The 72-hour window starts when you become aware of a personal data breach. It does not require perfect information on day one. The goal is to alert regulators promptly, then follow up as you learn more.
Not every security incident triggers notification. GDPR focuses on breaches that are likely to result in a risk to people’s rights and freedoms. That risk assessment should be documented, even if you decide no notification is required.
For small teams, the best preparation is a simple template: who is on the response team, how to contact your data protection authority, and where breach logs are stored. That’s enough to handle most incidents.
- Document when you became aware of the breach.
- Record the type of data and likely impact.
- Notify the regulator within 72 hours if a risk to people’s rights and freedoms is likely; otherwise record why no notification was needed.