When does the GDPR 72-hour clock start?

Under GDPR Article 33, the 72-hour clock starts when the controller becomes aware of a personal-data breach, not when a full investigation is complete.

What if I do not have all the facts within 72 hours?

You can submit an initial notification with the information available and update the supervisory authority as the investigation progresses. Regulators expect structured, documented response rather than perfect information.

Who should lead breach decisions?

A pre-designated crisis team that is separate from the technical investigation team, using predefined severity tiers and a real-time evidence log to make notification and communication decisions.

GDPR · Incident Response

The 72-Hour Trap: Why Most Companies Fail GDPR Breach Response

Updated April 2026 · ~6 min read · For security leaders, DPOs, and incident commanders

The biggest mistake companies make after a cyberattack? They think 72 hours is enough time. It is not — at least not without preparation.

The reality of a breach timeline

Hour 0–24

You do not fully understand the attack yet.
Systems are unstable.
Teams are overwhelmed and pulled in four directions at once.

Hour 24–48

You are still gathering incomplete data.
Leadership wants answers faster than facts can be confirmed.
Legal and regulatory exposure is increasing by the hour.

Hour 48–72

By this point you are expected to:

notify the supervisory authority,
assess impact to data subjects,
justify your response with evidence.

Why most companies fail it

Because they try to:

investigate and respond simultaneously, using the same people,
make decisions without a pre-agreed framework,
avoid escalation for too long, hoping the problem contains itself.

What regulators actually expect (under GDPR)

You do not need perfect information. You need:

a documented risk assessment,
a justified notification decision,
a clear timeline of what was known, when.

The winning approach

1. Separate investigation from decision-making

The crisis team is not the technical team. Investigators dig into root cause; the crisis team uses whatever facts exist right now to make notification, communication, and recovery decisions.

2. Use predefined severity levels

Low / Medium / High impact tiers, each pre-linked to specific actions, roles, and escalation paths. When the incident hits, you classify and act — you do not design the playbook under fire.

3. Document everything in real time

Every decision. Every assumption. Every piece of information and the timestamp it arrived. This log is the evidence that will be read by regulators, insurers, and plaintiffs later.

Key insight

Speed beats perfection. Regulators reward structured response over delayed accuracy.

Bottom line

The 72-hour rule is not about time. It is about preparedness.

Pressure-test your 72-hour response