Deep-dive · Respond 5.2

The 72-hour clock

Engineers are usually the first to see the anomaly, so engineers usually start the clock. The catch is when it starts: not at the breach, but at the moment you are reasonably sure personal data was compromised. Scroll to run the clock.

The ruleThe clock starts at awareness with reasonable certainty, not at the breach. Notify the lead supervisory authority within 72 hours (phased if needed); tell affected individuals too when risk is high.
72hto notify the authority
!
Breach occurspublic S3, DELETE FROM users, a lost laptop
Awareness — the clock startsreasonable certainty data was compromised
33
Notify the supervisory authoritywithin 72h · Art. 33 · phased if needed
34
Tell individuals, if high riskwithout undue delay · Art. 34
Step 1 · what counts

A breach is broader than a hack

It is not only "a hacker stole the database." A misconfigured S3 bucket, an accidental DELETE FROM users with no backup, or a laptop of customer emails left in a taxi all count (Art. 4(12)).

Step 2 · not here

The clock does not start at the breach

It is 72 hours from awareness, not from the incident. The flip side: "we didn't look at the alert" is wilful blindness, and it does not reset the clock either.

Step 3 · the start line

Awareness starts the clock

You are aware once you have a reasonable degree of certainty that an incident led to personal data being compromised. In practice, the moment an engineer writes "looks like the DB was exfiltrated" in Slack is when the clock can be argued to start. A short investigation to reach certainty is allowed; stalling is not.

Step 4 · the deadline

Notify the authority within 72 hours

Notify your lead supervisory authority (Art. 33). If you do not have the full picture at hour 72, notify with what you have and supplement later; Art. 33(4) explicitly permits phased notification.

Step 5 · the contents

What the notification must contain

Art. 33(3): the nature of the breach with approximate numbers of subjects and records affected, the DPO contact point, the likely consequences, and the measures taken or proposed to mitigate.

Step 6 · tell the people

High risk means telling individuals too

When the breach is likely to result in high risk to individuals, communicate to them without undue delay (Art. 34). Exemptions: the data was strongly encrypted with keys intact, the risk was mitigated afterwards, or contacting everyone is disproportionate (use a public notice instead).

Step 7 · the judgement calls

The threshold, and one authority

You may skip notifying the authority only if the breach is unlikely to risk people's rights and freedoms, and you must document that assessment for every incident. For cross-border processing, notify your one lead authority, not all 27.