Breach notification (supervisory authority)
Description
A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it.
⚠️ Risk Impact
Failure to notify within 72 hours results in additional penalties.
🔧 Remediation
Implement breach detection and response procedures. EchelonGraph real-time monitoring helps detect breaches faster.
💀 Real-World Attack Scenario
A fintech company detected a data breach on Friday evening, but the security team was unavailable until Monday. By the time the breach was reported to the data protection authority (DPA), 96 hours had elapsed — exceeding the 72-hour deadline. The DPA imposed an additional €1.5M fine specifically for the late notification, on top of the breach penalty.
💰 Cost of Non-Compliance
Twitter/X 2022: €450K fine for late breach notification alone. Average additional fine for late notification: €800K. Repeat late notification offenders face enhanced scrutiny and higher base fines.
📋 Audit Questions
1. What is your breach detection and notification process?
2. Who is responsible for DPA notification?
3. Can you notify within 72 hours, including on weekends?
4. Show evidence of breach notification drills.
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ No 24/7 incident response capability (the 72 hours include weekends and holidays)
- ⛔ Unclear ownership of breach notification responsibility
- ⛔ Waiting for full forensic analysis before notifying (notification should happen within 72 hours even with incomplete information)
📈 Business Value
Rapid breach detection and notification prevents additional GDPR penalties and demonstrates regulatory maturity. Real-time monitoring cuts detection time from months to minutes.
⏱️ Effort Estimate
8-16 hours to create and test breach notification procedures
EchelonGraph provides real-time security monitoring to detect breaches within minutes
🔗 Cross-Framework References
Automate GDPR Art33 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.