GDPR Article 33: Notify Supervisory Authorities of Data Breaches Within 72 Hours
A data breach discovered today must be reported to your supervisory authority by tomorrow—or you'll need to document why. GDPR Article 33 sets a strict 72-hour notification window that applies to controllers and their processors alike. Missing this deadline without justification creates regulatory risk and potential fines.
What this means
GDPR Article 33 mandates that when a personal data breach occurs, your organization must notify the competent supervisory authority without undue delay, and where feasible, within 72 hours of first becoming aware of the breach. If notification cannot be completed within 72 hours, you must document the specific reasons for the delay. Data processors have a separate obligation to notify their controllers immediately upon discovering a breach, enabling controllers to meet their own 72-hour deadline. This requirement applies regardless of breach severity, making early detection and rapid response critical compliance activities.
How to comply
- 1.Establish a data breach detection and response procedure that identifies breaches within hours, not days
- 2.Document the exact moment your organization became aware of the breach to establish the 72-hour clock
- 3.Collect breach details including affected data types, number of individuals impacted, and likely consequences
- 4.Identify your competent supervisory authority based on your organization's location and data subjects' residence
- 5.Submit breach notification to the supervisory authority through their designated channel before 72 hours elapse
- 6.If 72-hour notification is impossible, document detailed reasons for the delay in a contemporaneous record
- 7.Ensure data processors notify your organization of breaches immediately upon discovery so you can meet the controller deadline
- 8.Maintain a breach notification log including dates notified, authorities contacted, and documentation of any delays
Evidence auditors look for
- Breach detection log showing timestamp when breach was first identified
- Internal breach assessment report completed within 24 hours of discovery
- Supervisory authority notification email with timestamp showing submission within 72 hours
- Documentation of reasons for delay if notification exceeds 72 hours, including investigation scope and complexity factors
- Data processor breach notification message to controller with timestamp proving immediate notification
- Breach registry or incident management system records showing notification workflow and approvals
- Communication from supervisory authority acknowledging receipt of breach notification
- Incident response plan defining breach discovery escalation and authority notification procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates breach detection logging and supervisory authority notification tracking, eliminating manual date calculations and ensuring you never miss the 72-hour deadline with built-in reminders and compliance evidence capture.
See how GRCWatch handles this control automatically
Start free trial