Summary
- The EDPB consultation on a common breach notification template runs until 5 August 2026.
- The template is designed for implementation by data protection authorities through IT tooling.
- Standardised breach reporting could increase consistency and raise evidence expectations during incident response.
The European Data Protection Board is consulting on a common personal data breach notification template, a move that could make GDPR breach reporting more structured across EU supervisory authorities.
The consultation opened on 10 June and runs until 5 August 2026. The EDPB says the template is primarily designed to be implemented by data protection authorities through an IT tool. It includes predefined values, rules for collecting information only where necessary, and recommended tooltips to help organisations answer notification questions consistently.
Personal data breach notification under Article 33 of the GDPR already requires controllers to assess whether an incident is notifiable, understand what personal data is involved, determine likely consequences, and provide information to the relevant supervisory authority. A common template would give that process a more consistent structure across Member States.
The EDPB’s consultation page says the Board will decide the timeline for practical implementation by data protection authorities after the consultation closes. Stakeholder feedback may be published after screening.
Organisations operating across several EU countries already deal with a fragmented practical environment. GDPR is harmonised in law, but breach notification processes can still involve different portals, forms, local expectations, and follow-up practices. Those differences can add friction during live incidents, when legal, security, privacy, communications, supplier, and executive teams are working to establish facts under tight deadlines.
A common template would not remove the need for judgement. Organisations would still need to decide what happened, whether personal data was affected, whether individuals face risk, what measures have been taken, and whether further notification is required. It could, however, shape the information that incident response teams gather from the start.
That places more weight on logs, asset records, identity information, data classification, supplier evidence, and decision records. Weaknesses in those areas often become visible only when an incident is live and the reporting clock is running. Standardised fields may make incomplete evidence easier for authorities to identify, particularly where similar incidents are reported by organisations with stronger records.
The proposal could also help supervisory authorities compare incidents across countries and sectors. Predefined values and common fields can support trend analysis, enforcement consistency, and policy work. Organisations that treat notification as a legal filing separated from technical response may find that structure more difficult to maintain.
Breach reporting sits at the intersection of cybersecurity, privacy, records management, third-party assurance, and accountability. A common template would give that intersection a more consistent operational form across Europe.





