GDPR Glossary Also known as: 72-hour rule
The duty to report a risky personal data breach to the regulator within 72 hours, and to affected people without undue delay.
Where a breach is likely to risk people's rights and freedoms, the controller must notify the competent supervisory authority within 72 hours of becoming aware of it.
If the risk is high, the affected individuals must also be told without undue delay. Processors must alert their controller without undue delay.
In the Regulation
Related terms
Need this applied to your business?
Our data-protection lawyers turn GDPR terms into a working plan.