What happens in the first 72 hours after a Data Breach?

The organisation must assess risk, decide on notification, and document actions within 72 hours.

Why this matters

The UK GDPR sets a strict timeframe for reporting a data breach. Poor preparation leads to rushed, indefensible decisions.

Typical 72‑hour timeline

  • 0–24 hours: Containment and fact‑finding
  • 24–48 hours: Risk assessment and decision drafting
  • 48–72 hours: Notification (if required) and communications

What regulators expect

  • Timeliness
  • Clear rationale
  • Evidence of control

What good preparation delivers

  • Faster decisions
  • Reduced stress
  • Stronger defensibility