Personal Data Breach Notification to Supervisory Authority
Plain English Translation
Under GDPR Article 33, organizations acting as data controllers must report a personal data breach to the competent supervisory authority within 72 hours of becoming aware of it. This 72-hour breach notification is required unless the organization can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the 72-hour deadline is missed, the organization must give the reasons for the delay when it submits the GDPR breach notification.
Technical Implementation
Required Actions (startup)
- Implement basic incident response procedures outlining how to report a personal data breach to a supervisory authority.
- Ensure engineering and support teams know how to escalate suspected breaches to legal or compliance immediately.
Required Actions (scaleup)
- Formalize a GDPR breach notification template to supervisory authority to streamline the reporting process.
- Establish a dedicated incident response team to quickly assess whether a breach is likely to result in a risk to individuals.
Required Actions (enterprise)
- Integrate automated incident tracking and response orchestration to ensure the 72-hour GDPR breach notification clock is strictly monitored.
- Conduct regular tabletop exercises specifically simulating the GDPR Article 33 breach notification requirements and risk assessment criteria.
GDPR Article 33 requires data controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The 72-hour GDPR breach notification clock starts the moment the organization becomes aware that a personal data breach has occurred. Awareness generally means the organization has a reasonable degree of certainty that a security incident has compromised personal data.
A personal data breach under GDPR means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes both accidental incidents, like misconfigured databases, and malicious attacks, such as ransomware.
Whether a breach is likely to result in a risk is determined by conducting a GDPR notifiable breach risk assessment that evaluates the type of data, the nature of the breach, and the potential consequences for data subjects. If the assessment shows the breach could lead to physical, material, or non-material damage, such as identity theft or financial loss, it poses a risk and must be reported.
A GDPR breach notification to a supervisory authority must describe the nature of the breach, the categories and approximate number of affected data subjects and records, the likely consequences, and the measures taken or proposed to mitigate adverse effects. It must also include the contact details of the Data Protection Officer or another point of contact.
If it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. This phased approach allows organizations to meet the GDPR Article 33 breach notification requirements even while the investigation is ongoing.
If the breached data was securely encrypted and the decryption key was not compromised, the breach is generally considered unlikely to result in a risk to individuals. In such cases, you may not need to notify the supervisory authority, but you must still document the incident and your justification to meet GDPR compliance.
The data controller is legally responsible for notifying the supervisory authority under GDPR Article 33. When considering GDPR breach notification processor vs controller responsibilities, the processor must simply notify the controller without undue delay after becoming aware of a breach.
If you miss the 72-hour deadline, your notification must be accompanied by the reasons for the delay. Failing to report in a timely manner without a valid justification violates the GDPR 72-hour notification rule and can result in administrative fines and regulatory scrutiny.
Organizations must document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with GDPR Article 33, and it is required even if you decide the breach was unlikely to result in a risk.
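As an added illustration of the decision rules described above (not code from the original page or from WatchDog Security's products), the following Python sketch models one breach-register entry: it computes the 72-hour deadline from the moment of awareness, applies the "unlikely to result in a risk" exception, demands reasons for a late notification, checks the Article 33(3) content elements, and insists that a non-notifiable decision is still documented. All field and function names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)   # Art. 33(1): "not later than 72 hours"

@dataclass
class BreachRecord:
    """One entry in the internal breach register kept under Art. 33(5) (assumed schema)."""
    aware_at: datetime                       # reasonable certainty that personal data was compromised
    likely_risk: bool                        # outcome of the risk assessment
    encrypted_key_safe: bool = False         # data securely encrypted and the key not compromised
    notified_at: Optional[datetime] = None   # None while the notification is still pending
    delay_reasons: str = ""                  # mandatory when notified_at is past the deadline
    justification: str = ""                  # why the breach was judged not notifiable
    # Art. 33(3) content; the counts may stay None while a phased notification is in progress
    nature: str = ""
    consequences: str = ""
    measures: str = ""
    contact: str = ""                        # DPO or other point of contact
    subjects_affected: Optional[int] = None
    records_affected: Optional[int] = None

def deadline(rec: BreachRecord) -> datetime:
    """The clock runs from awareness, not from when the incident first began."""
    return rec.aware_at + NOTIFICATION_WINDOW

def must_notify(rec: BreachRecord) -> bool:
    """Notify unless the breach is unlikely to result in a risk to individuals."""
    if rec.encrypted_key_safe:               # generally treated as unlikely to result in a risk
        return False
    return rec.likely_risk

def check_record(rec: BreachRecord) -> list:
    """Return the gaps a compliance reviewer would flag before closing the record."""
    issues = []
    if not must_notify(rec):
        if not rec.justification:
            issues.append("non-notifiable decision lacks documented justification")
        return issues                        # documented internally, nothing to send
    if rec.notified_at is not None and rec.notified_at > deadline(rec) and not rec.delay_reasons:
        issues.append("notified after 72 hours without reasons for the delay")
    for label, value in (("nature", rec.nature), ("consequences", rec.consequences),
                         ("measures", rec.measures), ("contact", rec.contact)):
        if not value:
            issues.append(f"notification missing required element: {label}")
    if rec.subjects_affected is None or rec.records_affected is None:
        issues.append("approximate counts pending: supply in a phased follow-up")
    return issues
```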
Meeting the 72-hour deadline depends on fast escalation, consistent triage, and having the required facts in one place. Tools like WatchDog Security's Compliance Center can help by centralizing the control requirements, prompting evidence capture (incident timelines, decision logs, drafts), and flagging gaps so teams can compile supervisory authority notifications quickly and consistently.
Regulators often focus on whether the organization can show a reasonable, consistent decision process (including why a breach was or was not notifiable). Tools like WatchDog Security's Risk Register can help by recording risk assessment outcomes, linking them to the incident record, assigning owners and due dates for follow-up actions, and producing board-level reporting that demonstrates oversight and remediation tracking.
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |