How to report a data breach under the GDPR

The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will supersede all EU member states’ current national data protection laws, bringing a standardised approach to data protection throughout the EU.

One of the main changes under the GDPR is that all organisations must report a personal data breach to their supervisory authority within 72 hours, and in some cases to the individuals affected.

What is a personal data breach?

A personal data breach is a breach of security that leads to the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data. A breach is therefore more than just losing personal data: exposing it or changing it without authorisation counts too.

How to report a breach

A breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. Depending on the scale of the breach, it may be impossible to investigate it fully within that timeframe, so organisations will be allowed to provide the required information in phases, starting with what is known at the time of the initial notification.

What information should be included in a notification?

The information that should be included in a notification of a data breach is:

  • The nature of the personal data breach, including:
    • The categories and estimated number of individuals affected; and
    • The categories and estimated number of personal data records concerned.
  • The name and contact details of a point of contact from whom further information can be obtained, such as the data protection officer (DPO);
  • The likely consequences of the personal data breach; and
  • The measures taken, or proposed to be taken, to deal with the breach, including any measures taken to mitigate its adverse effects.

When do the individuals affected have to be notified?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, those affected must be notified directly.

This is a higher threshold than the one for notifying the supervisory authority: the authority must be told about the breach, but the individuals affected are notified directly only where the risk to them is high.

Learn more from our experts about the steps involved in reporting a data breach and how your organisation can put them in place to meet the deadline with our five-day Certified EU GDPR Foundation and Practitioner Combination Course, which is held in various European locations.
