Under GDPR Article 33, a controller must notify its supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. When a breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay under Article 34. Your Secure Privacy DPO manages the full breach response process: initial triage and risk assessment, supervisory authority notification, data subject communications, and post-breach review.
Who Is This For?
Data Protection Officers and privacy managers responsible for breach response under GDPR
IT and security teams identifying and containing data security incidents
Legal and compliance teams managing notification obligations to supervisory authorities
Organizations subject to GDPR that handle personal data and need a structured breach response process
The DPO's Role in GDPR Data Breach Response
When a personal data breach occurs, time is critical. Your Secure Privacy DPO plays a central role in ensuring your organization identifies the breach correctly, assesses its severity, meets all notification deadlines, and documents the incident in line with GDPR Article 33(5) requirements.
Data Breach Assessment Process
When a potential breach is reported, your Secure Privacy DPO follows a structured five-stage assessment:
Initial triage: Determine whether a personal data breach has occurred as defined under GDPR Article 4(12).
Risk assessment: Evaluate the likelihood and severity of risk to the rights and freedoms of affected individuals.
Scope determination: Identify the categories and approximate number of data subjects and records affected.
Containment advice: Recommend immediate technical and organizational measures to contain and limit the breach.
Notification decision: Determine whether notification to the supervisory authority and/or affected data subjects is required under GDPR Articles 33 and 34.
GDPR 72-Hour Breach Notification Requirements
GDPR sets different notification obligations depending on the risk level of the breach. The table below summarizes each notification type, when it is triggered, the applicable deadline, and the minimum required content.

| Notification Type | Trigger | Deadline | Required Contents |
|---|---|---|---|
| Supervisory Authority (Article 33) | Breach likely to result in a risk to individuals' rights and freedoms | Without undue delay and, where feasible, within 72 hours of awareness; later notifications must state the reasons for the delay | Nature of the breach, categories and approximate numbers of data subjects and records affected, DPO (or other contact point) contact details, likely consequences, measures taken or proposed (Article 33(3)) |
| Data Subjects (Article 34) | Breach likely to result in a high risk to individuals' rights and freedoms | Without undue delay | Plain-language description of the nature of the breach, DPO contact details, likely consequences, measures taken or proposed, including steps recommended to affected individuals |
| No Notification Required | Breach unlikely to result in a risk to individuals | N/A | Document in the internal breach register only (Article 33(5)); no external notification required |
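The five-stage assessment above and the notification table reduce to a small, repeatable decision that is worth encoding so the same rule is applied to every incident. The following Python helper is an added illustration, not Secure Privacy's code or tooling: it takes a timezone-aware awareness timestamp and the assessed risk level, derives who must be notified under Articles 33 and 34, computes the 72-hour deadline, flags when reasons for delay are required, checks a draft notification against the Article 33(3) minimum content, and produces an Article 33(5) register entry with the rationale recorded even when nothing is sent externally. The field names, the `BreachRecord` structure and the sample breach in `main()` are assumptions made for the example.

```python
"""Breach-response decision helper: an added illustration of the Article 33/34
triage described on this page. Not Secure Privacy's code; the field names and
the sample breach below are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    """Outcome of the risk assessment (Art 33(1) and Art 34(1) thresholds)."""
    UNLIKELY = "unlikely to result in risk"
    RISK = "likely to result in risk"
    HIGH = "likely to result in high risk"


# Art 33(1): "not later than 72 hours" after becoming aware. Calendar hours,
# not business days, so a Friday-evening discovery is due Monday evening.
SA_DEADLINE = timedelta(hours=72)

# Art 33(3)(a)-(d): minimum content of the supervisory-authority notification.
# The key names are assumed for this example.
ART_33_3_FIELDS = (
    "nature",                  # (a) nature of the breach, including categories
    "categories_and_numbers",  #     and approximate numbers of subjects/records
    "dpo_contact",             # (b) name and contact details of the DPO
    "likely_consequences",     # (c) likely consequences of the breach
    "measures",                # (d) measures taken or proposed
)


@dataclass
class BreachRecord:
    aware_at: datetime                       # must be timezone-aware
    risk: Risk
    draft_notification: Dict[str, str] = field(default_factory=dict)
    notified_sa_at: Optional[datetime] = None


def _require_aware(ts: datetime, name: str) -> None:
    # A naive timestamp silently shifts the deadline by the local UTC offset.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def sa_deadline(aware_at: datetime) -> datetime:
    """Latest time for the Art 33 notification, given when awareness began."""
    _require_aware(aware_at, "aware_at")
    return aware_at + SA_DEADLINE


def must_notify_sa(risk: Risk) -> bool:
    """Art 33(1): notify unless the breach is unlikely to result in risk."""
    return risk is not Risk.UNLIKELY


def must_notify_subjects(risk: Risk) -> bool:
    """Art 34(1): the higher threshold, likely to result in a HIGH risk."""
    return risk is Risk.HIGH


def missing_33_3_fields(draft: Dict[str, str]) -> List[str]:
    """Names of Art 33(3) elements that are absent or blank in a draft."""
    return [f for f in ART_33_3_FIELDS if not draft.get(f, "").strip()]


def register_entry(rec: BreachRecord, now: datetime) -> dict:
    """Build the Art 33(5) register entry: facts, decision and rationale."""
    _require_aware(now, "now")
    notify_sa = must_notify_sa(rec.risk)
    deadline = sa_deadline(rec.aware_at) if notify_sa else None
    sent_at = rec.notified_sa_at
    if sent_at is not None:
        _require_aware(sent_at, "notified_sa_at")
    # Art 33(1): a notification made after 72 hours must state the reasons
    # for the delay; an unsent notification past its deadline is also late.
    late = deadline is not None and (sent_at or now) > deadline
    subjects = must_notify_subjects(rec.risk)
    rationale = f"Assessed as {rec.risk.value}; " + (
        "Art 33 notification required" if notify_sa
        else "no Art 33 notification, register only")
    if subjects:
        rationale += "; Art 34 data subject communication required"
    return {
        "aware_at": rec.aware_at.isoformat(),
        "risk": rec.risk.value,
        "notify_sa": notify_sa,
        "sa_deadline": deadline.isoformat() if deadline else None,
        "reasons_for_delay_required": late,
        "notify_subjects": subjects,
        "missing_33_3_fields": (missing_33_3_fields(rec.draft_notification)
                                if notify_sa else []),
        "rationale": rationale,  # recorded even when nothing is sent (Art 33(5))
    }


def main() -> None:
    # Constructed sample: a mislabelled export discovered on a Friday evening.
    aware = datetime(2024, 3, 1, 18, 0, tzinfo=timezone.utc)
    rec = BreachRecord(aware_at=aware, risk=Risk.RISK,
                       draft_notification={"nature": "Customer export sent to wrong recipient"})
    for k, v in register_entry(rec, now=aware + timedelta(hours=6)).items():
        print(f"{k}: {v}")


if __name__ == "__main__":
    main()
```

The deadline deliberately rejects naive timestamps: the 72 hours run from the moment of awareness, and a breach logged in local time by one team and reviewed in UTC by another can appear to gain or lose several hours. The `missing_33_3_fields` check is the one to run before the draft leaves the DPO, since Article 33(4) allows information to follow in phases but not the notification itself to wait for it.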
What Your Secure Privacy DPO Provides During a Data Breach
Expert notification assessment
Your DPO assesses notification obligations across all applicable jurisdictions — including requirements beyond GDPR where relevant — ensuring your organization meets every applicable deadline.
Supervisory authority notification drafting
Your DPO drafts the formal notification to the relevant supervisory authority, ensuring it meets the minimum content requirements under GDPR Article 33(3).
Data subject communication drafting
Where individual notification is required under Article 34, your DPO prepares clear, plain-language communications for affected data subjects.
Containment and remediation guidance
Your DPO advises on immediate technical and organizational measures to contain the breach and reduce further exposure, working alongside your IT and security teams.
Breach register documentation
Your DPO ensures every incident is fully documented in your internal breach register, regardless of whether external notification is required.
Post-breach review
After the immediate response, your DPO conducts a structured post-breach review to identify root causes and recommend measures to prevent recurrence.
GDPR Breach Register: Article 33(5) Requirements
Regardless of whether supervisory authority notification is required, GDPR Article 33(5) mandates that all personal data breaches be documented internally. Your Secure Privacy DPO maintains a comprehensive breach register that records:
The facts of each breach, including date, nature, and scope
The effects and likely consequences for affected individuals
The remedial actions taken and any notification decisions made
The rationale for decisions not to notify where notification thresholds were not met
This register provides your organization with a complete, audit-ready record of all breach incidents for regulatory review.
Frequently Asked Questions
What is the GDPR 72-hour breach notification deadline?
Under GDPR Article 33, organizations must notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, provided the breach is likely to result in a risk to individuals' rights and freedoms. A notification made after 72 hours must be accompanied by reasons for the delay. Where not all of the required information is available within that window, Article 33(4) allows it to be provided in phases without undue further delay, so an incomplete picture is not a reason to hold the initial notification.
Do all data breaches need to be reported to the supervisory authority?
No. Notification to the supervisory authority is only required when the breach is likely to result in a risk to individuals' rights and freedoms. However, all breaches — regardless of risk level — must be documented in the internal breach register under Article 33(5).
When must affected individuals be notified of a data breach?
Data subjects must be notified without undue delay when a breach is likely to result in a high risk to their rights and freedoms — a higher threshold than the supervisory authority notification trigger. Your DPO assesses this threshold as part of the breach triage process.
What if a breach involves personal data processed in multiple EU member states?
For cross-border processing, the notification is made to the lead supervisory authority under GDPR's one-stop-shop mechanism, which then coordinates with the other supervisory authorities concerned; where the one-stop-shop does not apply, each relevant authority may need to be notified separately. Your DPO will advise on the correct notification routing for multi-jurisdictional incidents.