Companies get fined for reporting data breaches too late because the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, and a notification that arrives after that window without a documented reason for the delay is itself a violation of the regulation, regardless of whether the breach ultimately caused harm. Regulators treat late notification as evidence of weak internal processes and poor governance, which can significantly increase the severity of enforcement action. The sections below unpack the rule, the fines, the most common causes of delay, and what organisations can do to stay compliant. If you want to discuss your organisation’s current readiness, feel free to get in touch and we will be happy to help.
What is the GDPR 72-hour rule for reporting data breaches?
The GDPR 72-hour rule requires organisations to notify their competent supervisory authority within 72 hours of becoming aware of a personal data breach. This obligation applies to every data controller within the scope of the GDPR, regardless of company size or sector, including organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. The clock starts not when the breach occurred, but when the organisation becomes aware of it: in the regulators’ own guidance, when it has a reasonable degree of certainty that a security incident has compromised personal data, not merely when it receives an unverified alert.
The legal basis for this requirement is Article 33 of the General Data Protection Regulation. Notification is mandatory unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In practice, most breaches involving personal data will cross that threshold, which means the default expectation is to notify.
When a full notification cannot be submitted within 72 hours, organisations are permitted to submit an initial notification and supply the remaining details in phases, as long as those follow without undue further delay (Article 33(4)). This is different from notifying late: a notification made after the 72-hour window must be accompanied by the reasons for the delay (Article 33(1)), and the delay itself will be assessed. In both cases the initial submission should clearly state what is still unknown and when further information will follow. Supervisory authorities expect a good-faith effort to report promptly, not a placeholder used to buy time.
Notification to the supervisory authority is separate from the obligation to inform affected individuals. Under Article 34, organisations must also communicate directly with data subjects when a breach is likely to result in a high risk to their rights. That notification must happen without undue delay and has no fixed hour limit, but regulators expect it to happen quickly once the risk is confirmed.
Why do regulators fine companies for late breach notifications?
Regulators fine companies for late breach notifications because the 72-hour deadline is a hard legal obligation, and missing it signals that an organisation lacks the internal structures needed to detect, assess, and escalate security incidents in a timely way. Late notification is treated as a governance failure, not just an administrative oversight.
From a regulatory perspective, the notification deadline exists to protect data subjects. When organisations fail to report on time, supervisory authorities lose the ability to act quickly, issue public warnings, or coordinate cross-border responses. The delay can extend the window during which affected individuals remain unaware of risks to their data, their finances, or their identity.
Regulators also view late notification as an indicator of broader compliance weaknesses. If an organisation cannot meet a well-known, clearly defined deadline, it raises questions about the maturity of its data protection programme as a whole. Enforcement decisions frequently cite the absence of documented incident response procedures, unclear internal escalation paths, and a lack of designated accountability as aggravating factors.
In short, the fine is not just for being late. It is for demonstrating that the organisation was not prepared to respond to a breach in the first place.
How large can fines get for missing the 72-hour deadline?
Fines for missing the GDPR 72-hour notification deadline fall under the lower tier of GDPR penalties (Article 83(4)), which allows supervisory authorities to impose fines of up to 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. However, when late notification is combined with other violations, such as inadequate security measures under Article 32 or failures of the underlying lawful basis for processing, penalties can escalate significantly, and the higher tier of up to 20 million euros or 4% of turnover may apply to those other infringements.
The actual fine amount depends on several factors that regulators weigh on a case-by-case basis. These include the nature and severity of the breach, the number of individuals affected, how long the delay lasted, whether the delay was intentional or negligent, and whether the organisation has a history of non-compliance. Repeated violations or evidence of deliberate concealment will push fines toward the upper end of the range.
It is also worth noting that fines are rarely the only consequence. Regulators can issue reprimands, impose temporary or permanent bans on data processing, and require organisations to implement specific remediation measures under supervision. In sectors with additional regulatory oversight, such as financial services or healthcare, a GDPR fine may trigger parallel enforcement from sector-specific regulators as well.
For scale-ups and mid-market companies, even a mid-range fine can represent a material financial and reputational impact. The cost of a robust breach response process is almost always lower than the cost of a regulatory investigation.
What causes companies to miss the reporting deadline?
The most common reason companies miss the 72-hour reporting deadline is that they do not detect the breach quickly enough. Many breaches go unnoticed for days or weeks before someone inside the organisation recognises what has happened. By the time the incident is confirmed and escalated, the deadline has already passed.
Beyond detection speed, several structural issues contribute to late notifications:
- No defined incident response process: Without a documented procedure, employees do not know what qualifies as a reportable breach, who to tell, or how quickly to act.
- Unclear accountability: When responsibility for data protection is distributed across teams without a clear owner, incidents get passed around rather than escalated.
- Assessment bottlenecks: Organisations often delay notification while trying to fully understand the scope of a breach. Waiting for certainty before notifying is a common and costly mistake.
- Lack of awareness among staff: Employees who handle personal data regularly are often unaware of their obligation to report suspicious activity to a designated contact.
- Governance drift: Organisations that built compliance processes during a certification project but never maintained them as living systems find that those processes have quietly degraded over time.
The 72-hour window is short by design. It is meant to test whether an organisation has genuinely embedded data protection into its operations, or whether compliance exists only on paper. Organisations that treat governance as a continuous operational capability rather than a periodic exercise are significantly better positioned to meet the deadline.
Who is responsible for reporting a data breach inside an organisation?
Under the GDPR, the data controller is legally responsible for reporting a breach to the supervisory authority. In practice, this means the organisation’s leadership, typically the board or executive management, carries ultimate accountability. The Data Protection Officer, where one is appointed, plays a central coordinating role but does not carry the legal obligation personally.
Inside the organisation, breach notification is a cross-functional responsibility. Security teams are usually the first to detect a technical incident. Legal and compliance teams assess whether the incident meets the threshold for notification. The DPO advises on the reporting obligation and helps draft the notification. Senior management approves and submits it.
This is precisely where many organisations run into problems. When those functions are siloed, or when the DPO role exists on paper but lacks real authority or resources, the internal handoffs slow down. The 72-hour clock does not pause while teams debate whether something counts as a breach or wait for sign-off from a busy executive.
Effective governance requires that breach response responsibilities are pre-assigned, documented, and regularly tested. Everyone in the chain needs to know their role before an incident occurs, not during one. Continuous governance means those roles are maintained and validated over time, not defined once and forgotten.
How can organisations avoid late breach notification penalties?
Organisations can avoid late breach notification penalties by building and maintaining a continuous incident response capability, rather than relying on ad hoc responses when a breach actually occurs. The organisations that consistently meet the 72-hour deadline are those that have made breach detection, assessment, and escalation a permanent operational process.
The most effective steps include:
- Document a clear incident response procedure: Define what constitutes a reportable breach, who must be notified internally, and in what timeframe. Make this procedure accessible to all relevant staff.
- Assign unambiguous ownership: Designate a single point of accountability for breach coordination. This is typically the DPO, but that person must have the authority and access to act quickly.
- Train staff regularly: Employees who handle personal data should know how to recognise a potential breach and who to report it to immediately. Annual training is a minimum; embedded awareness is better.
- Test your response process: Run tabletop exercises or simulated breach scenarios to identify gaps before a real incident exposes them.
- Avoid waiting for certainty before notifying: Regulators accept initial notifications with incomplete information. Waiting until you have the full picture before reporting is one of the most common causes of deadline breaches.
- Integrate governance across domains: Breach response does not sit in isolation. It connects to your security monitoring, privacy programme, and risk management processes. Fragmented governance creates the gaps that cause delays.
This is the core argument for continuous governance. A compliance programme that was built for a certification audit and then left to run passively will drift. Processes become outdated, responsibilities shift as staff change, and the organisation’s real-world readiness quietly diverges from what its documentation says. Organisations that treat governance as a living system, actively maintained across security, privacy, and risk domains, are far less likely to be caught unprepared when a breach occurs. You can learn more about how we approach this through our governance services.
If you want to assess whether your organisation has the processes in place to meet the 72-hour deadline and avoid the penalties that come with missing it, contact us and we will help you find out.
Frequently Asked Questions
Does the 72-hour clock start when the breach happened or when we found out about it?
The 72-hour clock starts from the moment your organisation becomes aware that a breach has likely taken place — not from when the breach actually occurred. This is an important distinction, because a breach may have happened days or weeks earlier without your knowledge. However, regulators will scrutinise whether your detection capabilities were adequate, so a long gap between occurrence and discovery can itself become an aggravating factor in enforcement decisions.
What if we are still investigating the breach when the 72-hour deadline arrives — do we have to notify before we have all the facts?
Yes. The GDPR explicitly allows organisations to submit an initial notification with incomplete information, provided you clearly state that further details will follow and you supply them as soon as they become available. Waiting until your investigation is complete before notifying is one of the most common and costly mistakes organisations make. Regulators expect a good-faith, prompt report — not a perfect one.
Are small businesses and startups subject to the same 72-hour rule as large enterprises?
Yes. The 72-hour notification obligation under Article 33 of the GDPR applies to every data controller within the regulation’s scope, regardless of company size, headcount, or sector. While the scale of a fine may be calibrated to annual turnover, the legal obligation itself is the same for a ten-person startup as it is for a multinational corporation. Smaller organisations are often at greater risk precisely because they lack dedicated compliance resources.
What information do we actually need to include in a breach notification to the supervisory authority?
Article 33(3) sets out the required content: a description of the nature of the breach (including the categories and approximate number of individuals and records affected), the contact details of your DPO or relevant point of contact, a description of the likely consequences of the breach, and a description of the measures taken or proposed to address it. If you cannot provide all of this within 72 hours, submit what you have and clearly flag that additional information will follow. Most supervisory authorities provide a structured online form that guides you through the required fields.
How do we know whether a breach is serious enough to require notification, or can we keep it internal?
Notification to the supervisory authority is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In practice, the threshold is relatively low: any breach involving sensitive personal data, financial information, login credentials, or a significant number of individuals will almost certainly meet it. When in doubt, the safer and legally defensible position is to notify. Choosing not to notify and being wrong about the risk assessment is a significantly worse outcome than over-reporting. Note that “keeping it internal” never means doing nothing: Article 33(5) requires the controller to document every personal data breach, including the facts, its effects and the remedial action taken, even where it concludes that notification is not required, and the supervisory authority may ask to see that record.
What is the difference between notifying the supervisory authority and notifying affected individuals, and do we have to do both?
These are two separate obligations under the GDPR. Article 33 requires you to notify your supervisory authority within 72 hours of becoming aware of a breach. Article 34 requires you to communicate directly with affected individuals — but only when the breach is likely to result in a high risk to their rights and freedoms, which is a higher threshold than the one that triggers authority notification. If individual notification is required, it must happen without undue delay, though there is no fixed hour limit. In some cases you may need to do both; in others, only authority notification will be required.
If we use a third-party processor — such as a cloud provider or SaaS vendor — and they suffer a breach, who is responsible for notifying the supervisory authority?
The data controller remains legally responsible for notifying the supervisory authority, even when the breach originates with a third-party data processor. Under Article 33(2), processors are required to notify the controller without undue delay after becoming aware of a breach, but the 72-hour clock for regulatory notification runs from when the controller becomes aware — not the processor. This makes it essential to include clear, contractual breach notification obligations and response timeframes in all data processing agreements, and to verify that your key vendors have the processes in place to alert you promptly.
Related Articles
- How does a governance policy reduce regulatory exposure?
- What is the difference between proactive and reactive governance?
- What is the difference between a governance system and a quality management system?
- What is the role of governance in managing vendor and processor agreements under GDPR?
- How does corporate governance reduce operational risk?