← Full glossary

The 72-hour rule

The deadline in Article 33 of the GDPR for notifying a personal data breach to the data protection authority: without undue delay and where feasible no later than 72 hours after the company becomes aware of the breach. The clock also runs on weekends and public holidays. If the deadline is missed, the notification must explain the delay. If not all information is available in time, the notification can be made in phases — the key is to report what you know on time.