#Regulation

EDPB Publishes Standardized Template to Simplify GDPR Data Breach Notifications

Privacy Reporter

The European Data Protection Board has released a reusable template for reporting personal data breaches, aiming to cut confusion around the 72-hour notification deadline that has tripped up organizations since GDPR took effect.

The European Data Protection Board has published a standardized template for personal data breach notifications, giving organizations across the European Union a common structure for one of the most time-pressured obligations under the General Data Protection Regulation.

The template addresses a recurring problem. Since GDPR became enforceable in May 2018, companies have been required to report qualifying breaches to their supervisory authority, but the format and detail of those reports varied widely between member states and between individual data protection authorities. A controller operating in several countries often faced different forms, different mandatory fields, and different interpretations of what counted as adequate disclosure. The new template offers a single reference point that maps directly to the legal requirements.

What the law actually requires

The obligation comes from Article 33 of the GDPR, which governs notification of a personal data breach to the supervisory authority. The headline rule is the timeline: a data controller must notify the competent authority "without undue delay and, where feasible, not later than 72 hours" after becoming aware of a breach. If notification happens after that window, the controller has to explain the reasons for the delay.

A personal data breach, as defined in Article 4(12), is broader than many people assume. It is not limited to hackers stealing a database. The definition covers any "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to" personal data. A lost laptop, an email sent to the wrong recipient, a ransomware attack that encrypts records, or a misconfigured cloud storage bucket can all qualify.

Article 33 also lists the minimum information a notification must contain. The controller has to describe the nature of the breach, including the categories and approximate number of individuals and records affected. It must give the name and contact details of the data protection officer or another contact point. It must describe the likely consequences of the breach and the measures taken or proposed to address it, including steps to limit harm. The EDPB template is built around exactly these fields, which is what makes it useful as a working checklist rather than just a form.

There is a separate but related duty under Article 34. When a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate the breach to the affected people directly, in clear and plain language. The supervisory authority notification and the notification to individuals are distinct obligations with different thresholds.

Who is affected

The practical audience for this template is anyone who handles personal data of people in the EU, which extends well beyond European companies because of GDPR's territorial reach. Data controllers carry the primary notification duty. Data processors, the vendors and service providers acting on a controller's instructions, have their own obligation under Article 33(2) to notify the controller without undue delay after becoming aware of a breach, so that the controller can meet its own deadline.

For data protection officers and incident response teams, the value is operational. The 72-hour clock starts when the organization becomes "aware" that a breach has occurred, and in the chaos of an active incident, assembling the required information quickly is genuinely difficult. Having a pre-agreed template lets a team populate fields as facts are confirmed, and GDPR explicitly permits notification in phases under Article 33(4) when all the details are not available at once. The template supports that staged approach, letting an organization file an initial report and supplement it as the investigation continues.

For individuals whose data is involved, standardization matters indirectly. More consistent reporting to regulators tends to produce more consistent enforcement and clearer public records of how breaches are handled. The framework is built to protect the rights of data subjects, and a structured notification process makes it harder for the scope of an incident to be quietly understated.

The cost of getting it wrong

The stakes are not theoretical. Failure to notify, or inadequate notification, falls under the lower tier of GDPR's administrative fines, which can reach up to 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher. Breaches of the broader data protection principles can attract the higher tier of up to 20 million euros or 4 percent of global turnover.

Regulators have shown they will penalize the handling of a breach as well as the breach itself. Several high-profile enforcement actions across Europe have cited delayed or insufficient notification as an aggravating factor, separate from whatever security failure allowed the incident in the first place. The template will not prevent a breach, but it reduces the risk of a second, avoidable penalty for botching the disclosure.

What changes in practice

Organizations should treat the template as a prompt to revisit their internal breach response procedures. GDPR requires controllers to document all breaches under Article 33(5), including the facts, effects, and remedial action, regardless of whether the breach met the threshold for reporting to the authority. That internal record is itself something regulators can request, and the new template can double as a documentation standard for that log.

The most useful step for compliance teams is to pre-fill the static parts of the template now (the organizational contact details, the DPO information, the escalation chain) so that during a live incident the only work left is describing the breach itself. Mapping the template fields against existing incident response playbooks will also surface gaps, such as whether the team can realistically estimate the number of affected records within the first day.
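As an added illustration of the procedure described in the last two paragraphs (this is example code written for this article, not the EDPB template or any authority's filing system), the following Python sketch keeps the internal breach record Article 33(5) requires, pre-fills the static contact details, computes the 72-hour deadline from the moment of awareness, lists which Article 33(3) fields are still outstanding, and supports the phased filings Article 33(4) permits. The field labels, the organization profile and the ransomware scenario are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Art. 33(1): "not later than 72 hours"

# Minimum content of a notification under Art. 33(3). The keys are labels chosen
# for this example (an assumption), not field names from the EDPB template.
MANDATORY_FIELDS = {
    "nature": "nature of the breach (Art. 33(3)(a))",
    "subject_categories": "categories of data subjects (Art. 33(3)(a))",
    "subject_count": "approximate number of data subjects (Art. 33(3)(a))",
    "record_categories": "categories of records (Art. 33(3)(a))",
    "record_count": "approximate number of records (Art. 33(3)(a))",
    "contact_point": "DPO or other contact point (Art. 33(3)(b))",
    "consequences": "likely consequences of the breach (Art. 33(3)(c))",
    "measures": "measures taken or proposed (Art. 33(3)(d))",
}

# Static parts pre-filled before any incident (constructed placeholder values).
ORG_PROFILE = {"contact_point": "DPO, dpo@example.org (placeholder)"}


@dataclass
class BreachRecord:
    """Internal breach log entry (Art. 33(5)) that can emit Art. 33 filings."""
    aware_at: datetime                           # when the controller became aware
    reportable: bool = True                      # False: unlikely to result in a risk
    facts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)      # facts as confirmed, with timestamps
    filings: list = field(default_factory=list)  # every phase sent (Art. 33(4))

    def __post_init__(self) -> None:
        self.facts = {**ORG_PROFILE, **self.facts}

    @property
    def deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline - now) / timedelta(hours=1)

    def record(self, confirmed_at: datetime, **new_facts) -> None:
        """Add facts as the investigation confirms them; the log keeps every step."""
        self.log.append({"at": confirmed_at, "facts": dict(new_facts)})
        self.facts.update(new_facts)

    def missing(self) -> list:
        return [k for k in MANDATORY_FIELDS if self.facts.get(k) in (None, "")]

    def build_notification(self, submitted_at: datetime,
                           delay_reason: Optional[str] = None) -> dict:
        """Assemble one filing to the supervisory authority.

        An initial filing past 72 hours must carry the reasons for the delay
        (Art. 33(1)). Filings may be incomplete and supplemented later
        (Art. 33(4)); outstanding fields are listed so the follow-up is tracked.
        """
        if not self.reportable:
            raise ValueError("assessed as not reportable: keep the Art. 33(5) record only")
        initial = not self.filings
        late = initial and submitted_at > self.deadline
        if late and not delay_reason:
            raise ValueError("initial notification after 72h needs reasons for the delay")
        filing = {
            "stage": "initial" if initial else f"supplementary-{len(self.filings)}",
            "aware_at": self.aware_at.isoformat(),
            "submitted_at": submitted_at.isoformat(),
            "late": late,
            "delay_reason": delay_reason,
            "outstanding": [MANDATORY_FIELDS[k] for k in self.missing()],
            **{k: self.facts.get(k) for k in MANDATORY_FIELDS},
        }
        self.filings.append(filing)
        return filing


def demo():
    """Walk a constructed ransomware incident through a phased notification."""
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord(aware_at=aware)
    # Hour 2: what is known on day one; affected counts are not yet confirmed.
    rec.record(aware + timedelta(hours=2),
               nature="ransomware encrypted the HR file share",
               subject_categories="current and former employees",
               consequences="loss of availability; exfiltration under investigation",
               measures="share isolated, credentials rotated, restore from backup started")
    first = rec.build_notification(aware + timedelta(hours=20))   # inside the window
    # Hour 50: forensics confirms the scope, so the filing is supplemented.
    rec.record(aware + timedelta(hours=50),
               subject_count=1200, record_categories="payroll records", record_count=1200)
    second = rec.build_notification(aware + timedelta(hours=55))
    return first, second, rec


def late_initial_without_reason_raises() -> bool:
    """A first filing at hour 80 with no explanation of the delay is refused."""
    rec = BreachRecord(aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc))
    try:
        rec.build_notification(rec.aware_at + timedelta(hours=80))
    except ValueError:
        return True
    return False
```

Calling `demo()` produces an initial filing that already carries the pre-filled contact point and lists three outstanding count fields, then a supplementary filing with nothing outstanding once the numbers are confirmed. The point of keeping `log` and `filings` separate is that the internal record must exist whether or not the breach was reportable, and each filing stays attributable to the facts known when it was sent.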

The template does not change the underlying legal obligations, and it does not replace the specific notification channels that individual national authorities operate. Organizations still need to file with the correct supervisory authority through its designated system. What it offers is a common language for an obligation that has long suffered from fragmented practice, and a head start on the one deadline in GDPR that leaves the least room to improvise.
