The 72-Hour Breach Rule for Freelancers — GDPR compliance guide for solo workers

The 72-Hour Breach Rule: What Freelancers Actually Owe

Transparency Notice: This article contains affiliate links. If you purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. Read our full disclosure.


Short answer: if you are a solo freelancer who decides how and why client personal data gets processed, the GDPR’s 72-hour breach-notification clock can apply to you, and “I’m too small for this” is not a defense the regulation recognizes. Our verdict is USE WITH CAUTION — most one-person businesses are not exempt, but the actual obligation is narrower and more manageable than the panic headlines suggest. This guide reflects the regulation as written and the latest EDPB guidance as of June 2026 (rules reviewed June 2026). If you store client emails, run a contact form, keep an invoicing spreadsheet, or hold a list of customers’ names and addresses, you are processing personal data — and a leak, a stolen laptop, or a misdirected email can all count as a breach. The stakes for a solo worker are real: the clock starts the moment you become aware, not the moment you finish investigating.

What the 72-hour rule actually requires

Here is the obligation at a glance, mapped to what it means for a one-person business. We explain how we read privacy and compliance rules before turning them into plain-English guidance.

Dimension                          What the rule says (solo view)
---------------------------------  ------------------------------------------------------------
Who must report?                   Anyone acting as a “controller” — including solo freelancers
Deadline to notify regulator       Within 72 hours of becoming aware of the breach
When the clock starts              On awareness, not on full investigation
Threshold to notify regulator      Required unless the breach is unlikely to risk people’s rights
Must you tell affected people?     Only if the breach is “high risk” to them
Late or partial reporting allowed? Yes — phased notification is explicitly permitted
Record-keeping                     All breaches must be logged, even unreported ones

The 72-hour deadline sits in Article 33 of the GDPR, and the duty to inform affected individuals sits in Article 34 (per the GDPR text on EUR-Lex, retrieved 2026-06-18). Two details trip up solo workers. First, the clock measures hours, not business days — a Friday-evening discovery does not pause until Monday. Second, “becoming aware” means having a reasonable degree of certainty that a security incident occurred and personal data was involved; a vague suspicion you are still ruling out has not yet started the clock, but you cannot stall indefinitely to avoid it. The European Data Protection Board’s breach-notification guidelines spell out that controllers should investigate promptly once an indication appears (per the EDPB guidelines on personal data breach notification, retrieved 2026-06-18).

If you genuinely cannot gather every detail within 72 hours, the regulation does not punish you for filing an incomplete report on time. Article 33 expressly allows information to be provided in phases as it becomes available. A solo freelancer’s correct move is almost always to file a holding notification before the deadline and follow up, rather than miss the window while assembling a perfect account.

A short worked timeline makes the deadline concrete. Say you discover at 6 p.m. on a Friday that an export of your client list was emailed to the wrong address. Your awareness clock started at 6 p.m. Friday, and 72 hours lands around 6 p.m. Monday — the weekend does not buy you extra time. Over Saturday and Sunday you confirm which fields the export contained, how many people are affected, and whether the recipient has confirmed deletion. By Monday morning you either decide the breach is unlikely to risk anyone’s rights and log that reasoning, or you submit a notification — complete if you can, phased if you cannot. The wrong move is to treat Friday-to-Monday as dead time and start work only when the office reopens.

What goes into the notification itself is also defined, and it is less than many freelancers fear. At minimum you describe the nature of the breach, the approximate number of people and records involved, the likely consequences, and the measures you have taken or propose to take. You also give a contact point — for a solo worker, that is simply you. Notice that none of this requires legal drafting or a forensic report; it requires that you can describe, in plain terms, what happened and what you did about it. That is exactly why a pre-written log and template turn the deadline from a scramble into a fill-in-the-blanks exercise.

What this means for solo freelancers

The hard part for one-person businesses is recognizing that they are a “controller” at all. If you decide which client data you collect and why — your own newsletter list, your CRM, your project files — you are a controller for that data, and the breach duties attach to you directly. When you process data purely on a client’s instructions (you are editing their customer spreadsheet, for example), you are usually a “processor,” and your duty is narrower: notify that client without undue delay so they can meet their own 72-hour clock. Based on the regulation as written, misjudging which role you hold carries the specific risk of notifying the wrong party, or no one, while the deadline runs.

Three concrete scenarios show how this lands on a freelancer’s desk:

  • Stolen or lost laptop. If your unencrypted laptop holding client contact lists is stolen, that is a breach the moment you know it is gone. The risk assessment — and whether you must tell affected people — turns heavily on whether the disk was encrypted.
  • Misdirected email. Sending a client roster to the wrong recipient is one of the most common reportable breaches for solo workers. A single wrong address can trigger the assessment, even if you recall the message seconds later.
  • Compromised cloud account. If your email or storage account is phished and client files were accessible, you must assess exposure quickly. Based on the regulation as written, the absence of proof that data was read does not by itself remove the duty to assess and, where warranted, report.

None of this means every minor slip goes to a regulator. The threshold is risk to people’s rights and freedoms. A breach that is unlikely to result in such risk does not need to be reported — but you still have to document it and your reasoning.

Judging that risk is where solo workers feel least sure of themselves, so it helps to know the factors that actually move the assessment. The type of data matters most: a leaked mailing list of business email addresses is far lower risk than a leaked file containing home addresses, health details, financial records, or anything that could enable identity theft. The volume matters — one misdirected message is not the same as a full database dump. So does the ease of identifying people from the data, and whether anyone with bad intent is likely to have accessed it. And crucially, whether the data was protected: a leaked file that was strongly encrypted, with the key never exposed, may pose so little practical risk that individual notification is not required even though the incident is logged. Walking through those factors honestly, in writing, is both your decision-making tool and your evidence that you took the duty seriously.

How to stay ahead of the clock

You cannot meet a 72-hour deadline if your first 24 hours are spent figuring out who to call. Build the answer once, before anything goes wrong:

  1. Know your lead supervisory authority. For an EU-based freelancer, that is your national data protection authority; bookmark its online breach-report form now.
  2. Keep a one-page breach log. A simple template with date discovered, data involved, people affected, risk assessment, and action taken satisfies the record-keeping duty and forces clear thinking under pressure.
  3. Encrypt the devices and accounts that hold client data. Full-disk encryption and a password manager materially change the risk analysis — an encrypted, stolen laptop is far less likely to meet the “high risk” bar that forces you to notify individuals.
  4. Turn on two-factor authentication everywhere. Most reportable freelancer breaches start with a compromised login, not a sophisticated attack.
  5. Draft a holding notification template today. Two paragraphs you can send within 72 hours beats a perfect report sent on day five.

The single highest-leverage habit is encryption plus 2FA, because both reduce the chance that an incident becomes a high-risk breach requiring you to contact every affected person individually.

Tools that shrink your breach exposure

You reduce 72-hour stress most by reducing the odds and the blast radius of a breach in the first place. These options match a solo budget and directly lower the risk factors a regulator weighs:

  • Bitwarden (bitwarden.com) — a dedicated vault with breach monitoring and secure sharing for client credentials, which a plain browser password store does not give you. The free tier covers a solo worker; paid is roughly $10/year. Best for any freelancer who reuses passwords today.
  • Proton (proton.me) — encrypted email and storage where the provider cannot read your client files, which strengthens your risk assessment if an account is exposed. Free tier exists; paid plans run roughly 4–10€/month. Best for freelancers handling sensitive client correspondence.
  • A hardware security key such as a YubiKey 5 series — phishing-resistant 2FA that a one-time-code app cannot match, typically $50–70 one-time. Best for freelancers whose entire business lives in one email account.
  • NordVPN (nordvpn.com) — encrypted transit on public Wi-Fi at client sites and cafés, roughly 3–5€/month on longer plans. Best for freelancers who work on the move.

None of these is a legal shield on its own, but each one moves the needle on the exact factors — encryption, access control, confidentiality — that decide whether an incident becomes a reportable, high-risk breach.

The verdict

ATP Privacy-Vetted: USE WITH CAUTION

Treat the 72-hour breach clock as something that can apply to you, because for most solo freelancers acting as data controllers it does. The obligation is narrower than the headlines — you only report breaches that risk people’s rights, phased notification is allowed, and many incidents are logged rather than reported — but the deadline is strict and starts on awareness. Prepare your supervisory-authority form, a breach log, and a holding-notification template before anything happens, and the rule becomes a checklist rather than a crisis.

Frequently asked questions

Does the 72-hour rule apply to a one-person freelance business?

Yes, if you act as a data controller — meaning you decide what client or customer personal data you collect and why. The GDPR sets no minimum company size for the Article 33 notification duty. Based on the regulation as written, being a sole trader does not exempt you; what matters is whether you control personal data and whether a given breach risks people’s rights.

When exactly do the 72 hours start counting?

The clock starts when you become “aware” of the breach — when you have a reasonable degree of certainty that a security incident happened and personal data was involved. It is not 72 working hours and it does not pause over a weekend. A short, diligent investigation to confirm a suspicion is acceptable, but you cannot delay awareness on purpose to push back the deadline.

Do I have to tell my affected clients about every breach?

No. You must notify affected individuals only when the breach is likely to result in a high risk to their rights and freedoms, under Article 34. Many breaches are reportable to a regulator but do not meet the high-risk bar for individual notification — and some are neither, requiring only that you log them internally with your reasoning.

What happens if I miss the 72-hour deadline?

A late notification must still be made, accompanied by reasons for the delay. Based on the regulation as written, missing the deadline is itself a compliance failure a supervisory authority can act on, so a timely incomplete report beats a late complete one. Phased notification under Article 33 exists precisely so you can meet the clock before you have every fact.

Is a lost laptop or a wrong-recipient email really a “breach”?

It can be. A personal data breach includes accidental loss, unauthorized access, and unauthorized disclosure — not just hacking. A misdirected email containing personal data and a lost device holding client records are both classic examples. Whether you must report turns on the risk involved, which is where encryption and access controls strongly affect the outcome.

Sources

  • GDPR, Article 33 (notification of a personal data breach to the supervisory authority) — EUR-Lex official text, retrieved 2026-06-18
  • GDPR, Article 34 (communication of a personal data breach to the data subject) — EUR-Lex official text, retrieved 2026-06-18
  • European Data Protection Board, Guidelines on Personal Data Breach Notification — edpb.europa.eu, retrieved 2026-06-18

Reviewed by Jérémy, founder of AidTaskPro and GreenBudgetHub. Based in central France. Compliance posture sourced from public regulatory texts and EDPB guidance as of 2026-06-18. This is general information, not legal advice.
