Under the GDPR, organizations are obligated to report a personal data breach to the supervisory authority (and, in some cases, to the affected individuals) within 72 hours of becoming aware of it.
The same applies to an organization or company acting as a data processor: it must notify the data controller as soon as possible, or within 72 hours of becoming aware of the breach.
In the report, the organization needs to:
- describe the nature of the data breach and, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned
- disclose the contact details of its data protection officer (DPO)
- describe the consequences of the breach
- describe measures taken to address the breach
However, different data protection laws impose different requirements and measures, although all of them share the aims of limiting further damage and disclosing the breach to the affected individuals.