The 72-hour challenge: Complete guide to GDPR breach notification, risk assessment, reporting requirements, and avoiding massive penalties.
The Stakes Are Enormous
GDPR Article 33 requires breach notification to Data Protection Authorities within 72 hours of becoming aware. Failure to comply can result in fines up to €20 million or 4% of global annual revenue, whichever is greater. In 2023, Amazon was fined €746 million for GDPR violations. Your incident response plan MUST account for this deadline.
Key numbers: 72 hours to notify the DPA; a maximum fine of €20 million or 4% of global annual revenue, whichever is greater.
What Qualifies as a "Personal Data Breach"?
GDPR defines a personal data breach as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data." This is broader than you might think:
Confidentiality breach: unauthorized access to personal data; data exfiltration by an attacker; accidental public disclosure; an employee accessing data without authorization.
Integrity breach: personal data altered or corrupted; ransomware encryption; database records modified; data manipulation.
Availability breach: a DDoS attack preventing access to data; a system failure making data inaccessible; ransomware locking systems; accidental deletion of data.
Physical breach: a laptop containing personal data stolen; paper records lost or stolen; a USB drive misplaced; improper disposal of records.
The 72-Hour Timeline
Tick-tock: what must happen and when.
Step 1, Hour 0: Become aware of the breach. The clock starts when the organization becomes aware that a breach has occurred. Activate incident response immediately; appoint a GDPR breach response lead; begin the preliminary assessment; preserve evidence and logs.
Step 2, Hours 0-24: Initial assessment and containment. Understand the scope and contain the breach: determine what personal data is affected; identify the number of individuals impacted; assess the likely consequences for those individuals; contain the breach (stop the data loss); engage legal counsel and the DPO.
Step 3, Hours 24-48: Risk assessment and decision. Determine whether notification is required: conduct a formal risk assessment; determine likelihood and severity; decide whether to notify the DPA or document the exception; if notifying, draft the notification; if not notifying, document the reasoning.
Step 4, Hour 72: DPA notification deadline. You MUST notify the DPA by this point if the breach poses a risk: submit the notification to the relevant DPA; provide all required information; if information is incomplete, explain why and when it will be available; keep documentation of the notification.
Step 5, Post-72 hours: Individual notification (if required). If the breach poses a high risk to individuals, notify them "without undue delay": prepare the individual notifications; send them to all affected individuals; provide clear advice on protective measures; set up support channels for questions.
Breach Risk Assessment: Do You Need to Notify?
Not all breaches require DPA notification, but you must document your reasoning. Article 33 requires notification only if the breach is "likely to result in a risk to the rights and freedoms of natural persons." You must assess both likelihood and severity:
Low Risk (May Not Require Notification)
✓ Data already encrypted with strong encryption (and the key was not compromised)
✓ Data already public information
✓ Breach immediately contained before any data was accessed
✓ Minimal data exposed (e.g., email addresses only)
✓ Very small number of individuals affected
IMPORTANT: even if you do not notify the DPA, you MUST document your reasoning in the breach register.
High Risk (MUST Notify DPA + Individuals)
! Sensitive personal data exposed (health, financial, biometric)
! Data of vulnerable individuals (children, patients)
! Large-scale breach (many individuals affected)
! Risk of identity theft or fraud
! Risk of discrimination or reputational damage
MANDATORY: high-risk breaches require notification to BOTH the DPA (within 72 hours) AND the affected individuals (without undue delay).
What to Include in DPA Notification
Article 33 specifies the required information.
1. Nature of the Breach
Must include: a description of what happened; the categories of personal data affected; the approximate number of individuals affected; the approximate number of records affected.
Example: "Unauthorized access to customer database via SQL injection. Affected data: names, email addresses, hashed passwords. Approximately 50,000 individuals, 75,000 records."
2. Contact Details
Must include: the name and contact details of the Data Protection Officer, or another relevant contact point; phone, email and physical address.
Example: "Contact: Jane Smith, Data Protection Officer, dpo@company.com, +44 20 1234 5678"
3. Likely Consequences
Must include: the likely impact on individuals; the potential for identity theft, financial loss, etc.; the risk of discrimination or other harm.
Example: "Risk of account takeover due to exposed credentials. Low risk of financial loss as payment data not exposed. Users advised to change passwords immediately."
4. Measures Taken
Must include: actions taken to address the breach; actions to mitigate adverse effects; the technical and organizational measures applied.
Example: "Database patched within 2 hours. All affected passwords reset. Multi-factor authentication deployed. Security audit initiated. Users notified with guidance."
Incomplete Information?
If you don't have all the information by the 72-hour deadline, you can still submit the notification with: (1) what you know so far, (2) why the information is incomplete, and (3) when you will provide the rest. Notifying on time with incomplete information is better than missing the deadline.
Individual Notification Requirements
When and how to notify affected people. If the breach is likely to result in a high risk to individuals, you must notify them directly (in addition to the DPA). The notification must be in clear and plain language:
What to Tell Individuals
Nature of the breach in plain language
Categories of personal data affected
DPO or contact point for more information
Likely consequences of the breach
Measures taken to address the breach
Recommendations to mitigate harm (change password, monitor accounts, etc.)
How to Notify
Direct communication when possible (email, letter)
If impracticable: Public communication via website, press release
"Without undue delay": there is no specific deadline, but notification must be prompt
Must be equally effective as DPA notification
Document all communications
Provide support channel for questions
Documentation Requirements
You must maintain a breach register covering ALL breaches. Article 33(5) requires organizations to document ALL personal data breaches, including those not reported to the DPA, recording the facts relating to the breach, its effects and the remedial action taken. DPAs can request to see your breach register at any time.
Each entry should also record the likelihood and severity analysis and the resulting high-risk determination.
Penalties for Non-Compliance
The financial stakes are enormous.
Maximum fines: €20 million OR 4% of global annual revenue, whichever is greater.
Recent examples:
Amazon: €746M (data processing violations)
WhatsApp: €225M (transparency violations)
Google: €90M (cookie consent violations)
British Airways: €22M (breach notification failure)
Practice the 72-Hour Challenge
Most organizations fail GDPR breach response without practice. Tabletop exercises are the best way to validate your GDPR breach response procedures. Key scenarios to test:
Breakpoint provides GDPR-specific breach scenarios with 72-hour countdown timers, DPA notification templates, and risk assessment frameworks. Practice before you need it.