GDPR Data Breach Notification — Timelines, Procedures, and Operational Checklist for SMEs

[2026-07-05] Author: Ing. Calogero Bono

Your server has been breached. An employee lost a laptop with customer data. A ransomware attack encrypted the database. At that moment, your priority is to stop the emergency, but GDPR imposes a precise countdown: 72 hours to notify the supervisory authority. Do you have a ready procedure, or do you risk million-euro fines? At Meteora Web, we see daily how companies discover a data breach when it's too late — or have no idea what to do afterward. This guide is not theory: it's the concrete list of actions to take, deadlines to meet, and documents to prepare.

What are the notification timelines for a data breach under the GDPR

Article 33 of the GDPR is clear: the data controller must notify the supervisory authority within 72 hours of becoming aware of the breach. Not from the day of the attack, but from the moment the company — or someone acting on its behalf — realizes that a personal data breach has occurred. The difference is crucial. Often a breach is discovered weeks later, and the 72-hour clock starts from the actual awareness, not the event. If you cannot provide all information within 72 hours, you can submit a preliminary notification followed by subsequent communications without undue delay. We recommend preparing a notification template in advance, because when the emergency hits, there's no time to write. The notification must include: nature of the breach, categories of data involved, approximate number of data subjects, consequences, and measures taken.


When is notification mandatory and when is it not

Not every security incident is a notifiable data breach. If data is already public or encrypted with a secure key (and the key is not compromised), the risk to individuals' rights may be negligible — and notification can be omitted. But the risk assessment is your responsibility and must be documented. When in doubt, notify. The Italian Data Protection Authority has stated that unjustified omission is a serious violation. For example, a ransomware attack that encrypts data but does not exfiltrate it: if you have a good backup, can you skip notification? Not always. If personal data was accessed, there is potential risk. In a real case, we assisted a client whose database was copied but not encrypted: notification was mandatory.


What to do within the first 72 hours after a data breach

The 72-hour window includes three parallel phases: containment, analysis, and notification. There is no time to do them sequentially. Here is an operational checklist we use with clients:

  • Isolate the compromised system: disconnect the server from the network, block suspicious access, change all critical passwords. Do not shut down the server if doing so could destroy useful logs.
  • Identify the type of breach: exfiltration, unauthorized access, data modification, physical loss. Categorizing helps the notification.
  • Determine the start and end dates of the breach: from logs, monitoring systems, forensic analysis. Even approximate.
  • Quantify the data involved: how many people, which categories (financial, health, contact). The more sensitive, the more urgent the notification.
  • Assess the risk: if data is exposed to concrete risks (identity theft, fraud, discrimination), you must also notify the data subjects (Art. 34 GDPR). If not, only the authority.
  • Prepare the notification: use the authority's official model (available on their website). Include all required information. If something is missing, mark it as provisional.
  • Send the notification within 72 hours: via certified email or the authority's portal. Keep the receipt.

A common mistake is trying to figure everything out before notifying. GDPR allows you to supplement details later. Sending a partial notification is better than missing the deadline.


Tools for early detection

To meet the 72-hour window, you must become aware of the breach as soon as possible. We recommend configuring intrusion detection systems (IDS), centralized logs (ELK, Graylog), and alerts for unusual authentication errors. If your site runs WordPress, plugins like Wordfence or Sucuri give real-time alerts. But make sure alerts reach someone who can act. A log that nobody reads is useless.
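As an added illustration of the "alerts for unusual authentication errors" this paragraph recommends (example code written for this page, not a Meteora Web tool or a Wordfence/Sucuri rule), the following script parses constructed sshd-style log lines and raises two alerts: a burst of failed logins from one source address within a short window, and the higher-severity case of a successful login from an address that has just produced such a burst. The log lines, thresholds and hostnames are constructed for the example.

```python
"""Added example (not from the article): flag bursts of failed logins.

Parses constructed sshd-style auth log lines and alerts when one source IP
produces at least THRESHOLD failures inside a sliding window, and again when
that same IP then logs in successfully. All sample data below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log for a single day (not real traffic).
SAMPLE_LOG = """\
2026-07-05T02:14:01 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
2026-07-05T02:14:03 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
2026-07-05T02:14:05 web01 sshd[4121]: Failed password for root from 203.0.113.9 port 51130 ssh2
2026-07-05T02:14:06 web01 sshd[4121]: Failed password for root from 203.0.113.9 port 51131 ssh2
2026-07-05T02:14:08 web01 sshd[4121]: Failed password for root from 203.0.113.9 port 51135 ssh2
2026-07-05T02:14:09 web01 sshd[4121]: Accepted password for root from 203.0.113.9 port 51140 ssh2
2026-07-05T09:30:12 web01 sshd[5003]: Failed password for mario from 198.51.100.20 port 40011 ssh2
2026-07-05T09:31:40 web01 sshd[5003]: Accepted password for mario from 198.51.100.20 port 40012 ssh2
"""

# Matches the common "Failed/Accepted password for [invalid user] X from IP port N" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_lines(text):
    """Return a list of (timestamp, result, user, ip) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect_failure_bursts(events, threshold=5, window_seconds=60):
    """Sliding window per source IP: alert when >= threshold failures fall within window_seconds.

    Returns {ip: (first_failure_ts, last_failure_ts, count)} for each IP that crossed the line.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, result, _user, ip in sorted(events):
        if result != "Failed":
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:  # drop failures outside the window
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = (window[0], ts, len(window))
    return alerts


def detect_success_after_burst(events, alerts):
    """Higher-severity signal: a successful login from an IP right after its failure burst."""
    hits = []
    for ts, result, user, ip in sorted(events):
        if result == "Accepted" and ip in alerts and ts >= alerts[ip][1]:
            hits.append((ts, user, ip))
    return hits


if __name__ == "__main__":
    ev = parse_auth_lines(SAMPLE_LOG)
    bursts = detect_failure_bursts(ev)
    for ip, (first, last, n) in bursts.items():
        print(f"ALERT burst: {n} failed logins from {ip} between {first} and {last}")
    for ts, user, ip in detect_success_after_burst(ev, bursts):
        print(f"ALERT success-after-burst: '{user}' logged in from {ip} at {ts}")
```

The point the paragraph makes still applies: the `print` calls stand in for whatever delivers the alert to a person who can act (mail, chat, pager). In a real deployment the same two functions would run over lines shipped to the central log store rather than an inline string.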

How to handle the data breach notification to the DPA and document the incident

The formal notification must be sent to the data protection authority. In Italy, use certified email (PEC) to garante@pec.gpdp.it. The format is not strict but must contain the elements of Article 33. We have prepared a template that includes:


  • Name and contact of the controller and DPO (if appointed).
  • Description of the breach (nature, cause, date and duration).
  • Categories and number of data subjects involved.
  • Likely consequences and measures already taken.
  • Recommendations for data subjects (if applicable).

Mandatory internal documentation

In addition to the notification, you must document internally every data breach, even those not notified (Art. 33(5) GDPR). Keep a register with: date of discovery, date of notification (if made), incident details, actions taken, and reason for non-notification. This register is among the first documents the authority asks for during an inspection. We suggest using a spreadsheet or a small database with controlled access.
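The following is an added example of such a register, written for this page rather than taken from the article or from any Meteora Web template. It serves both the 72-hour rule explained earlier (the clock starts at awareness, and a preliminary notification may leave elements provisional) and the internal register described here: each record stores the Article 33 elements the article lists, the deadline is computed from the moment of discovery, and a check reports what is overdue, missing, or undocumented. Field names, the incident label and the sample record are this example's own assumptions; the CSV export is the "spreadsheet" the paragraph suggests.

```python
"""Added example (not from the article): a minimal GDPR breach register.

Records the Art. 33 elements named in the article, computes the 72-hour
deadline from the moment of awareness, and reports compliance issues.
Field names and the sample record are constructed for this example.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional
import csv
import io

NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33(1): 72 hours from becoming aware

# Elements the notification must contain, as listed in the article (Art. 33(3)).
ART33_FIELDS = ("nature", "data_categories", "approx_subjects", "consequences", "measures_taken")


@dataclass
class BreachRecord:
    incident_id: str                 # constructed label, not a real case number
    discovered_at: datetime          # moment of awareness: the clock starts here, not at the attack
    nature: str = ""
    data_categories: str = ""
    approx_subjects: Optional[int] = None
    consequences: str = ""
    measures_taken: str = ""
    notified_authority_at: Optional[datetime] = None
    notified_subjects_at: Optional[datetime] = None
    high_risk_to_subjects: bool = False   # outcome of the documented risk assessment
    reason_not_notified: str = ""         # mandatory when the authority is not notified
    actions_log: list = field(default_factory=list)


def notification_deadline(discovered_at):
    """72 hours from awareness, not from the attack."""
    return discovered_at + NOTIFY_WINDOW


def missing_elements(rec):
    """Art. 33 elements still empty; these are marked 'provisional' in a preliminary notification."""
    return [f for f in ART33_FIELDS if getattr(rec, f) in ("", None)]


def register_issues(rec, now):
    """Compliance problems for one record as of `now` (all timestamps UTC-aware)."""
    issues = []
    deadline = notification_deadline(rec.discovered_at)
    if rec.notified_authority_at is None:
        if rec.reason_not_notified == "" and now > deadline:
            issues.append("authority notification overdue and no documented reason for omission")
        elif rec.reason_not_notified == "":
            hours_left = (deadline - now).total_seconds() / 3600
            issues.append(f"authority not yet notified: {hours_left:.1f} h left")
    elif rec.notified_authority_at > deadline:
        issues.append("authority notified after the 72-hour deadline (delay must be justified)")
    if rec.high_risk_to_subjects and rec.notified_subjects_at is None:
        issues.append("high risk assessed but data subjects not notified (Art. 34)")
    missing = missing_elements(rec)
    if missing:
        issues.append("provisional: missing " + ", ".join(missing))
    return issues


def export_register(records):
    """Serialise the register as CSV text (the spreadsheet form the article suggests)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(asdict(records[0]).keys()))
    writer.writeheader()
    for r in records:
        writer.writerow(asdict(r))
    return out.getvalue()


def sample_record():
    """Constructed case: database copied, discovered Monday 09:00 UTC, notified 60 h later."""
    found = datetime(2026, 7, 6, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(
        incident_id="INC-EXAMPLE-001",
        discovered_at=found,
        nature="unauthorized copy of customer database",
        data_categories="contact details, invoices",
        approx_subjects=1200,
        consequences="",  # still under assessment, so the notification is preliminary
        measures_taken="server isolated, credentials rotated",
        notified_authority_at=found + timedelta(hours=60),
    )
    rec.actions_log.append((found + timedelta(hours=1), "server isolated from network"))
    return rec


if __name__ == "__main__":
    rec = sample_record()
    print("deadline:", notification_deadline(rec.discovered_at).isoformat())
    for issue in register_issues(rec, datetime.now(timezone.utc)):
        print("issue:", issue)
    print(export_register([rec]))
```

Running `register_issues` on a schedule (or on every save) is what turns the register from a passive document into the early warning the 72-hour window needs: a record with no notification and no documented reason becomes an explicit "overdue" line as soon as the deadline passes.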

What are the penalties for failing to notify a data breach

The GDPR imposes administrative fines of up to 10 million euros or 2% of annual global turnover for failure to notify the authority. For failure to notify data subjects (when required), fines can reach 20 million or 4% of turnover. But it's not just about the fine: the company's reputation suffers often irreversible damage. We have seen clients lose B2B contracts because they couldn't demonstrate a data breach procedure. Prevention and preparation pay far more than the potential penalty.


What to do now

Don't wait for an incident to wake you up at night. Here are three concrete actions you can take today:

  1. Download and fill out a notification template: get the model from your DPA's website and customize it with your company details. Keep it ready in a protected folder.
  2. Check your detection time: do you have monitoring systems that alert you immediately to unusual access? If not, implement at least basic alerting (e.g., uptime monitor + login logs).
  3. Appoint an incident response lead: a member of your team who knows what to do when the alarm sounds. At Meteora Web, we offer incident response planning sessions for SMEs. But even on your own, you can define a flow: who alerts, who analyzes, who communicates.

For the full regulatory picture, read our pillar guide on Privacy and GDPR for Developers.

Ing. Calogero Bono

Computer engineer, founder of Meteora Web and Zenith OS. System administrator and designer of proprietary platforms, apps and CMSs, with experience in full-stack development, digital marketing and the Google ecosystem.