GDPR · 5 min read · February 15, 2026

The 72-Hour Rule: How to Report a GDPR Data Breach Without Triggering Additional Penalties

By Dr. Viktor Hausmann

A data breach occurs on Friday evening. Under GDPR Article 33, your organisation has 72 hours from becoming aware of it to notify your supervisory authority, and those are calendar hours: weekends and public holidays count. A notification that arrives later must be accompanied by the reasons for the delay, and a missed deadline is itself a compliance failure that regulators weigh on top of the underlying incident. This guide covers the notification process, what regulators scrutinise most closely, and how to prepare your response capability before an incident occurs.

What Counts as a Data Breach?

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (Article 4(12)). This covers everything from a stolen laptop to a misconfigured database, and from a ransomware attack to an employee emailing the wrong file. Not every breach triggers a notification, however: if the breach is unlikely to result in a risk to the rights and freedoms of individuals, you do not have to notify the supervisory authority. You must still record it, together with its effects and the remedial action taken, in an internal breach register (Article 33(5)), because the authority can ask to see that register and will expect the risk assessment behind each decision not to notify.

The 72-Hour Timeline

The clock starts when the controller becomes "aware" of the breach. Regulatory guidance treats a controller as aware once it has a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised. A short initial investigation to establish whether that is the case is permitted, but it must be brief and cannot be used to defer the deadline. If a processor discovers the breach, it must notify the controller without undue delay (Article 33(2)); the controller's 72 hours then run from the moment it is informed. Having an incident response plan in place is critical because time spent working out your process during the incident is time lost from the 72 hours.

What to Report

Your notification to the DPA should include: the nature of the breach, the categories and approximate number of individuals and of personal data records affected, the contact details of your DPO or other point of contact, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects (Article 33(3)). You do not have to wait until every detail is known: where the information is not yet available, Article 33(4) allows you to provide it in phases, so file an initial notification within the deadline and follow up as the investigation progresses.

When to Notify Individuals

If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify them directly without undue delay (Article 34). The notification should be in clear, plain language and describe the nature of the breach, give the contact details of your DPO or point of contact, set out the likely consequences, and explain the measures you have taken or proposed, including specific advice on what the individuals can do to protect themselves. Individual notification is not required where the affected data was rendered unintelligible to unauthorised parties (for example, properly encrypted with keys that were not compromised), where subsequent measures mean the high risk is no longer likely to materialise, or where contacting each individual would involve disproportionate effort, in which case a public communication that is equally effective must be made instead.

Building Your Response Capability

Preparation is the difference between a controlled response and a regulatory crisis. Our assessment evaluates your breach readiness across detection, classification, notification, and recovery — and identifies gaps before an incident tests your procedures.

Ready to check your compliance?

Run our free GDPR & NIS2 readiness assessment and get personalized recommendations in minutes.
