
GDPR breach notification requires organizations to report qualifying personal data breaches to supervisory authorities within 72 hours of becoming aware of them and to notify affected individuals when the breach poses a high risk, following a standardized template now adopted across the European Union. For small and mid-sized businesses handling EU customer data, understanding these requirements is not optional. Miss the 72-hour window or submit incomplete information, and you risk fines that can reach €20 million or 4% of global annual revenue, whichever is higher.
The European Data Protection Board recently adopted a common template that makes compliance clearer but does not make it easier. You still need to know what constitutes a reportable breach, what information to gather in the chaos following an incident, and how to document your decision if you choose not to report. This article walks you through the practical steps SMBs need to take, grounded in the new unified framework.
What counts as a reportable breach under GDPR?
A personal data breach, as GDPR defines it, is a security incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. That definition is broad. A lost laptop with unencrypted customer files qualifies. An employee accidentally emailing a spreadsheet of client contact information to the wrong recipient qualifies. A ransomware attack that locks down your customer database qualifies.
The threshold for reporting is not severity alone. It is whether the breach creates a risk to the rights and freedoms of individuals. A stolen backup tape with encrypted data might not trigger notification if the encryption renders the data unusable to whoever holds the tape, which assumes the decryption key was not exposed along with it. The same tape without encryption almost certainly does. You need to assess each incident, document your reasoning, and be prepared to defend your decision during an audit.
Many SMBs mistakenly assume that if they recover quickly or if no data was visibly stolen, they can skip notification. That assumption is dangerous. GDPR’s language focuses on the potential for harm, not just confirmed damage. If unauthorized access occurred, even if you cannot prove data was copied, you may still need to report.
How do you meet the 72-hour GDPR breach notification deadline?
The 72-hour clock starts when you become aware of the breach, not when it occurred. Awareness means the moment your team has a reasonable degree of certainty that a personal data breach happened. Discovering unusual server activity is not awareness. Confirming that an attacker accessed customer records is.
Meeting the deadline requires preparation before an incident occurs. You need an incident response plan that assigns roles, establishes communication paths to your supervisory authority, and pre-populates as much of the breach notification template as possible with static details like your organization’s contact information and data protection officer.
If you cannot submit a complete notification within 72 hours, GDPR allows you to provide information in phases. Submit what you know initially, then follow up with additional details as your investigation progresses. The key is to acknowledge the breach and demonstrate you are taking it seriously. Silence is not an option, and retroactive notification after the deadline has passed will be noted during any enforcement review; where notification is made after the 72 hours, Article 33 requires it to be accompanied by the reasons for the delay.
For SMBs without dedicated compliance staff, this is where regulatory exposure becomes real. You cannot pause the clock while you figure out what to do. You need external support or documented processes ready to execute the moment an incident is confirmed.
What information must you include in the GDPR breach notification?
The European Data Protection Board’s common template standardizes the content supervisory authorities expect. You must describe the nature of the breach, including the categories and approximate number of individuals affected and the categories and approximate number of personal data records involved. If you processed health information for 500 patients and an attacker accessed names, birthdates, and diagnosis codes, you report those specifics.
You must identify the contact point for more information, typically your data protection officer or a designated compliance lead. You describe the likely consequences of the breach. If credit card numbers were exposed, the consequence is financial fraud risk. If employee Social Security numbers leaked, the consequence is identity theft risk.
Finally, you outline the measures you have taken or propose to take to address the breach and mitigate harm. This includes technical remediation like patching vulnerabilities, organizational steps like resetting passwords, and support offered to affected individuals like credit monitoring. Vague statements will not suffice. Supervisory authorities want concrete actions and timelines.
The new template does not reduce the work. It clarifies what incomplete looks like. If you cannot answer a field, you need to explain why and when you will provide the missing information. For SMBs, this means your breach response cannot be improvised. You need a checklist, you need access to system logs, and you need someone who can translate technical findings into regulatory language.
Do you need to notify affected individuals directly, or only the authority?
GDPR distinguishes between notification to the supervisory authority and communication to affected individuals. You always notify the authority if the breach meets the risk threshold. You notify individuals only if the breach is likely to result in a high risk to their rights and freedoms.
High risk typically means potential for identity theft, financial loss, discrimination, reputational damage, or other significant harm. If an attacker stole a database of customer Social Security numbers and addresses, that is high risk. If an internal employee accidentally viewed a file they should not have accessed but no data left your systems, that may not be.
When you do notify individuals, the communication must be in clear and plain language. You explain what happened, what data was involved, what the consequences might be, and what steps you are taking. You also explain what individuals can do to protect themselves. A letter written in compliance jargon will not satisfy the requirement.
Timing matters. Individual notification should happen without undue delay, and in many cases concurrently with or shortly after authority notification. Delaying individual notification to avoid bad press or customer churn is not defensible and will increase penalties if regulators investigate.
For professional services firms holding sensitive client data, this dual notification requirement means you are managing both regulatory and client relationship consequences at the same time. Your response plan needs to account for both.
What happens if you fail to report a GDPR breach on time?
Failure to notify within 72 hours, or failure to notify at all, is a separate violation from the breach itself. GDPR Article 33 violations can result in fines up to €10 million or 2% of global annual revenue. If the breach itself involved inadequate security measures, you face additional fines under Article 32, which can reach the higher €20 million or 4% threshold.
Regulators consider intent and negligence. If you discovered a breach, assessed it, and made a good-faith but incorrect decision not to report, that is viewed more favorably than ignoring the incident entirely. But good faith requires documentation. You need to record what you knew, when you knew it, and why you concluded notification was not required.
Real-world enforcement shows that supervisory authorities treat notification failures seriously, especially when delays suggest an attempt to hide the incident. A German company fined €195,000 in 2023 for failing to report a breach within the deadline argued that operational challenges had caused the delay. The authority noted that operational difficulties do not suspend legal obligations.
For SMBs, the risk is not just the fine. Late or incomplete notification undermines trust with customers, partners, and regulators. If your business depends on demonstrating data stewardship to win contracts, a public enforcement action can cost more than the penalty itself.
How should SMBs prepare for GDPR breach notification before an incident occurs?
Preparation is the difference between controlled compliance and crisis. Start by mapping what personal data you hold, where it lives, who can access it, and what regulations apply. If you process EU resident data, GDPR breach notification applies even if your headquarters is elsewhere.
Draft an incident response plan that includes decision trees. If X happens, assess Y factors, then notify Z parties. Assign roles. Who investigates? Who communicates with the supervisory authority? Who drafts the individual notification? Do not assume your IT team knows compliance requirements or that your compliance team understands technical incident details. Cross-train or retain external expertise.
Pre-register with your supervisory authority if your jurisdiction requires it, and confirm the notification method they prefer. Some accept an online portal submission. Others require email to a specific address. Finding this out at hour 70 of your 72-hour window is not ideal.
Document every security incident, even those that do not rise to the level of GDPR breach notification. Regulators will ask during audits why you did or did not report specific events. A log that shows you assessed each incident and applied consistent criteria protects you. A gap in your records does the opposite.
Finally, test your plan. Run a tabletop exercise where you simulate a breach and walk through each step of your notification process. Time it. Identify gaps. Revise. The goal is not perfection but readiness. When a real breach occurs, you will be managing technical remediation, business continuity, customer communication, and regulatory reporting simultaneously. Anything you can automate or pre-decide reduces errors and missed deadlines.
Organizations looking to strengthen their overall compliance posture can explore solutions that integrate compliance and security so breach response is not isolated from daily operations.
Does the new common template change GDPR breach notification requirements?
The European Data Protection Board’s common template does not change the underlying legal requirements. The 72-hour deadline remains. The criteria for what constitutes a reportable breach remain. The penalties remain. What changed is standardization across member states.
Previously, each supervisory authority could request breach notifications in slightly different formats or request different levels of detail. The common template creates a single structure, making it easier for organizations operating in multiple EU countries to manage reporting. You fill out one template and submit it to the relevant authority, rather than navigating 27 different formats.
For SMBs, this is a modest administrative improvement but not a reduction in burden. You still need to gather the same information, make the same risk assessments, and meet the same deadlines. The template simply makes it clearer what complete looks like.
Adopting the template is not optional. Supervisory authorities will expect submissions to follow the common format once it is in effect in their jurisdiction. Check with your specific supervisory authority for the rollout timeline and submission process.
What are the most common GDPR breach notification mistakes SMBs make?
The most common mistake is delay. SMBs often spend too long investigating before notifying, either because they want complete information or because they hope the breach will turn out to be less serious than it appears. GDPR expects you to notify based on what you know, then update as you learn more. Waiting for certainty burns your 72-hour window.
The second mistake is under-reporting severity. Downplaying the number of affected individuals, the sensitivity of the data, or the likelihood of harm makes your notification look incomplete or misleading. If the authority investigates and finds the breach was worse than you reported, your credibility is gone and penalties increase.
The third mistake is failing to document why you did not report an incident. Not every security event is a reportable breach, but you need a record of your decision process. If an auditor asks why you did not report a server compromise in March, you need to show that you assessed it, concluded the data was encrypted and inaccessible, and documented that reasoning at the time.
The fourth mistake is assuming cyber insurance or a managed service provider will handle notification for you. Insurance may cover costs, and an MSP may help investigate, but the legal obligation to notify rests with you as the data controller. You can delegate tasks but not accountability.
Finally, SMBs often neglect individual notification. They report to the authority but fail to communicate with affected individuals when required, either because they fear reputation damage or because they misunderstand the high-risk threshold. Both the authority notification and individual communication are legally required when criteria are met. Skipping one does not reduce your obligation for the other.
Sources
Source: EDPB Moves Toward a Common GDPR Breach Notification Template – Security Boulevard