Security Incident Response
Learn to assess incident severity, understand when the 72-hour breach notification requirement applies, trigger proper incident response procedures, and document everything for regulatory compliance. Master the critical difference between security events that require supervisory authority notification and those that only need internal documentation.
What You'll Learn
- Recognize common cybersecurity threats
- Respond appropriately to security incidents
- Protect sensitive information
- Follow security best practices
- Report suspicious activities
Training Steps
- Introduction
Welcome to SecureNet Financial, a company that processes financial transactions and stores sensitive customer data for enterprise clients. You are Alice, a Security Operations Analyst responsible for monitoring security alerts and responding to incidents. Today's training will teach you about GDPR-compliant incident response - how to assess security events, determine breach notification requirements, and trigger the right procedures when personal data may be compromised.
- Starting Your Shift
Alice begins her morning shift at the Security Operations Center (SOC). The dashboard shows normal activity levels - a few routine alerts that have already been triaged by the overnight team. SecureNet Financial handles payment processing for hundreds of enterprise clients. The SOC monitors for unauthorized access, data exfiltration, policy violations, and other security events around the clock.
- High-Severity Alert
Suddenly, a high-severity alert appears on the dashboard. The SIEM has detected unusual login attempts - multiple failed authentication attempts followed by a successful login from a foreign IP address. The alert indicates the account belongs to a system administrator with elevated privileges. This could be a brute-force attack that succeeded in compromising credentials.
- Analyzing the Login Alert
The alert details reveal concerning information:
  - Account: sysadmin_jsmith (System Administrator)
  - Source IP: 185.220.101.45 (Eastern Europe)
  - Failed attempts: 47 over 3 hours
  - Successful login: 06:47 AM local time
  - Session duration: 2 hours 13 minutes
The legitimate account owner, John Smith, is currently on vacation in Spain, but the login originated from a different country entirely.
- Second Alert Appears
While reviewing the login alert, a second alert appears - medium severity. The Data Loss Prevention (DLP) system has flagged a large data export request. Someone used the compromised sysadmin account to export customer records from the production database. The export completed before the automated systems could block it.
- The Scope of the Breach
The data export alert reveals the extent of potential damage:
  - Records exported: 50,000 customer records
  - Data types: Full names, email addresses, phone numbers, financial account numbers, transaction history
  - Export destination: External FTP server (IP: 185.220.101.89)
  - Time of export: 07:15 AM local time
This is no longer just a security event: personal data has been exfiltrated to an external server controlled by unknown parties.
- Acknowledging the Alerts
Alice needs to acknowledge both alerts to indicate they are under active investigation. This creates an audit trail showing when the SOC became aware of the potential breach. Under GDPR, the organization is considered 'aware' of a breach when the SOC identifies an incident involving personal data - not when the investigation concludes.
- Acknowledging the Data Export Alert
The unauthorized access has been marked as acknowledged. Now Alice needs to acknowledge the data export alert as well. With both alerts acknowledged, there is a clear timestamp showing when SecureNet Financial became aware of the potential breach involving personal data.
- Checking Compliance Status
Before escalating the incident, Alice checks the compliance dashboard to understand the organization's current security posture. This context helps determine what controls may have failed. Understanding existing compliance gaps can help explain how the breach occurred and what mitigations should be prioritized.
- Identifying the Vulnerability
The compliance dashboard reveals a critical issue:
  - Consent Management: Compliant
  - DSAR Response Time: Compliant
  - Data Encryption: Compliant
  - MFA Enforcement: Warning, 23% of admin accounts lack MFA
  - Data Retention: Compliant
The compromised sysadmin account was one of the 23% without Multi-Factor Authentication enabled. This security gap allowed the attacker to gain access using only stolen credentials.
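The detection and triage logic the scenario walks through (the brute-force-then-success pattern on a privileged account from an unexpected location, its correlation with the DLP export of personal data, and the awareness timestamp that acknowledging the alerts creates, from which the 72-hour Article 33 clock runs) is worked through below in Python as an added example. It is not part of the original training and is not SecureNet Financial's tooling; the log line formats, the GeoIP table, the expected-location lookup, the field names and the failure threshold of 10 are assumptions, while the timestamps, counts and addresses mirror the scenario.

```python
"""Correlate brute-force login and DLP export events into a GDPR breach record.
Added example; log formats, GeoIP table and field names are constructed assumptions."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"sysadmin_jsmith"}
PERSONAL_DATA_FIELDS = {"name", "email", "phone", "account_number", "transactions"}
# Hypothetical lookups: where each account owner is expected to be, and a tiny GeoIP table.
EXPECTED_REGION = {"sysadmin_jsmith": "Spain", "alice": "United States"}
GEOIP = {"185.220.101.45": "Eastern Europe", "185.220.101.89": "Eastern Europe",
         "10.0.4.7": "United States"}
AUTH_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")
DLP_RE = re.compile(r"^(\S+) dlp EXPORT user=(\S+) rows=(\d+) dest=(\S+) fields=(\S+)$")

AuthEvent = namedtuple("AuthEvent", "ts ok user src")
ExportEvent = namedtuple("ExportEvent", "ts user rows dest fields")

def parse_auth(lines):
    """Parse the constructed auth-log format; non-matching lines are ignored."""
    return [AuthEvent(datetime.fromisoformat(m[1]), m[2] == "OK", m[3], m[4])
            for m in filter(None, map(AUTH_RE.match, lines))]

def parse_dlp(lines):
    """Parse the constructed DLP export format; fields become a set for intersection."""
    return [ExportEvent(datetime.fromisoformat(m[1]), m[2], int(m[3]), m[4],
                        set(m[5].split(",")))
            for m in filter(None, map(DLP_RE.match, lines))]

def detect_compromise(events, fail_threshold=10, window=timedelta(hours=3)):
    """A success preceded by >= fail_threshold failures on the same account within
    `window`, from a region other than where the owner is, is a likely credential
    compromise. Accounts with no known expected region are flagged as well."""
    findings, pending = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        fails = pending.setdefault(ev.user, [])
        if not ev.ok:
            fails.append(ev.ts)
            continue
        recent = [t for t in fails if ev.ts - t <= window]
        region = GEOIP.get(ev.src, "unknown")
        if len(recent) >= fail_threshold and region != EXPECTED_REGION.get(ev.user):
            findings.append({"user": ev.user, "src": ev.src, "region": region,
                             "failed_attempts": len(recent), "login_time": ev.ts,
                             "privileged": ev.user in ADMIN_ACCOUNTS})
        fails.clear()  # a success closes the failure streak either way
    return findings

def build_breach_records(findings, exports, ack_time):
    """Link exports by a compromised account after its login to the compromise.
    Awareness is the SOC acknowledgment time; the Article 33 authority deadline is
    72 hours from it; Article 34 notification of individuals is set when the exposed
    data carries high risk (here: financial account numbers or transaction history)."""
    records = []
    for f in findings:
        for x in exports:
            personal = x.fields & PERSONAL_DATA_FIELDS
            if x.user != f["user"] or x.ts < f["login_time"] or not personal:
                continue
            records.append({
                "user": f["user"], "privileged": f["privileged"],
                "failed_attempts": f["failed_attempts"], "login_src": f["src"],
                "rows": x.rows, "destination": x.dest,
                "personal_data": sorted(personal), "awareness": ack_time,
                "authority_deadline": ack_time + timedelta(hours=72),
                "notify_authority": True,
                "notify_individuals": bool(personal & {"account_number", "transactions"}),
            })
    return records

def build_sample_logs():
    """Constructed events mirroring the scenario: 47 failures over ~3 hours, success
    at 06:47, a 50,000-row export at 07:15, plus benign noise from another user."""
    start = datetime(2024, 3, 5, 3, 50)
    auth = [f"{(start + timedelta(seconds=230 * i)).isoformat()} auth FAIL "
            f"user=sysadmin_jsmith src=185.220.101.45" for i in range(47)]
    auth += ["2024-03-05T06:47:00 auth OK user=sysadmin_jsmith src=185.220.101.45",
             "2024-03-05T06:02:00 auth FAIL user=alice src=10.0.4.7",
             "2024-03-05T06:02:30 auth OK user=alice src=10.0.4.7"]
    dlp = ["2024-03-05T07:15:00 dlp EXPORT user=sysadmin_jsmith rows=50000 "
           "dest=185.220.101.89 fields=name,email,phone,account_number,transactions",
           "2024-03-05T07:30:00 dlp EXPORT user=reporting_svc rows=1200 "
           "dest=10.0.9.2 fields=order_id,sku"]
    return auth, dlp

def run_scenario(ack_time=datetime(2024, 3, 5, 7, 20)):
    """Constructed acknowledgment time: the SOC acknowledges both alerts at 07:20."""
    auth, dlp = build_sample_logs()
    return build_breach_records(detect_compromise(parse_auth(auth)), parse_dlp(dlp), ack_time)

if __name__ == "__main__":
    for r in run_scenario():
        print(f"{r['user']}: {r['rows']} rows to {r['destination']}; aware {r['awareness']}, "
              f"notify authority by {r['authority_deadline']}")
```

The deadline is keyed to the acknowledgment timestamp because, as the training states, awareness begins when the SOC identifies an incident involving personal data, not when the investigation concludes; passing the SIEM alert time as `ack_time` instead gives the more conservative window. The benign `alice` login and the `reporting_svc` export are included to show that short failure streaks from an expected location, and exports that contain no personal data fields, produce no breach record.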
Knowledge Check Questions
This training includes a 6-question quiz to test your understanding of Security Awareness threats and defenses.
- Under GDPR Article 33, how long does an organization have to notify the supervisory authority of a personal data breach?
- When must an organization notify affected individuals directly under GDPR Article 34?
- Which of the following must be included in a breach notification to the supervisory authority? (Select all that apply)
- Why did the attacker succeed in compromising the sysadmin account in this scenario?
- What is the first action a SOC analyst should take when identifying a potential data breach?