breach — even those that did not require supervisory authority notification. This register must include: the facts, the effects, and the remedial action taken. Regulators inspect breach registers during audits.
HubSecure provides encrypted secure data storage, access logging, and permission controls that reduce breach risk. For firms managing client data, HubSecure's audit trail means you can quickly determine exactly what data was accessed and by whom — critical for the 72-hour assessment.
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.