When does the GDPR 72-hour clock start?

Under Article 33(1), the clock starts when the controller becomes aware of the breach, meaning you have a reasonable degree of certainty that a security incident has compromised personal data. It does not start at the moment the breach happened or when it is fully investigated.

What happens if I miss the 72-hour deadline?

If notification to the supervisory authority is later than 72 hours it must be accompanied by reasons for the delay. Failure to notify without good reason can attract administrative fines of up to 10 million euros or 2 percent of global annual turnover, whichever is higher.

Do I have to notify for every breach?

No. Notification to the supervisory authority is required unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If there is a high risk, you must also notify the affected individuals without undue delay.

Is my incident data sent anywhere?

No. The timer, checklist, and exported record are all generated and stored entirely in your own browser using local storage. No incident details are transmitted to any server.

What counts as the 72 hours, working days or calendar time?

It is 72 continuous calendar hours, including weekends and public holidays. The deadline is three full days from the time you became aware, not three working days.

GDPR 72-Hour Breach Notification Countdown Timer

A personal data breach triggers one of the tightest deadlines in privacy law: GDPR Article 33 requires a controller to notify the competent supervisory authority (such as the ICO in the UK) within 72 hours of becoming aware of the breach. This tool starts that clock from the exact discovery timestamp you enter, counts down in real time, survives a page refresh, and gives you the four mandatory pieces of information the regulator expects. It is built for data protection officers and incident-response teams who need to move fast without losing track of the deadline.

How it works

The countdown is pure arithmetic against a fixed deadline:

You enter the discovery time T0 — the moment you became aware of the breach.
The deadline is computed as T0 + 72 hours (72 x 3600 x 1000 milliseconds).
Every second the tool recomputes remaining = deadline - now and renders it as HH:MM:SS, broken into days, hours, minutes and seconds.
When remaining drops below zero the timer flips to an overdue state and shows how far past the deadline you are, because a late notification still has to be made (with reasons for the delay).

The discovery timestamp is written to localStorage, so if you refresh or reopen the tab the same countdown resumes from where it really is in wall-clock time, not from a fresh 72 hours.

The mandatory notification content

Article 33(3) lists what your notification must contain. The checklist mirrors it:

The nature of the breach, including categories and approximate number of data subjects and records affected.
The name and contact details of the DPO or other contact point.
The likely consequences of the breach.
The measures taken or proposed to address it and mitigate adverse effects.

Tips and notes

Start the timer the instant you have reasonable certainty a breach occurred — do not wait for the full forensic picture, as the clock runs against awareness, not certainty of scope. If you genuinely cannot provide all information at once, Article 33(4) allows information to be provided in phases without undue further delay. Use the export button to keep a timestamped record of when you became aware, which is itself evidence of compliance. This tool does not submit anything to a regulator; it is a deadline aid only.