Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?

The requirement to report data breaches under the General Data Protection Regulation (GDPR) includes the obligation to notify the supervisory authority within 72 hours of becoming aware of the breach. This provision is in place to ensure that data protection authorities are informed promptly about incidents that could pose significant risks to individuals' privacy rights and freedoms. Such timely reporting helps supervisory authorities to take necessary actions and to protect affected individuals from further harm.

In this context, the obligation to notify the supervisory authority is pivotal as it serves as the first line of defense in enforcing data protection compliance and accountability. It also ensures that a proper assessment of the breach can be conducted, which can inform further steps that may need to be taken, such as implementing additional controls or informing affected individuals if there is a high risk to their rights and freedoms.

Notifying the affected individuals, while also critical, is required only when the breach poses a high risk, and this notification typically occurs after the supervisory authority has been informed. Therefore, the precise action of notifying the supervisory authority within 72 hours is a foundational element of compliance with GDPR in the event of a data breach.