Legal Obligation: Under the GDPR, organisations are generally required to notify the relevant supervisory authority about a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

Contents of Notification: The notification should include details about the breach, its impact, and the organisation's response plan. If the investigation is ongoing, provide initial information and follow up with additional details as needed.

Cooperation: Cooperate fully with the supervisory authority throughout the breach investigation and response process, providing any requested information or assistance.