Data Breach Response
Learn why covering up accidental disclosures leads to fines up to 10 million euros, how to file an incident report that protects your organization, and what information the supervisory authority actually needs. Master the difference between breaches that require notification and those that only need internal documentation.
What You'll Learn
- Recognize common cybersecurity threats
- Respond appropriately to security incidents
- Protect sensitive information
- Follow security best practices
- Report suspicious activities
Training Steps
- Introduction: Welcome to DataGuard Solutions, a SaaS company that handles customer data for enterprise clients. You are Alice, a Customer Service Representative responsible for managing vendor integrations and data exports. Today's training will teach you about GDPR data breach notification requirements - one of the most critical compliance obligations any organization handling personal data must understand.
- Routine Data Export: Alice is preparing a routine customer data export for VendorPartner Inc., a legitimate third-party integration partner. The spreadsheet contains 847 customer records including names, email addresses, phone numbers, and mailing addresses. This is a standard weekly task that Alice has done dozens of times before. She opens her email client to send the file to John Smith at VendorPartner.
- The Mistake: Alice finishes typing the email and hits send. A few seconds later, she glances at the 'Sent' folder and notices something wrong. The email was sent to john.smith847@gmail.com instead of the correct address, john.smith@vendorpartner.com - the autocomplete suggested a similar-looking personal Gmail address, and Alice clicked it without checking carefully. 847 customer records are now in the hands of an unknown person.
- The Critical Decision: Alice's heart sinks. Her first instinct is to hope nobody notices - maybe the recipient will just delete it? Maybe she can pretend it never happened? But Alice remembers her GDPR training. A data breach includes 'accidental or unlawful disclosure of personal data.' Sending customer records to the wrong email address clearly qualifies. Under Article 33 of GDPR, her company has exactly 72 hours from becoming 'aware' of the breach to notify the supervisory authority. The clock starts now - not when the investigation finishes.
- Accessing the Incident Portal: Alice decides to do the right thing and report the incident immediately. She opens the company's internal incident reporting system. DataGuard Solutions has a dedicated breach reporting portal that connects directly to the Data Protection Officer (DPO) and the incident response team.
- Filing the Breach Report: Alice fills out the incident report form with complete details about the misdirected email. Being thorough and honest is essential - the DPO needs accurate information to assess the breach severity and determine notification requirements.
- DPO Response: Within minutes of submitting the report, Alice receives a call from Dr. Sarah Chen, the company's Data Protection Officer. Dr. Chen thanks Alice for reporting immediately and explains how the breach assessment process works under GDPR.
- Understanding the 72-Hour Rule: Dr. Chen explains the key GDPR requirements:
  - Article 33: Controllers must notify the supervisory authority within 72 hours of becoming 'aware' of a breach.
  - The clock started when Alice realized the email went to the wrong address - not when the investigation finishes.
  - Weekends and holidays do not extend the deadline.
  - Failure to notify can result in fines up to 10 million euros or 2% of global annual revenue.
  The DPO will now assess whether this breach is 'likely to result in a risk to the rights and freedoms of natural persons' - if so, notification to the authority is mandatory.
- Containment Actions: The incident response team has begun containment actions:
  - Email recall attempted through the mail server
  - IT Security is analyzing server logs
  - Legal team has been notified
  - The unknown Gmail recipient has been contacted requesting deletion
  Dr. Chen explains that even with containment efforts, the breach must still be documented and potentially reported. The key question is whether the breach poses a risk to the affected individuals.
- Documenting the Incident: Even if notification to the supervisory authority is not required, GDPR mandates that all breaches must be documented internally. Alice is asked to provide additional documentation about the incident, including the exact timeline and any evidence she has.
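The misdirected export in the scenario above was caught only after sending. One preventive control is a pre-send recipient check for personal-data exports that rejects addresses outside the approved vendor domain and flags freemail lookalikes of a known contact. This is an added example, not DataGuard's or the training's own code; the allowlist and freemail list are constructed sample data.

```python
import re
from collections import namedtuple

# Constructed sample allowlist based on the training scenario (not a real
# DataGuard configuration): approved vendor domains and the contacts at each.
APPROVED_VENDOR_DOMAINS = {"vendorpartner.com": {"john.smith"}}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

RecipientCheck = namedtuple("RecipientCheck", "address allowed reasons")

def split_address(address):
    """Return (local_part, domain), lower-cased; reject malformed input."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    return local, domain

def lookalike_of(local, approved_locals):
    """Return the approved contact this local part imitates once digits and
    separators are ignored ('john.smith847' -> 'john.smith'), else None."""
    core = re.sub(r"[^a-z]", "", local)
    for candidate in approved_locals:
        if core == re.sub(r"[^a-z]", "", candidate):
            return candidate
    return None

def check_export_recipients(recipients):
    """Validate every recipient of a personal-data export before sending.
    Each address gets a RecipientCheck; any non-empty reasons block the send."""
    known_contacts = set().union(*APPROVED_VENDOR_DOMAINS.values())
    results = []
    for address in recipients:
        local, domain = split_address(address)
        reasons = []
        if domain not in APPROVED_VENDOR_DOMAINS:
            reasons.append(f"{domain} is not an approved vendor domain")
            if domain in FREEMAIL_DOMAINS:
                reasons.append("personal freemail address")
            twin = lookalike_of(local, known_contacts)
            if twin:
                reasons.append(f"local part imitates approved contact {twin!r}")
        elif local not in APPROVED_VENDOR_DOMAINS[domain]:
            reasons.append(f"{local} is not a registered contact at {domain}")
        results.append(RecipientCheck(address, not reasons, reasons))
    return results

def export_may_be_sent(recipients):
    """True only when every recipient passed; otherwise hold the export."""
    return all(check.allowed for check in check_export_recipients(recipients))
```

In the scenario's case the check returns three reasons for john.smith847@gmail.com (unapproved domain, freemail, lookalike of john.smith) and the export is held for review rather than sent.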
Knowledge Check Questions
This training includes a 6-question quiz to test your understanding of security awareness threats and defenses.
- Under GDPR Article 33, how long does an organization have to notify the supervisory authority of a data breach?
- Which of the following scenarios would be considered a 'data breach' under GDPR? (Select all that apply)
- What is the potential penalty under GDPR for failing to properly notify authorities of a data breach?
- When does the 72-hour notification clock start under GDPR?
- If an employee discovers a potential data breach on Friday evening, what should they do?