AuditFront

Data Breach Notification

The legal obligation to report personal data breaches to supervisory authorities and, in cases of high risk, to affected individuals within mandated timeframes. GDPR requires notification to authorities within 72 hours of becoming aware of a qualifying breach.

Data breach notification obligations are central to modern data protection law. Under GDPR Articles 33 and 34, data controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk, the controller must also communicate the breach directly to affected individuals without undue delay. The notification must include the nature of the breach, categories and approximate number of individuals affected, contact details of the Data Protection Officer, likely consequences, and measures taken or proposed to address the breach.

NIS2 extends breach notification requirements to essential and important entities, mandating early warning within 24 hours, incident notification within 72 hours, and a final report within one month. SOC 2 engagements evaluate whether organizations have incident response and notification procedures in place as part of their security and availability criteria. ISO 27001 Annex A control A.5.24 specifically addresses information security incident management planning and preparation, including communication procedures. In technology due diligence, assessors review breach notification readiness as a key indicator of security operations maturity.

Preparing for effective breach notification requires advance planning rather than ad hoc response. Organizations should establish a breach response team with clear roles and responsibilities, create notification templates that can be quickly customized, define criteria for assessing whether a breach meets the notification threshold, maintain up-to-date contact information for relevant supervisory authorities, and practice the notification process through tabletop exercises. Data processors have their own obligation to notify the controller without undue delay upon discovering a breach, which should be clearly addressed in data processing agreements. Maintaining a breach register that documents all incidents — including those that do not meet the notification threshold — demonstrates accountability and helps identify systemic issues that need to be addressed.
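To make the timelines above concrete, here is an added example (not AuditFront's code) of a minimal breach register entry that derives every required notification and its deadline from the moment the controller became aware; the record fields, the three risk categories, the notification names and the "BR-2024-007" reference format are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    """Outcome of the controller's risk assessment for the breach."""
    UNLIKELY = "unlikely to result in a risk"  # register entry only, no notification
    RISK = "risk to rights and freedoms"       # notify the supervisory authority (Art. 33)
    HIGH = "high risk"                         # also communicate to affected individuals (Art. 34)


@dataclass
class BreachRecord:
    """One breach register entry; every incident is recorded, notifiable or not."""
    ref: str                    # constructed internal reference, e.g. "BR-2024-007"
    aware_at: datetime          # when the controller became aware; this starts the clocks
    risk: Risk
    nis2_entity: bool = False   # True for an essential/important entity under NIS2
    summary: str = ""


def _plus_one_month(dt: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 29 Feb in 2024)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def required_notifications(rec: BreachRecord) -> dict:
    """Map each notification the record triggers to its deadline (None = no fixed hours)."""
    due = {}
    if rec.risk is not Risk.UNLIKELY:
        due["gdpr_supervisory_authority"] = rec.aware_at + timedelta(hours=72)
    if rec.risk is Risk.HIGH:
        due["gdpr_affected_individuals"] = None  # "without undue delay": track manually
    if rec.nis2_entity:
        due["nis2_early_warning"] = rec.aware_at + timedelta(hours=24)
        due["nis2_incident_notification"] = rec.aware_at + timedelta(hours=72)
        due["nis2_final_report"] = _plus_one_month(rec.aware_at)
    return due


def overdue(rec: BreachRecord, sent: set, now: datetime) -> list:
    """Names of fixed-deadline notifications that are past due and not yet sent."""
    due = required_notifications(rec)
    return sorted(k for k, d in due.items() if d is not None and k not in sent and now > d)
```

A record assessed as unlikely to result in a risk yields no notifications but still stays in the register, which is the accountability point made above.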
