Millions of companies worldwide are covered by the European Union's General Data Protection Regulation (GDPR). The regulation was introduced to protect personal data and, at the same time, sets out what you must do if your company experiences a security breach.
Understanding Notification Obligation GDPR
Any company or organization that experiences a security breach must, under Article 33 of the regulation, report the breach to a Data Protection Authority (DPA) within 72 hours if it wants to remain GDPR compliant. You may request an extension on this deadline in situations where it was not possible to report the breach within the specified 72 hours. You will usually need to complete and submit an online form to report the breach, but the exact method depends on the DPA you report to in your region. To be safe, collect as much information as you can so that you have everything at hand when the time comes.
What to Include in a Data Breach Notification
This is the information you'll need to include in your breach notification:
- Details of the breach: how it happened, how many people were affected, how many records were exposed or lost, and the categories of data affected
- Relevant contacts: names and contact details of all the relevant role players
- Result of the security breach: either what happened or what could happen as a result of the breach
- Measures you have taken: all the details and steps you have taken to fix the security breach
How GDPR Breach Notification Affects Your Customer Trust
When you experience a data breach as an eCommerce brand, the notification requirement isn't just a legal checkbox—it's a moment that defines how customers perceive your business. Your customers need to know their payment information, addresses, or email addresses may be at risk, and they need to hear it from you first, not from a news article.
For Shopify and BigCommerce stores, breaches often involve customer payment data, email lists, or browsing behavior. If your store experiences unauthorized access to customer records, you're legally required to notify affected individuals without undue delay. This means you can't wait for the 72-hour DPA reporting deadline to pass before telling your customers—you must contact them separately and promptly.
The notification to customers should explain what data was exposed, what steps you're taking to secure their information, and what they can do to protect themselves (like monitoring credit reports or changing passwords). Keep the language clear and avoid technical jargon. Your customers are already anxious; confusing them with regulatory terminology will only damage trust further.
Many brands underestimate how quickly breach news spreads on social media. When you're transparent and proactive with notifications, you control the narrative. You demonstrate that you take their privacy seriously, which can actually strengthen loyalty long-term. However, if customers discover the breach through other channels first, recovery becomes much harder.
The Low-Risk Breach Exception: When You May Not Need to Notify Individuals
Not every unauthorized access triggers a notification requirement. GDPR includes a safeguard for breaches that pose minimal risk to people's rights and freedoms. Understanding when this applies can help you manage your response appropriately.
If your breach involves encrypted data, anonymized information, or access that was quickly detected and contained, the risk level may be low enough to skip individual notifications—though you still report to your DPA. For example, if an unauthorized person briefly accessed encrypted customer payment tokens that are useless without the decryption key, and you detected and fixed the vulnerability within hours, the risk is substantially lower than a breach exposing unencrypted passwords or payment card details.
However, don't assume a breach is low-risk without careful analysis. Your Data Protection Officer or privacy team should assess the actual harm potential. Consider factors like: Was personal data actually viewed or downloaded? How difficult is it to misuse the data? How many people were affected? Can you definitively prove the data wasn't compromised?
For eCommerce brands, this assessment becomes tricky. If your Meta Pixel or Google Analytics implementation was misconfigured and sent additional customer data to advertising platforms, that's a breach, but the risk depends on what data was shared and whether Meta or Google could re-identify individuals. If you collected emails through a contact form and a hacker accessed them but no other identifying information, the risk might be low.
Document your risk assessment thoroughly. If a regulator later questions why you didn't notify individuals, you need evidence showing your analysis was reasonable and defensible.
Notification Timing: The 72-Hour Clock Starts When?
The 72-hour deadline begins when your organization becomes aware of a breach—but "aware" can be surprisingly unclear in practice. For eCommerce brands, this matters because detection often happens gradually.
Your awareness date is when someone in your organization realizes there's been unauthorized access, destruction, loss, or alteration of customer data. This could be when your hosting provider alerts you to suspicious database access, when your security team notices abnormal traffic patterns, or when a customer reports unauthorized transactions. The moment any responsible person in your company knows something is wrong, the clock starts ticking.
The challenge is that eCommerce breaches may not announce themselves. A hacker accessing your Shopify store's customer database might go undetected for days or weeks. Once you discover it, you must notify the DPA within 72 hours of that discovery, not 72 hours from when the breach originally occurred.
This is why ongoing security monitoring, log reviews, and access controls matter. The faster you detect unauthorized activity, the sooner you can start the notification process. Many brands miss the 72-hour window because they didn't discover the breach until weeks after it happened.
Set up alerts for unusual database activity, failed login attempts, and unauthorized file access. Regular security audits help you catch breaches sooner rather than later.
Documenting Your Breach Response for Regulatory Compliance
Your DPA will want evidence that you handled the breach appropriately. Create a detailed breach response file that documents everything: when you became aware, what you did, who you notified, and what measures you took to prevent recurrence.
This documentation protects you if a regulator audits your breach response later. Include timestamps, communications, forensic reports, and records of your containment steps. For Shopify stores, save server logs and access records. For integrations like Klaviyo, document what customer data synced and when you discovered the issue.
Your documentation also supports the "measures you have taken" section of your DPA notification. Show that you didn't just react—you improved your security posture.
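As an added example that is not part of the original article, the following Python sketch ties together the awareness moment and the evidence file described above: it scans constructed authentication log lines for the failed-login burst an alert rule would catch, treats that alert time as the awareness date, derives the Article 33 deadline from it, and keeps a timestamped timeline for the breach response file. The log format, the alert threshold and the IP address are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

DPA_WINDOW = timedelta(hours=72)  # Article 33 window, counted from awareness
# Constructed auth-log excerpt (sample data, not from a real store).
SAMPLE_LOG = """\
2024-05-03T09:12:41Z login_failed user=admin ip=203.0.113.9
2024-05-03T09:12:44Z login_failed user=admin ip=203.0.113.9
2024-05-03T09:12:47Z login_failed user=admin ip=203.0.113.9
2024-05-03T09:12:50Z login_failed user=admin ip=203.0.113.9
2024-05-03T09:13:02Z login_ok user=admin ip=203.0.113.9
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def first_alert(log_text, threshold=4, window=timedelta(minutes=5)):
    """Timestamp at which a 'repeated failed logins from one IP' alert would
    fire: the earliest point a responsible person could have been aware."""
    recent = {}  # ip -> failure timestamps still inside the window
    for line in log_text.splitlines():
        ts_text, event, *fields = line.split()
        if event != "login_failed":
            continue
        ts = parse_ts(ts_text)
        ip = dict(f.split("=", 1) for f in fields)["ip"]
        recent[ip] = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            return ts
    return None

@dataclass
class BreachRecord:
    """Breach response file: awareness time plus a timestamped evidence trail."""
    aware_at: datetime
    timeline: list = field(default_factory=list)  # (timestamp, note) entries
    dpa_notified_at: Optional[datetime] = None
    def log(self, at, note):
        self.timeline.append((at, note))

    def dpa_deadline(self):
        return self.aware_at + DPA_WINDOW

    def dpa_on_time(self):
        return self.dpa_notified_at is not None and self.dpa_notified_at <= self.dpa_deadline()

    def hours_left(self, now):
        return (self.dpa_deadline() - now).total_seconds() / 3600
```

Every containment step, customer notification and forensic finding goes into `timeline` via `log()`, so the file answers a regulator's "when did you know and what did you do" question with timestamps rather than recollection.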