GRC Answer

What is the GDPR 72-hour breach notification rule?

Under GDPR Article 33, a controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it — unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the controller must also notify affected data subjects under Article 34. The clock starts at awareness, not at the conclusion of the investigation; Article 33(4) permits phased notification as facts emerge. Every breach must be documented under Article 33(5) whether or not it meets the notification threshold.