In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of persons.

  • The EU Data Protection Commission (DPC) is the EU supervisory authority
  • The ICO is the UK supervisory authority
  • The DPC is the Irish supervisory authority

Where the notification to the supervisory authority is not made within 72 hours, the reasons for the delay must be given

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

Iprotectu has GDPR awareness training for managers on what you can and cannot process and what the legal data processing requirements are