
Breach Notification

72-Hour GDPR Compliance (Articles 33 & 34)

⚠️ CRITICAL: 72-HOUR DEADLINE

You have 72 hours from when you become aware of a breach to notify the supervisory authority (Article 33). Failure can result in fines up to €10 million or 2% of global turnover.

  • 0-72h: Notify authority
  • If high risk: Notify data subjects
  • Document: All breaches

Quick Response Guide

  1. Log the breach IMMEDIATELY
     Create breach record in platform → Auto-starts 72-hour countdown timer
  2. Document details
     Nature, categories of data, approximate number affected, consequences
  3. Auto-notify supervisory authority
     Platform generates Article 33 notification → Sends via email/API to your DPA
  4. Notify data subjects (if high risk)
     Platform auto-sends emails to affected individuals (Article 34)

What Must You Report? (Article 33(3))

1. Nature of Breach

What happened (e.g., ransomware, unauthorized access, data loss)

2. DPO Contact Details

Name and contact details of your Data Protection Officer

3. Likely Consequences

Description of probable consequences of the breach

4. Measures Taken

Measures taken or proposed to address and mitigate

5. Categories of Data

Types of personal data affected

6. Number Affected

Approximate number of data subjects concerned

When to Notify Data Subjects (Article 34)

⚠️ REQUIRED: If High Risk to Rights and Freedoms

You must notify affected individuals "without undue delay" if the breach is likely to result in a high risk.

Examples: Identity theft, financial loss, reputational damage, loss of confidentiality

⚠️ EXCEPTIONS: You Don't Need to Notify If...

  • Data was encrypted/pseudonymized and key remains secure
  • You took subsequent measures to eliminate high risk
  • It would involve disproportionate effort (public communication instead)

Common CCO Scenarios

🚨 Ransomware Attack

Scenario: Database encrypted, customer data inaccessible

Actions:

  1. Log breach in platform (starts 72hr timer)
  2. Document: 50K customers affected, names, emails, addresses
  3. Auto-notify supervisory authority
  4. Auto-email all 50K affected customers (Article 34)
  5. Implement recovery measures

✅ Timeline: All notifications within 24-48 hours

📧 Accidental Email Disclosure

Scenario: Employee sends customer list to wrong recipient

Actions:

  1. Log breach immediately
  2. Document: 100 customers, low-medium risk
  3. Notify authority within 72hrs
  4. May not need to notify data subjects if recipient deletes

💻 Laptop Theft (Encrypted)

Scenario: Employee laptop stolen, but full-disk encryption enabled

Actions:

  1. Log breach (good practice)
  2. Document: Data encrypted, key secure, no risk
  3. May NOT need to notify authority (Article 34(3)(a) exception)
  4. No data subject notification required

✅ Key: Must document why notification not required

How Our Platform Helps

72-Hour Timer

Auto-starts countdown when breach logged, sends alerts at 48hrs, 60hrs, 70hrs

Auto-Email Notifications

Sends Article 33 notification to supervisory authority + Article 34 to data subjects

📋 Auto-Documentation

Captures all 6 required Article 33(3) fields + breach timeline + measures taken

📊 Audit Trail

Complete record of all breaches (even if not notified) for supervisory authority inspection

Frequently Asked Questions

When does the 72-hour clock start?

When you "become aware" of the breach - not when it occurred.

Example: Breach happens Monday, you discover it Thursday → Clock starts Thursday

⚠️ "Becoming aware" = when you have reasonable certainty a breach occurred

What if I don't have all information within 72 hours?

Article 33(4) allows you to provide information in phases:

  1. Initial notification with known details (within 72hrs)
  2. Follow-up with additional information as it becomes available

💡 Tip: Better to notify early with partial info than miss the 72-hour deadline
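The clock start, the 48/60/70-hour reminders, the six Article 33(3) elements and the phased notification described above, modelled as an added Python example that is not the platform's own code; the record field names, the key names used for the six elements and the sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

DEADLINE = timedelta(hours=72)   # Article 33(1): counted from becoming aware
ALERT_HOURS = (48, 60, 70)       # reminder thresholds named on the page
# The six Article 33(3) elements the page lists; the key names are assumed
REQUIRED_FIELDS = ("nature", "dpo_contact", "consequences", "measures",
                   "data_categories", "subjects_affected")

@dataclass
class BreachRecord:
    occurred_at: datetime        # when it happened: context only, not the clock start
    aware_at: datetime           # when you became aware: the 72h clock starts here
    high_risk: bool              # likely high risk to rights and freedoms (Art. 34)
    key_secure: bool = False     # encrypted and key still secure (Art. 34(3)(a) exception)
    details: dict = field(default_factory=dict)

    def deadline(self) -> datetime:
        return self.aware_at + DEADLINE

    def due_alerts(self, now: datetime) -> list:
        # Reminder thresholds already crossed at `now`
        elapsed = (now - self.aware_at).total_seconds() / 3600
        return [h for h in ALERT_HOURS if elapsed >= h]

    def missing_fields(self) -> list:
        return [f for f in REQUIRED_FIELDS if not self.details.get(f)]

    def must_notify_subjects(self) -> bool:
        # Article 34: notify on high risk unless the encryption exception applies
        return self.high_risk and not self.key_secure

    def plan(self, now: datetime) -> dict:
        # Article 33(4): file an initial notification with what is known, then follow up
        missing = self.missing_fields()
        return {
            "deadline": self.deadline(),
            "hours_remaining": round((self.deadline() - now).total_seconds() / 3600, 1),
            "alerts_due": self.due_alerts(now),
            "phase": "initial (follow-up required)" if missing else "complete",
            "missing_fields": missing,
            "notify_subjects": self.must_notify_subjects(),
        }

# Constructed sample: breach happens Monday, discovered Thursday, so the deadline is Sunday
SAMPLE = BreachRecord(
    occurred_at=datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc),  # Monday
    aware_at=datetime(2024, 3, 7, 9, 0, tzinfo=timezone.utc),      # Thursday: clock starts
    high_risk=True,
    details={"nature": "ransomware", "data_categories": "names, emails, addresses", "subjects_affected": 50000},
)
```

Calling `SAMPLE.plan(now)` at any point returns the deadline, the reminders already due, the elements still missing for the follow-up, and whether Article 34 subject notification is required.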

Do I need to document breaches that don't require notification?

YES - Article 33(5) requires documentation of ALL breaches, including:

  • Facts of the breach
  • Effects and consequences
  • Remedial action taken

✅ Supervisory authority can audit your breach log at any time

Ready to Manage Breaches?

Automate 72-hour breach notifications with countdown timers and auto-email to supervisory authority and data subjects.

Emergency Breach Detected? Act NOW

Log the breach immediately in the platform. The 72-hour clock is ticking. Every minute counts.