
What are the GDPR data breach notification requirements?
The General Data Protection Regulation (GDPR) is the EU’s principal data privacy law that sets rigorous standards for safeguarding the personal data of EU residents. It also establishes strict protocols for what organizations must do in the event of a data breach.
Failure to meet GDPR’s breach notification requirements can result in substantial financial penalties and lasting reputational damage. In this article, we’ll break down the expected obligations, covering:
- Who must comply with breach notification rules
- What constitutes a breach under the GDPR
- What reporting obligations to expect—with best practices
Who must comply with the GDPR breach notification requirements?
Any organization that processes the personal data of EU residents must comply with the GDPR and its breach notification rules. This obligation applies regardless of the organization's location and size, as long as it provides services to EU residents or monitors their behavior.
Furthermore, the GDPR assigns compliance responsibilities based on the organization’s specific role:
- Controllers: Organizations that decide how and why personal data should be processed
- Processors: Organizations that handle, store, or process personal data on behalf of a controller, strictly following their instructions
If a controller experiences a breach, it must report the breach to the relevant supervisory authority and, where the risk to individuals warrants it, to the affected data subjects; a processor typically must notify the controller.
In rare situations, processors may be asked to assist with notifications. For example, if a SaaS vendor (the processor) hosts an HR system for another company and a vulnerability exposes the stored employee payroll data, the vendor should maintain up-to-date contact details and send out notifications as soon as possible. That said, the controller remains legally responsible for ensuring that notifications are timely, accurate, and compliant.
How does the GDPR define a breach?
According to Article 4 of the GDPR, a personal data breach is any security incident in an organization where the integrity, availability, or confidentiality of personal information is compromised. In practice, this can include:
- Integrity: The information was modified without authorization
- Confidentiality: The information was disclosed to unauthorized individuals
- Availability: The information was destroyed when it shouldn’t have been
Data breaches often occur due to routine process lapses rather than sophisticated cyberattacks. Common causes include human error (such as misdelivery of emails or improper configuration of permissions), weak IT hygiene and access controls, and failure to minimize data collection.
The intent behind the security incident is irrelevant; if personal data has been compromised, you must report it as per GDPR requirements. Still, not every security event qualifies as a breach, especially if the incident does not impact personal data.
How to report a data breach under the GDPR
Under Article 33 of the GDPR, once a controller becomes aware of a breach, it has 72 hours to report it to the relevant supervisory authority. If it doesn’t have the complete reporting information within that window, it may submit the notification in phases, provided all new updates are communicated without undue delay.
Before sending a notification to the relevant supervisory authority, the controller should conduct an assessment to determine the degree of risk the breach poses to data subjects. If the breach is unlikely to result in a risk to their rights and freedoms, notification is not required. If the risk is high, for example when health data, financial details, or login credentials are exposed, the controller will need to inform both the supervisory authority and the affected individuals.
A processor’s obligation is to notify the controller without undue delay after having become aware of a personal data breach, and then to assist the controller with the controller’s fulfillment of the above obligations.
The entire process here must be documented and referenceable. Under GDPR’s accountability principle, in-scope organizations must document all breaches (whether reported or not), their potential impact, and the actions taken to remediate them. These records serve as proof of compliance when undergoing GDPR audits or investigations.
Notifying the appropriate authority under the GDPR
The first step of a GDPR breach notification is selecting the appropriate supervisory authority to report to—in this case, the data protection authority (DPA). While the GDPR is overseen by the European Data Protection Board (EDPB), each Member State has its own DPA to enforce the regulation.
You must typically report to the DPA of the jurisdiction where your organization has its main establishment. This also applies to organizations operating globally.
When sending the notification, ensure that it has the required contents, including:
- A description of the nature of the data breach
- Categories and the approximate number of affected subjects
- Categories and the approximate number of compromised records
- Name and contact information of the data protection officer (DPO) or other contact point
- A description of the likely consequences of the breach
- Measures taken or proposed to address or contain the breach
Notifying the affected individuals of the privacy breach
You must notify the affected data subjects without undue delay if a breach poses a high risk to their rights and freedoms. When assessing risk levels or the damage potential of the incident, consider various possible outcomes, such as:
- Identity theft
- Fraud
- Distress
- Physical danger
Certain data types, such as medical, financial, and ethnic-origin information, pose an inherently higher risk to individuals and warrant a notification even without a complete assessment. The content of this notice should mirror the one you sent to the supervisory authority, but it must be written in plain language so that it is accessible to the recipients.
There are several cases where you may not need to notify the data subjects: for example, if the data was encrypted and is therefore unintelligible to anyone who obtained it, or if subsequent measures have neutralized the risk.
You may also omit direct notifications if they would take disproportionate effort. For instance, if a large number of individuals are affected, it may be more practical to issue a public statement, provided it is equally effective.
Best practices for efficient breach reporting under the GDPR
Because of the tight window for reporting and the potential reputational damage, you must be prepared to send out breach notifications promptly. However, many organizations encounter repeated challenges during the process.
Follow these best practices to be better prepared:
- Assign a DPO: Having a designated data privacy lead helps you centralize governance and coordinate faster response times.
- Maintain an up-to-date incident response plan: Design repeatable protocols to identify, respond to, and mitigate breaches, as well as handle reports. Run frequent simulations to ensure stakeholders understand their responsibilities in the plan.
- Implement continuous monitoring workflows: Move beyond point-in-time checks to real-time, continuous insights. The idea is to help you respond to incidents as soon as they happen, minimizing potential damage and reporting liabilities.
- Assess third-party risks: Regularly evaluate the potential risks that vendors introduce to processing operations. Update contracts and data processing agreements to clarify responsibilities and reporting obligations.
- Maintain thorough documentation for readiness: Maintain detailed records of processing activities (RoPAs), assessment findings, and incident reports to ensure you have evidence of timely breach responses during potential investigations.
Implementing these best practices can be a complex and resource-intensive process, especially when done manually. It’s riskier when you have multiple vendors or deal with large data volumes, which leaves you vulnerable to human errors and undetected process gaps.
You can streamline most of these workflows and ensure efficient, more organized processes by using an automated GDPR solution like Vanta.
Standardize and streamline your GDPR obligations with Vanta
Vanta is a leading trust management platform that streamlines up to 50% of GDPR compliance workloads. It leverages resources like built-in templates, automated workflows, and integrations to translate regulatory requirements into trackable tasks.
Your team will receive granular guidance at every step that not only reduces compliance efforts but also minimizes the risk of violations and costly fines. Here’s what to expect:
- Automated evidence collection powered by 400+ integrations
- Framework version manager for easy updates (to help keep your processes current)
- Real-time monitoring with instant report generation
- In-app policy editor with live customization
- GDPR-specific training modules
- Risk management for GDPR readiness
- A single dashboard for everything GDPR
If you’re pursuing or have achieved compliance with other relevant frameworks such as SOC 2 or ISO 27001, Vanta can cross-map existing controls to reduce redundancies and save valuable time and resources.
Schedule a custom demo to see firsthand how Vanta reduces the complexity of meeting your GDPR obligations.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.