
Data Breach Notification

When the forensic team confirms exfiltration, the 72-hour GDPR notification clock begins. This guide breaks down exactly what DPOs, CISOs, and legal teams must do across the first 72 hours, from assessment and ICO notification to individual disclosure and breach documentation.

Xcademia Research Team
May 22, 2026
7 min read
What to Do in the First 72 Hours

At 11:47pm on a Wednesday, a security analyst in a retail organisation notices an anomaly in their customer database access logs. By 2am Thursday they have confirmed a breach. A significant volume of personal data has been exfiltrated. The 72-hour notification clock started at the moment of confirmation. 

What happens in the next 70 hours determines whether this organisation pays a fine that threatens its existence or handles a serious incident with the professionalism that regulators and affected individuals deserve. 

This guide covers what to do, in what order, and what not to do. It is written for the DPO, the CISO, and the legal counsel who are in the room when the breach is confirmed.

The 72-hour clock under UK GDPR and EU GDPR does not start at the moment of the breach. It starts at the moment the organisation "becomes aware" of a breach. What constitutes awareness is a legal determination that your DPO and legal counsel must make together. Getting this determination wrong in either direction has consequences: fix the moment of awareness too early and the clock runs before the facts are in; fix it too late and the regulator may treat the notification as overdue.

The Regulatory Framework: What the Law Actually Requires

The notification obligations vary by jurisdiction and sector. Understanding which obligations apply before the breach occurs is essential. When the breach is confirmed is too late to be learning the rules. 

UK GDPR (Post-Brexit) 

Under UK GDPR Article 33, where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the controller must notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where notification is not made within 72 hours, it must be accompanied by reasons for the delay. 

Not every breach triggers mandatory notification. The test is whether the breach is likely to result in risk to individuals. A breach involving encrypted data where the encryption keys were not compromised may not trigger the notification obligation. A breach involving unencrypted health data almost certainly will. 

EU GDPR (For organisations with EU operations) 

Article 33 of EU GDPR imposes the same 72-hour supervisory authority notification requirement. For organisations operating in multiple EU member states, the lead supervisory authority is determined by the location of the organisation's main establishment. Where a breach affects individuals in multiple member states, the one-stop-shop mechanism applies but cross-border notification coordination is required. 

Sector-specific requirements 

Financial services organisations regulated by the FCA are subject to additional notification requirements with different timeframes. Healthcare organisations in the UK are subject to Data Security and Protection Toolkit requirements alongside UK GDPR. Organisations subject to DORA (Digital Operational Resilience Act) for EU financial services face additional notification obligations. HIPAA-covered entities in the US have a 60-day notification requirement, but a breach affecting 500 or more individuals requires immediate notification to HHS. Know your sector-specific obligations before you need them.

If your organisation does not have a written breach notification procedure that identifies the applicable regulatory requirements, the notification thresholds, the responsible individuals, and the contact details for the relevant supervisory authority, you are not prepared for a breach. Discovering these details at 2am while the clock is running is an entirely avoidable failure. 

The 72-Hour Timeline: What Gets Done and When 

(A) Confirm and Assess: Hour 0-2

Confirm the breach is real and not a false positive. Preserve evidence immediately; do not modify affected systems before forensic preservation. Establish a preliminary scope assessment: what data is involved, how many individuals are affected, and which categories of personal data. Convene the crisis team: DPO, CISO, legal counsel, and senior management. Do not send any external communications until legal counsel is in the conversation.

(B) Containment Decision: Hour 2-6

Make the containment decision: isolate affected systems to stop ongoing exfiltration, or maintain monitoring to gather intelligence? This is an IR decision that intersects with the legal obligation to minimise harm to data subjects. Legal counsel and the CISO must agree on the approach. Begin the formal breach record: the UK GDPR Article 30(3) breach register entry must be completed regardless of whether supervisory authority notification is required.

(C) Legal Assessment: Hour 6-12

Legal counsel conducts the formal risk assessment: is this breach likely to result in a risk to the rights and freedoms of natural persons? This assessment determines whether the 72-hour notification obligation is triggered. The assessment considers: the nature and sensitivity of the data, the volume of individuals affected, the ease of identification, any special categories of personal data involved, and the likely consequences for data subjects. Document the assessment formally.

(D) Notification Decision and Draft: Hour 12-24

If notification is required: draft the ICO notification using the breach report form on the ICO website. The notification must include: the nature of the breach, the categories and approximate number of individuals affected, the categories and approximate number of personal data records, the contact details of the DPO, the likely consequences, and the measures taken or proposed. Submit the initial notification even if not all information is yet available: the ICO accepts incomplete initial notifications with a commitment to provide further information.

(E) Ongoing Investigation: Hour 24-48

Forensic investigation continues to establish the full scope of the breach. Identify all affected data subjects and assess the severity of risk to each. If the risk to individuals is assessed as "high", Article 34 of UK GDPR requires direct notification to affected individuals. Prepare individual notification communications if required. Continue documenting all decisions and actions in the breach record.

(F) Individual Notification Decision: Hour 48-72

If individual notification is required, communications must be in clear and plain language, identify the DPO contact, describe the likely consequences of the breach, and describe the measures taken to address it. For large volumes of affected individuals, consider whether public communication (press release, website notice) is appropriate alongside or instead of individual notification. Confirm that the ICO submission is complete and accurate.

The Mistakes That Organisations Make 

(A) Delaying the breach assessment to gather more information 

The 72-hour clock runs from awareness, not from full understanding of the breach. Waiting for a complete forensic picture before making the notification decision is a common and costly mistake. The ICO explicitly accepts incomplete initial notifications. An accurate incomplete notification submitted within 72 hours is far better than a complete notification submitted on day five. 

(B) Notifying before legal counsel is in the conversation 

Communications made before legal counsel is involved can create legal liability that did not exist before the communication. Every external communication from the moment of breach confirmation should be reviewed by legal counsel. This includes communications to affected individuals, press enquiries, regulatory submissions, and board briefings. 

(C) Treating "no personal data confirmed" as "no personal data involved" 

Early in a breach response, the forensic picture is incomplete. Absence of confirmed evidence of personal data access is not confirmation that personal data was not accessed. The breach assessment must be made on the basis of what could plausibly have been accessed, not only on what has been confirmed accessed. Regulators have taken enforcement action against organisations that delayed notification because "we couldn't confirm personal data was taken." 

(D) Inadequate breach records 

UK GDPR Article 30(3) requires all controllers to document personal data breaches, including those that do not trigger notification obligations. The documentation must contain facts, effects, and remedial action. Organisations that cannot produce a complete breach record when the ICO investigates are in a worse position than those that notified incorrectly but documented thoroughly.

The organisation that handles a breach well is the one that had a procedure, followed it, documented everything, notified promptly, and communicated clearly. Regulators consistently apply reduced penalties to organisations that demonstrate transparency and good faith. The ones that try to minimise, delay, or conceal consistently face the harshest outcomes. 

Build Data Protection and Breach Response Capability 

Xcademia's XPRI programme covers UK GDPR, breach notification obligations, data protection impact assessments, and incident response under data protection law. Five instructor-led days. Practitioner-assessed. Built for DPOs, GRC professionals, and legal teams who need operational data protection expertise. 
