Timelines for Reporting
72-Hour Rule: Organisations must report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. This short timeframe underscores the importance of rapid response and investigation.
Reasonable Delay: If a breach is complex, organisations can provide initial information within 72 hours and follow up with additional details afterwards, as long as they can provide a valid reason for the delay.
Notification to Data Subjects: In some cases, organisations may also need to notify affected data subjects without undue delay, especially if the breach is likely to result in a high risk to their rights and freedoms.
Last updated