How to report a data breach to your supervisory authority

Under the GDPR (General Data Protection Regulation), organisations must report certain types of data breach to their supervisory authority within 72 hours of becoming aware of it.

This requirement can be relatively straightforward if you are suitably prepared. The first thing you’ll need to determine after a breach is whether the incident meets the GDPR’s criteria for reporting – i.e. does it pose a threat to the rights and freedoms of data subjects? This includes things such as identity theft or fraud.

You can find this out, and gather the necessary information for your notification, by following these six steps:


1. Situational analysis

You must give your supervisory authority as much information as you can about the context of the breach. This should include when the breach occurred, when and how you discovered it, who or what was to blame and the effects that it had on your organisation.


2. Assess the data affected

What categories of personal data are involved, and how many records have been breached?


3. Describe the incident

What are the consequences of the breach for affected data subjects? For example, if financial records are stolen, you should state that crooks might use individuals’ information to make fraudulent purchases.


4. Preventive measures and actions

Describe the actions you took, or propose to take, as a result of the breach. You should also state whether you have informed the data subjects of the breach and whether you have told or are planning to tell any other organisation.

If the breach was the result of human error, you must state whether the employee(s) responsible had received data protection training in the last two years.


5. Oversight

You should include the contact details of your DPO (data protection officer) or whoever is responsible for data protection in your organisation. You should also provide your organisation’s registered address.


Who is your supervisory authority?

Each member state has its own supervisory authority:

Austria: Österreichische Datenschutzbehörde
Belgium: Commission de la protection de la vie privée
Bulgaria: Commission for Personal Data Protection
Croatia: Croatian Personal Data Protection Agency
Cyprus: Commissioner for Personal Data Protection
Czech Republic: The Office for Personal Data Protection
Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Finland: Office of the Data Protection Ombudsman
France: CNIL (Commission Nationale de l’Informatique et des Libertés)
Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Greece: Hellenic Data Protection Authority
Hungary: National Authority for Data Protection and Freedom of Information
Republic of Ireland: Data Protection Commissioner
Italy: Garante per la protezione dei dati personali
Latvia: Data State Inspectorate
Lithuania: State Data Protection
Luxembourg: Commission Nationale pour la Protection des Données
Malta: Office of the Data Protection Commissioner
Netherlands: Autoriteit Persoonsgegevens
Poland: GIODO (The Bureau of the Inspector General for the Protection of Personal Data)
Portugal: CNPD (Comissão Nacional de Protecção de Dados)
Romania: The National Supervisory Authority for Personal Data Processing
Slovakia: Office for Personal Data Protection of the Slovak Republic
Slovenia: Information Commissioner
Spain: Agencia de Protección de Datos
United Kingdom: The ICO (Information Commissioner’s Office)


The Data Breach Survival Guide

You can find out more about how to prepare for data breaches by reading our new guide, The Data Breach Survival Guide.

This free green paper provides in-depth advice for each step, and explains how you can reduce the risk of information security incidents.

Download now >>
