GDPR gives you 72 hours to notify a breach. But in practice, that window is way tighter than it sounds.

Let's do the math:

Hour 0–12: Detect and validate the incident. The SOC has to confirm it is a real breach, not a false positive, before the rest of the process can start.

Hour 12–36: Scope it. What data? How many people affected? Which systems were compromised? In real life, this investigation often takes days.

Hour 36–60: Prepare the notification, involve Legal, get approvals. DPO, CISO, CEO, sometimes the board. Each review round burns 4–8 hours.

Hour 60–72: Submit to the regulator and prepare communications for affected customers.

Buffer for complexity, weekends, or chaos? Basically none.

Straight talk: most companies have never tested whether they can meet that deadline end to end.

The breach happens Friday night. Legal won't respond until Monday. You've already lost 48 hours before you even start.

The notification needs five signatures. Each one adds hours. Where's the pre-approved template?

The SOC knows there was unauthorized access. But which files? Which fields? PII for how many people? That's the part that takes the longest.

Air Europa delayed notification by 41 days. Result: a €600,000 fine.

Four questions you should answer today:

  1. Can your SOC determine what data was accessed or exfiltrated within 24 hours?
  2. Do you have pre-approved notification templates ready to use?
  3. Is there a clear escalation path: SOC analyst, Legal, executives, regulator?
  4. Have you run a tabletop exercise for this specific scenario, start to finish?

If the answer to any of these is "I don't know" or "we've never tested it," you already know where the gap is.

In practice, the 72-hour window becomes a test of the whole system. SOC, Legal, DPO, Communications, board: everyone has to operate in sync. And sync is built through drills, not improvisation.

Data Privacy Day is January 28. Instead of just posting about privacy, use that date as an annual trigger to run a notification drill. You don't need to simulate the whole attack. Simulate only the flow: "SOC detected customer data exfiltration at 11 p.m. on Friday. Start the clock."

If it gets stuck anywhere, you've found the problem before the real incident.

In your company, has anyone ever timed how long it takes from alert to regulator notification?

About the author: Denny Roger

A cybersecurity executive and leader with 24 years of international experience in technology and security, combining executive leadership in financial services and consulting with hands-on delivery in modern cybersecurity operations. He currently serves as CISO at TIS (Angola) and is the founder of SOC Tips (Brazil), where he works as an advisor and "SOC Builder," designing methodologies and accelerating the maturity of security operations in complex corporate environments.

Throughout his career, he has worked at global organizations such as Santander, Accenture, Telefônica, and EY, leading initiatives in digital transformation, security strategy and architecture, SOC implementation and evolution, governance and risk management, data protection, and incident response.

Denny is also a best-selling author, a postgraduate lecturer in information security, and delivers official training and exam-preparation courses for internationally recognized cybersecurity certifications.

With 16 international certifications in Leader Coach, Executive Coaching, and Business Coaching, Denny is recognized as one of the most successful coaches and mentors in cybersecurity.

Denny had the honor of serving as a mentor trainer at Accenture, one of the world's largest and most respected consulting firms. This journey allowed him to learn and teach, in practice, how to achieve high performance, overcome blockers, and turn dreams into action.

Strongly results-driven, he combines governance discipline with operational agility, building high-performance multidisciplinary teams and sustainable security and resilience programs.