GDPR requires notification of breach within 72 hours

October 17, 2018

Article 33 of the GDPR requires notification of a data breach to be made to the relevant supervisory authority within 72 hours of becoming aware of the breach.

Not every breach needs to be reported to the relevant EU privacy commissioner, though: if a breach involves only data that is not personally identifiable, that is, data whose exposure poses no risk of any kind to EU natural persons, then reporting in this way is not required.

Article 34 of the GDPR also requires the breach to be reported to all EU natural persons whose personal data has been compromised by the breach. To do this, the contact details of all affected EU natural persons must be accurate; keeping personal data accurate is itself a GDPR requirement, as set out in Article 5.


Appropriate data classification techniques create a significant advantage in the case where a breach needs to be reported:


"Not knowing the location of enterprise sensitive data hampers the ability to identify enterprise data at risk, thereby compromising the enterprise’s ability to design an effective cyber security strategy. Not knowing the location also hampers the ability of the enterprise to rapidly and properly respond to a data breach, which is an existing and emerging regulatory requirement in many jurisdictions and can result in significant fines and penalties."

Pearce, G. "Boosting Cyber Security With Data Governance and Enterprise Data Management". ISACA Journal, Vol. 3, 2017. Read the full peer-reviewed article at


Data governance tools exist that provide such functionality, and in large organizations there is probably little choice but to use them, given that the enterprise data asset is both very large and very dispersed.

©2018 by Canadian GDPR Compliance