GDPR breaches and the 72‑hour rule: what finance firms need to have in place

Under GDPR, organisations must report certain data breaches to the ICO within 72 hours of becoming aware of them. For finance firms, this isn’t just a compliance box to tick. Missing the deadline can lead to fines, regulatory scrutiny, and serious reputational damage.

What catches many businesses out is not a lack of intent, but a lack of process.

The real challenge is spotting the breach in time

The 72‑hour clock doesn’t start when everything has gone wrong. It starts when you become aware that a breach may have occurred.

That’s where problems often arise. Breaches are not always obvious. They can look like:

  • A compromised user account behaving slightly differently

  • Sensitive data accessed at unusual times

  • Emails containing personal or financial data sent to the wrong recipient

  • Malware detected on a device that had access to regulated systems

If these signals are missed or not escalated quickly, valuable time is lost.

Why finance firms are under more pressure

Finance firms handle large volumes of sensitive personal and financial data. Regulators expect stronger controls, clearer accountability, and faster responses.

In practice, we often see:

  • Alerts that no one owns or reviews consistently

  • Staff unsure what counts as a reportable breach

  • No clear escalation path when something looks wrong

  • Reliance on manual checks or individual knowledge

Under pressure, these gaps become very visible.

What a tested breach process should include

A strong GDPR breach response doesn’t need to be complicated, but it does need to be clear and tested.

At a minimum, finance firms should have:

  • Monitoring in place to detect suspicious activity early

  • Clear internal guidance on what could constitute a breach

  • Defined escalation paths so issues reach the right people quickly

  • Evidence that alerts and processes are reviewed regularly

Most importantly, the process should work even when the usual people are unavailable.

How Maple helps firms stay ahead of the deadline

Maple works with finance firms to put practical monitoring and escalation processes in place.

We help by:

  • Setting up proactive monitoring across users, devices, and systems

  • Ensuring alerts are seen, understood, and acted on

  • Supporting clear escalation so potential breaches are assessed quickly

  • Helping firms document and evidence their approach for audits and regulators

The goal is simple. No missed alerts. No last‑minute panic. No scrambling to work out what to do under pressure.

Would your process stand up in a real incident?

Many firms believe they would handle a breach well, until they’re tested by a real event.

If you’re unsure whether your current setup would reliably spot and escalate an incident in time to meet GDPR requirements, it’s worth reviewing it before you have to rely on it.

If you’d like a straightforward conversation about your monitoring, escalation, or breach response process, Maple is happy to help. Honest advice, no jargon, and no pressure. Get in touch with us.