GDPR 72-Hour Breach Notification Checklist
GDPR's 72-hour clock is one of the tightest breach notification windows in the world — and it starts when you become "aware" of a breach, which is a lower bar than most US regulations. This checklist translates Article 33 into operational steps.
Any US company that processes personal data of people in the EU is in scope for GDPR Article 33. This is true even if you have no EU offices, no EU employees, and no physical presence in Europe. If an EU resident can buy from you, sign up with you, or visit your website while being tracked, you are subject to the 72-hour rule. For the broader framework, see our Incident Response Playbook.
When the Clock Starts
Article 33(1) requires notification "without undue delay and, where feasible, not later than 72 hours after having become aware." The critical phrase is "aware." The EDPB Guidelines 9/2022 define awareness as having "a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised."
In operational terms, the clock typically starts when:
- Your IR team confirms an incident involves personal data (not just any data)
- You have enough information to describe the nature of the breach and its likely consequences
- A brief initial investigation has ruled out a false positive
The clock does not start when you first receive an alert. It also does not wait until you fully understand the scope — partial, good-faith notification is the expected behavior.
When Notification Is Required
Notification to the supervisory authority is required unless the breach "is unlikely to result in a risk to the rights and freedoms of natural persons." That is a high bar — the default assumption is that notification is required.
Notification to the data subjects themselves (Article 34) has a higher threshold: notification is required when the breach is "likely to result in a high risk."
What the Notification Must Contain
Article 33(3) lists four mandatory elements:
- The nature of the breach, including categories and approximate numbers of data subjects and records affected
- The name and contact of the DPO or other contact point
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate adverse effects
Phased notification is explicitly permitted under Article 33(4): "Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay."
Which Authority to Notify
Under the one-stop-shop principle, notify your lead supervisory authority — the DPA of the Member State where you have your main EU establishment. If you have no EU establishment and operate under a representative (Article 27), notify the DPA of every Member State where affected data subjects reside, starting with the one where most of them are located.
The Operational Checklist
- Confirm personal data is implicated (not just business data)
- Timestamp the moment of "awareness" in the defensible record
- Engage the DPO or privacy counsel immediately
- Identify the lead supervisory authority and any other concerned authorities
- Scope: categories of data subjects, number of records, geographic distribution
- Assess risk to rights and freedoms (for Article 33)
- Assess "high risk" threshold (for Article 34 — notifying data subjects)
- Draft the notification — cover all four Article 33(3) elements
- Legal review and DPO sign-off
- File with supervisory authority within 72 hours
- Document the decision-making in the defensible record (Article 33(5) accountability)
- Plan follow-up phased submissions if information was incomplete
- If Article 34 is triggered, draft data subject communications in plain language
When Delay Beyond 72 Hours Is Permitted
Article 33 allows delay beyond 72 hours only where the notification is "accompanied by reasons for the delay." This is not a safe harbor — it is an admission that you missed the deadline and an invitation to explain. Supervisory authorities are generally forgiving of late notifications made in good faith, but late notifications without good reasoning have been the basis for substantial fines.
Fines and Enforcement
Failure to notify under Article 33 is subject to administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher (Article 83(4)(a)). Notification failures have been the basis for multiple eight-figure fines since 2019.
Manage the 72-hour clock with a defensible ledger
IR-OS gives you an Article 33(5)-compliant audit trail — every decision, timestamped and tamper-evident.