Data Breach

GDPR 72-hour breach notification — what it means and how to comply

One of the most operationally demanding aspects of GDPR is the 72-hour breach notification requirement. Many businesses misunderstand when it applies, what they need to report, and what the consequences are for missing the deadline.

What triggers the notification obligation

Not every security incident triggers a notification obligation. GDPR Article 33 requires notification when a personal data breach is "likely to result in a risk to the rights and freedoms of natural persons." This means:

  • Higher-risk scenarios where notification is required: customer passwords exposed, financial data accessed, medical or health data leaked, data that could enable identity theft, or data that could be used for targeted attacks or discrimination
  • Lower-risk scenarios where notification may not be required: an encrypted laptop is lost with no evidence of decryption, a backup file is accidentally emailed to the wrong internal recipient with no external access, or technical data containing no personal information is exposed

When in doubt, notify. Regulators treat late or missing notifications more harshly than precautionary notifications.

When does the 72 hours start

The clock starts when you, as the controller, "become aware" of the breach. This has been interpreted to mean when you have a reasonable degree of certainty that a breach has occurred — not when you first suspect something is wrong, and not when the breach originally happened.

If your processor (e.g., your hosting company) becomes aware of a breach, they must notify you "without undue delay" — which triggers your 72-hour window.

What to include in the notification

Under GDPR Article 33, your notification to the supervisory authority must include:

  • The nature of the breach and approximate number of individuals affected
  • The categories and approximate number of personal data records affected
  • The name and contact details of your Data Protection Officer or other contact
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

You can submit an initial report with partial information and supplement it later. The ICO's online reporting tool at report.ico.org.uk is designed for this.

What happens if you miss the 72-hour deadline

If you notify after 72 hours, you must explain the reasons for the delay. Late notification does not automatically result in a fine, but it is a factor the regulator considers. The ICO's published guidance indicates that it takes a risk-based, proportionate approach to enforcement and will consider whether you had adequate processes in place to detect breaches quickly.

Notifying affected individuals

If the breach is "likely to result in a high risk" to individuals, you must also notify them "without undue delay" under Article 34 — this is separate from and in addition to the regulatory notification. The notification must describe the breach in plain language and tell them what steps they can take to protect themselves.

Preparing for the obligation

The only way to reliably meet a 72-hour deadline is to have a breach detection and response process in place before a breach occurs. This means: security monitoring on your systems, clear internal escalation paths so staff know who to tell when they spot something suspicious, and a documented incident response plan that everyone who handles personal data has read.

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.
