GDPR for Managers Part 5 of 5: Personal Data Breach Notification (the 72-hour rule)

A personal data breach must be assessed quickly. If there’s a risk to people’s rights and freedoms, notify your supervisory authority within 72 hours of awareness. Tell affected individuals without undue delay when the risk is high. See what to include, who to notify (ICO, DPC, or your lead SA), and how iProtectU helps.

What is a personal data breach?

A breach is a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data—whether deliberate (attack) or accidental (mis-send, lost device).

Who to notify and when

Supervisory authority: If the breach is likely to result in a risk to individuals’ rights and freedoms, notify without undue delay and within 72 hours of becoming aware. If later, explain the delay.

  • UK: the ICO is the supervisory authority.

  • Ireland: the DPC is the supervisory authority.

  • EU (elsewhere): notify your lead supervisory authority (based on your main establishment).

Data subjects: If the breach is likely to result in a high risk to individuals, inform affected people without undue delay in clear, plain language.

Processors must notify the controller without undue delay after becoming aware of a breach.

What to include in a notification

  • The nature of the breach (types of records, categories and approximate number of data subjects and records)

  • Likely consequences of the breach

  • Measures taken or proposed to address the breach and mitigate harm

  • Contact details for your data protection lead/DPO

Immediate response steps

  1. Contain and secure systems; revoke access where needed.

  2. Assess risk to individuals (type of data, sensitivity, volume, exposure).

  3. Decide on notification to authority and data subjects; prepare messages.

  4. Document the breach, decisions, and remediation—even if you decide not to notify.

  5. Implement lessons learned: controls, training, supplier follow-up.

Manager checklist

  • Breach detected, contained and logged (time of awareness recorded)

  • Risk assessed; legal basis for any notifications confirmed

  • SA notified within 72 hours (or delay explained)

  • Individuals informed promptly if high risk, in plain language

  • Evidence retained: facts, effects, remedial actions, decisions

  • Post-incident actions assigned and tracked to completion

How iProtectU helps with GDPR

  • IIRSM-approved GDPR awareness training – assign our IIRSM training to staff/managers, track completion, and schedule refreshers.

  • Policy & document management – publish privacy notices, retention schedules and procedures using our document management software; version control ensures a full audit trail.

  • Vendor/processor records – store contracts, data processing agreements and due-diligence checks.

  • DPIAs & risk logs – consistent templates, actions and reviews to manage high-risk processing.

  • Tasking & reminders – owners, due dates and renewals for RoPA, DPIAs, policy updates and vendor checks.

  • Dashboards & reporting – real-time view of training, policy acceptance, actions and expiries for audit readiness.

Need to tighten GDPR controls, train staff or manage your risks?

Book a demo and see how iProtectU keeps you audit-ready.

GDPR FAQs

Our FAQ guides enable you to make informed decisions about how our health and safety software can benefit your organisation.

For anything else please request a demo, call or send us an email.

You must stop the processing based on that consent and log the withdrawal. Keep a record that consent was previously given/withdrawn.

No. Consent must be an opt-in via clear affirmative action.

The UK applies the UK GDPR alongside the Data Protection Act 2018; it mirrors GDPR principles closely. If you operate across regions, design for the higher standard.

No. Consent must be specific—give separate choices for each purpose.

No. Consent is one of six lawful bases. For many HR or service-delivery activities, contract or legitimate interests may be more appropriate—document your choice.

A Data Protection Impact Assessment evaluates high-risk processing (e.g., large-scale monitoring, special category data). It documents risks and the measures you’ll put in place.

If a personal data breach is likely to risk people’s rights/freedoms, report to the supervisory authority within 72 hours and inform affected individuals when required.

Yes—book a free demo and we’ll tailor a walkthrough to your industry, data and processes so you can see how iProtectU fits your organisation.

Refresh when your purposes, technology or context change, or when consents become stale for the risk involved.
