Data Breaches: 72 Hours to Act, Every Minute Counts

A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data — as defined by Article 4(12) of the EU General Data Protection Regulation (GDPR, Regulation 2016/679). Under Article 33 GDPR, the controller must notify the competent supervisory authority (in Spain, the AEPD) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights. Where the breach is likely to result in a high risk, Article 34 also requires direct notification to the affected individuals. Failure to notify, or notification that omits required content, can itself constitute a separate GDPR infringement.

A data breach is one of the highest-pressure moments an organisation can face: detection typically occurs outside normal working hours, initial information is incomplete and uncertain, and the 72-hour clock starts running from the moment the organisation has reasonable knowledge of the incident. The difference between a well-managed breach and one that results in a serious sanction is not the incident itself — it is the quality of the response protocol.

Understanding the Dual Notification Obligation

The GDPR imposes a critical distinction that many organisations do not fully understand: the obligation to notify the AEPD (Article 33) and the obligation to communicate to affected individuals (Article 34) apply at different thresholds. AEPD notification is triggered when there is “a risk” to data subjects’ rights — a deliberately low threshold that captures the vast majority of real-world breaches. Communication to individuals is only mandatory when the risk is “high” — requiring a specific impact assessment for each breach. Getting this distinction right determines both what must be done and in what timeframe.

The First 72 Hours

Our response protocol is designed to function under pressure. From the moment of detection, we coordinate technical containment and legal notification analysis in parallel — not sequentially. We do not wait for complete information before initiating the AEPD notification: the GDPR explicitly permits phased notifications when full information is not available at the outset, and this flexibility is critical for meeting the deadline without sacrificing notification quality.

The AEPD notification is not a form-filling exercise. The authority’s enforcement decisions confirm that incomplete notifications, notifications that underestimate the scope of the breach, or notifications that fail to describe the measures taken are treated as compliance failures in themselves. Our notifications reflect the full technical and legal analysis of the incident, providing the AEPD with a complete picture from the first contact.

Post-Breach: From Incident to Improvement

The post-breach phase is as important as the immediate response. A data breach systematically reveals vulnerabilities in the privacy management system that go beyond the technical incident: processor contracts with no breach notification obligation, excessive retention periods that extended the breach’s scope, or absence of encryption on data that could have been protected. The privacy audit we conduct after each incident converts the breach into a genuine opportunity to improve the compliance system.

Coordination with the outsourced DPO is central to our response capacity: the DPO’s existing knowledge of the organisation’s data processing systems significantly accelerates the impact analysis and notification obligation assessment in the critical first hours of an incident. Organisations without a functioning DPO consistently take longer to respond and produce lower-quality notifications — a difference that shows up directly in enforcement outcomes.