What are the core GDPR principles, and what is the breach notification timeline?
Short answer
GDPR Article 5 sets seven principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. For a personal data breach, the controller must notify the competent supervisory authority without undue delay and where feasible within 72 hours of becoming aware (Article 33). If the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay (Article 34).
The General Data Protection Regulation governs how organisations process the personal data of people in the EU. Interviewers ask this to check that you can connect the legal principles to operational duties — not just recite buzzwords.
The seven principles (Article 5)
GDPR builds on seven principles that every processing activity must satisfy:
- Lawfulness, fairness, transparency — you need a valid legal basis and must be open about it.
- Purpose limitation — collect data for specified, explicit purposes, not "just in case".
- Data minimisation — only what is adequate and relevant.
- Accuracy — keep it correct and up to date.
- Storage limitation — keep it no longer than necessary.
- Integrity and confidentiality — protect it with appropriate security.
- Accountability — be able to demonstrate compliance with all of the above.
Breach notification
A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
- To the regulator (Article 33): the controller notifies the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. If it is unlikely to result in a risk to individuals, notification can be skipped.
- To data subjects (Article 34): if the breach is likely to result in a high risk to individuals' rights and freedoms, they must be told without undue delay, in clear language.
Why this matters
Strong answers tie the principles (especially accountability) to evidence: records of processing, DPIAs, and a tested breach runbook. Saying "72 hours" is table stakes; explaining when the clock starts and the high-risk threshold for notifying individuals is what shows real fluency.
Likely follow-ups
- When does the 72-hour clock start, and what if you don't have all the facts yet?
- When are you exempt from notifying data subjects under Article 34?
- What is the difference between a data controller and a data processor for notification duties?