Compliance Corner · Episode 30 · 33 min

GDPR Data Breach: Your 72-Hour Response Playbook

Under GDPR, you have 72 hours to notify your supervisory authority of a personal data breach. Most companies are not ready for this. A step-by-step guide to what counts as a breach, what you must report, and how to build the response process before you need it.


Topics Covered

GDPR data breach, data breach notification, GDPR compliance, incident response

Transcript Excerpt

Elena: Article 33 of GDPR requires you to notify your supervisory authority — the ICO in the UK, CNIL in France, BfDI in Germany — within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. Sounds straightforward. In practice, it's one of the most stressful things a company can experience if they haven't prepared.

Elena: First question: what is a personal data breach? The GDPR definition is broader than most people expect — it's not just a hack. A breach is any event that leads to "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." This includes: a laptop with personal data left on a train, an email sent to the wrong recipient containing a client list, a developer accidentally exposing a database to the public internet, a ransomware attack.

Elena: The 72-hour clock starts when you become "aware." Not when the breach happened — when you found out. This is important because it means your internal escalation process needs to work quickly. If a developer notices something strange on a Friday afternoon and doesn't tell anyone until Monday morning, you've already used 48 hours.

Elena: What do you include in the notification? At minimum: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, the measures you've taken or propose to take. You don't need to have all the answers — you can submit a partial notification and update it. Regulators consistently say they'd rather receive an honest incomplete notification on time than a polished one after the deadline.

Full transcript available to subscribers.

Part of

Compliance Corner

EU AI Act and GDPR in plain English

31 episodes · Bi-weekly


Related Topics

GDPR data breach, 72-hour notification, GDPR breach response, data breach compliance, ICO notification