GDPR Scenario · Pressure Signal: Uncertainty
Probably Nothing
You spot something that appears to be personal data that may have been accessed. You’re not sure. It might be recoverable. Raising it now feels premature — why cause a panic over something that could be nothing? So you start digging quietly first.
Quick Answer
Do you have to report a data breach before you’re certain it happened?
You have to escalate it. Under GDPR, the 72-hour notification clock starts when the organization becomes aware of a possible personal-data breach — not when it’s fully confirmed. Quietly investigating on your own to “be sure first” burns that window. The right move is to raise suspicion immediately through the incident process, so that the people who assess breaches can make a clock-aware decision while containment proceeds. Uncertainty doesn’t pause the clock.
The Pressure Signal: Uncertainty
“Let’s be sure before we cause a panic.” It sounds like maturity — you don’t want to cry wolf, embarrass a colleague, or trigger a fire drill over nothing. So you investigate first. But the instinct to wait for certainty is exactly what runs out the clock, because the obligation doesn’t wait for certainty either.
The Situation
Niels, in IT support at Velsenhoff Medical, notices an odd access pattern on a system holding EU customer records — logins at strange hours, a file that may have been copied. It could be a breach. It could be a misconfiguration or a false alarm. He genuinely can’t tell yet.
His instinct is to dig in before saying anything: confirm what actually happened, see if the data’s recoverable, get the facts straight so he doesn’t set off alarms over nothing. Raising a maybe-breach that turns out to be nothing would be embarrassing. So he opens the logs and starts investigating — quietly, on his own. The hours start ticking.
Three Ways People Respond
1. Investigate quietly, raise it once sure.
Confirm it’s real before escalating. Why it fails: the 72-hour clock starts when you become aware of a possible breach, not when it’s confirmed. Investigating in private burns the window, and one person deciding it’s “probably nothing” is exactly the failure regulators see most.
2. Quietly fix it and move on.
Contain it himself and avoid the alarm. Why it fails: containment is good — but it doesn’t replace the duty to escalate so the organization can assess whether it’s reportable. Fixing the hole and saying nothing leaves the notification decision unmade by the people who own it.
3. Escalate the suspicion now.
Report it through the incident process immediately — flag the suspicion, let the breach-assessment owners start the clock-aware process while containment runs in parallel. Why it works: see below.
The Right Call
Raise it the moment it appears to be a possible breach. Escalate through the defined incident process, describe what you saw plainly, and let the people whose job it is to assess breaches decide whether it’s reportable. Containment and investigation still happen — in parallel, by the right people — but the clock is now visible and owned. Your job isn’t to be certain. It’s to raise it fast.
Reframe the fear: escalating a suspicion that turns out to be nothing is a non-event — that’s the system working. Sitting on a real one while you investigate is what turns a contained incident into a reportable failure, with the deadline already gone.
Why It’s Harder Than It Looks
You’re not sure — and raising a false alarm feels worse than waiting. Investigating first feels responsible, even diligent. The clock is invisible; no countdown appears on your screen the moment you become aware. So the most conscientious-seeming move — “let me get the facts before I worry anyone” — is the one that quietly spends the window. Breaches rarely go unreported because someone decided to hide one. They go unreported because someone was being careful.
“I’d never sit on a breach.”
Nobody sits on a confirmed breach. They sit on an unconfirmed one, telling themselves they’re just being careful, just getting the facts first. The clock doesn’t distinguish between hiding and verifying. It only counts the hours since you became aware.
How to Run This With Your Team
Take 10–15 minutes. Read the situation, then ask: “You’re not sure it’s real — do you raise it now or confirm first?” Most people instinctively want to confirm first; let them defend that, then reveal when the clock actually starts. Make the key fact stick: awareness, not certainty, starts the window.
Close on the habit: escalate suspected breaches immediately through the incident process; containment and notification are decided by the right people, in parallel. Available as a manager-led Decision Brief™.
Related
Go deeper with GDPR compliance training, browse the full GDPR scenario library, or see the US-side companion in the Data Privacy & CCPA scenarios. (GDPR governs EU personal data; CCPA/CPRA governs California residents’ data — with different breach rules.)
Frequently Asked Questions
When does the 72-hour breach clock start?
When the organization becomes aware of a personal-data breach — that is, reasonably certain a security incident affecting personal data has occurred. It does not wait for a full investigation to confirm every detail.
What if I’m not sure it’s actually a breach?
Escalate the suspicion anyway. Assessing whether it’s reportable is the job of the people who own breach response, not the individual who spotted it. Raising it preserves the window; sitting on it spends it.
Isn’t it better to investigate first so I don’t cause a false alarm?
No. A false alarm that’s escalated is a non-event — the process is working as intended. Investigating privately before escalating is what burns the notification window.
Build people who raise it fast, not perfectly
Run this scenario with your team as a 15-minute Decision Brief™, or explore the full Xcelus approach.
© 2005–2026 Xcelus LLC. All rights reserved. For training and discussion only; not legal advice — route specific questions to your DPO or counsel.