Whitepaper on the NIS2 Law

Reporting a Data Breach Under GDPR: Step-by-Step Actions to Safely Handle the 72-Hour Window

The most important key takeaways at a glance:
- The clock starts upon awareness: The 72-hour window ticks mercilessly from the exact moment the company (any employee) learns of the incident – even on weekends.
- No general suspicion: Not every breach has to be reported to the authority. The decisive factor is the risk to the rights and freedoms of the affected individuals.
- Courage to leave gaps: According to the GDPR, incomplete information may be submitted in phases. Meeting the deadline has the highest priority.
- Mind the NIS2 interface: For companies falling under regulations such as NIS2, significantly shorter parallel reporting deadlines (e.g., 24 hours) often apply to IT security incidents.
A single wrong click or a cyberattack is all it takes, and suddenly the company is under immense pressure. When sensitive data is compromised, the clock is ticking. The GDPR leaves little leeway for data controllers in a crisis and demands swift, error-free action. Anyone who acts without a structured approach now risks not only reputational damage but also hefty fines, especially since new regulations like the NIS2 Directive in 2026 will further increase the pressure on IT security. This practical guide shows you, step by step, how to systematically contain a data breach, assess the risk, and confidently meet the critical 72-hour deadline. To ensure your company remains capable of taking action in an emergency, we’ll first clarify the most important fundamentals.
What is meant by a data breach under GDPR?
A data breach (referred to in the legal text as a personal data breach) is any type of security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Typical examples from everyday business include:
- Cyberattacks & Ransomware: Encryption or exfiltration of customer data by cybercriminals.
- The classic email blunder: Accidentally sending Excel sheets containing salary or customer data to the wrong recipient.
- Hardware loss: Leaving a company laptop on the train or losing an unencrypted USB flash drive.
- Internal missteps: Unauthorized access by employees to personnel files without a legitimate reason.
- Technical glitches: Misconfigurations of cloud storage (e.g., AWS or Azure), leaving databases exposed openly on the internet.
A data breach does not automatically trigger a mandatory report. The deciding factor is always whether the incident creates a risk to the rights and freedoms of the affected individuals.
Reporting obligations under Art. 33 and 34 GDPR – An overview
The legal foundation for crisis management in data protection rests on two central pillars:
- Art. 33 GDPR (Notification to the supervisory authority): Regulates the obligation to report a personal data breach to the competent data protection supervisory authority without undue delay – and, where feasible, not later than 72 hours after having become aware of it. This applies whenever the incident poses a risk to the affected individuals.
- Art. 34 GDPR (Communication to the data subject): Describes when you must directly inform the affected individuals (customers, employees, users). This is mandatory if the breach is likely to result in a high risk (e.g., imminent identity theft or financial loss) to their rights and freedoms.
Crucial for the start of the deadline: The 72-hour window begins at the exact moment the data breach becomes known within the company – meaning as soon as the first employee recognizes the incident as such.
The first hours after discovery: The 5-step workflow
Whenever a potential data breach is on the table, a structured approach makes the difference between a heavy fine and successful damage control. Proceed chronologically:
- Immediate recording of the incident: Document the relevant facts (What happened? When was it noticed? Which categories of data are affected?).
- Internal alerting: Forward the issue immediately to the responsible unit within the company (Data Protection Officer, IT Management, Executive Board).
- Technical containment: Initiate emergency measures without delay (e.g., disconnect affected servers from the network, block compromised user accounts, secure backups).
- Initial risk assessment: Conduct a first collaborative evaluation by IT and data protection to determine if there is a risk to the rights of the affected individuals.
- Communication & deadline check: Define the next steps and prepare the report for the authority to ensure compliance with the 72-hour window.
Assessing the data breach: When does it have to be reported?
The risk assessment is the legal sticking point. If you mistakenly evaluate the risk as "non-existent" and conceal the breach, you face severe fines.
To conduct a proper risk assessment, you must analyze the following factors:
- Nature and sensitivity of the data: Are we dealing with mere postal addresses or highly sensitive details like health data, passwords, credit card, or bank account information?
- Extent of damage: How likely and how severe are the potential consequences for the individuals (e.g., phishing waves, identity theft, professional loss of reputation)?
- Circle of recipients: Is the data in the hands of known, trustworthy third parties (e.g., mistakenly emailed to a long-term partner who guarantees its deletion), or has it been placed on the darknet by cybercriminals?
- Effectiveness of protective measures: Was the data so strongly encrypted (e.g., AES-256) that it is technically completely unreadable to unauthorized third parties? If so, and provided the encryption key itself was not compromised in the same incident, there is usually no risk.
Practical tip: The line between a "normal" and a "high" risk is fluid and can hardly be assessed with legal certainty by laypersons in an emergency. If a wrong decision is made here, managing directors can be held personally liable. In order not to lose time during the critical 72-hour window, smart companies utilize digital compliance platforms like heyData. With an external Data Protection Officer by your side, the risk assessment can be professionalized immediately, ensuring you make the right choice in an emergency and file the report in a legally compliant manner.
Documentation and reporting of the data protection violation
Regardless of whether a data breach ultimately turns out to be reportable or not: According to Art. 33(5) GDPR, a strict internal documentation obligation applies to every single personal data breach. In the event of an official audit by the authorities, you must be able to present this "record of sins" seamlessly.
The documentation must strictly include:
- The exact facts of the incident and its effects.
- The affected categories of data and the number of individuals concerned.
- The remedial measures taken to mitigate damage.
- The justification for why the incident was reported, or conversely, why it was not reported.
The official notification to the competent state data protection authority is generally carried out via the online reporting portals of the respective state authority (depending on the federal state in which the company's registered office is located).
Communication with affected individuals: When is notification necessary?
If the risk assessment reveals a high risk for the affected individuals, Art. 34 GDPR comes into play. You must inform the data subjects without undue delay and in clear, plain language.
The notification to the affected individuals must include the following elements:
- A clear description of the nature of the personal data breach.
- The contact details of the Data Protection Officer for further inquiries.
- The likely consequences of the incident for the individual.
- Concrete recommendations for action: What can the affected individuals do to protect themselves (e.g., change passwords, check bank statements, remain vigilant regarding suspicious calls)?
Helpful tools, checklists, and templates
A structured process prevents errors under time pressure. The following instruments should be kept ready to hand in your data protection manual:
- Data breach checklist: A clear protocol initiated by the IT department upon the very first suspicion.
- Sample notification letters: Prepared text templates for communication with the affected individuals, ensuring no time is lost wording things in an emergency.
- The internal data protection incident log: A standardized template to fulfill the statutory documentation requirements.
- Cyber incident response platforms: Software-supported workflows that automatically manage the notification chain within the company.
Preparation through training and processes: How to avoid chaos
In the year 2026, stricter European IT security laws such as NIS2 (for critical and important sectors) or DORA (for the financial market) apply alongside the GDPR. These often require parallel initial reports to the BSI within just 24 hours in the event of IT security incidents.
You can only prevent chaos in an emergency through proactive preparation:
- Regular employee awareness: Most data breaches happen due to the human factor (phishing, misdirected mail). Continuous training is the best prevention.
- Clear reporting cascades: Every employee must know: Who do I contact if I suspect that data has leaked?
- Tabletop simulations: Run through an emergency scenario (e.g., a ransomware attack on a Friday afternoon) as a simulation involving IT management, the Data Protection Officer, and executive leadership.
Conclusion
Reporting a data breach under GDPR within the deadline is a complex process under time pressure, but it is absolutely manageable with the right preparation. Closing the technical security gap, the legal risk assessment, and formal documentation must go hand in hand. Those who establish clear responsibilities, utilize prepared checklists, and rely on professional, technology-backed support can transform a potential existential crisis into a cleanly managed compliance process.
FAQ
What happens if I discover a data breach only after 100 hours?
The GDPR's 72-hour window only begins upon actual discovery ("gaining knowledge"). As soon as you or an employee in the company knows beyond doubt that a breach has occurred, the clock starts ticking. The time span between the actual incident and its discovery is not legally held against you as a missed deadline – unless the company acted with gross negligence by failing to monitor its IT systems.
Do Saturdays and Sundays count toward the 72-hour deadline?
Yes. The GDPR does not distinguish between working days, public holidays, and weekends. The 72 hours run strictly according to the calendar. If you discover a breach on a Friday afternoon, the report must be submitted to the authority by Monday afternoon at the latest. An emergency workflow for the weekend is therefore mandatory for every company.
Do I have to submit the report to the authority completely all at once?
No. If all details have not yet been clarified shortly after the incident, Art. 33(4) GDPR explicitly allows for a phased report (reporting in phases). It is crucial that you submit the core facts within the 72 hours and indicate that you will provide further information as soon as IT forensics yield new insights.
Can I avoid a fine if I report the breach voluntarily?
Self-reporting does not offer absolute protection against fines, but it is viewed extremely positively by data protection authorities and acts as a strong mitigating factor. Conversely, intentionally concealing or delaying the report of a demonstrably reportable data breach almost always leads to drastically higher sanctions and reputational damage.
Who bears the ultimate responsibility for the report within the company?
The ultimate legal responsibility rests non-transferably with the executive management (the legal representative of the data controller). The Data Protection Officer serves in an advisory and supportive role, but cannot solely make the strategic and liability-relevant decision regarding whether to report.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.