At 14:32 on a Tuesday, your marketing automation platform flags an anomaly: an unauthorised export of 12,000 customer records from your CRM. The clock starts now. Under GDPR Article 33, your organisation has exactly 72 hours to notify the relevant supervisory authority of a personal data breach. For marketing teams who own and operate CRM systems daily, understanding this protocol is not optional. It is a core operational competency.

At Data Innovation, we work with marketing and CRM teams across Europe to build resilient data practices. This article breaks down the 72-hour breach response protocol, specifically tailored for the teams most likely to discover, and inadvertently cause, CRM-related data incidents.

What Counts as a Notifiable CRM Breach

Not every data incident triggers the 72-hour notification requirement. GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. For marketing teams working within CRM platforms, this definition covers a wider range of scenarios than most people assume.

Common CRM-related breaches that meet the notification threshold include:

  • Unauthorised data exports where a team member or compromised account downloads contact lists containing personal data without proper authorisation or encryption.
  • Misdirected email campaigns that expose personal data, such as sending a segmented list to the wrong audience with visible personal identifiers in dynamic content fields.
  • Integration leaks where a misconfigured API between your CRM and a third-party tool exposes customer records to an unauthorised platform or vendor.
  • Access control failures where former employees, agency partners, or freelancers retain CRM access and view or extract data after their engagement has ended.
  • Ransomware or malware affecting CRM infrastructure, rendering customer data inaccessible or compromised.

The key test is whether the breach poses a risk to the rights and freedoms of the individuals concerned. If the data involved includes email addresses combined with names, purchase history, behavioural profiles, or any special category data, the risk threshold is almost certainly met. When in doubt, treat the incident as notifiable. Under-reporting carries far greater regulatory and reputational consequences than over-reporting.

The 72-Hour Timeline: Who to Notify and When

The 72-hour window begins not when the breach occurred, but when your organisation becomes aware of it. This is a critical distinction. If your CRM logs show an unauthorised export happened on Saturday but your team only discovers it on Monday morning, the clock starts on Monday. However, regulators will scrutinise whether your monitoring practices were adequate to have detected it sooner.

Here is a structured timeline that marketing teams should follow:

Hours 0 to 6: Containment and initial assessment. Immediately revoke compromised access credentials, disable the affected integration, or halt the campaign in question. Document everything: timestamps, affected records, the nature of the data exposed, and how the breach was discovered. Do not attempt to investigate the full scope alone. Escalate to your Data Protection Officer (DPO) or the designated privacy lead within the first hour.

Hours 6 to 24: Severity assessment and documentation. Working alongside your DPO and IT security team, determine the volume of records affected, the categories of personal data involved, the likely impact on data subjects, and whether the data was encrypted or pseudonymised. This assessment directly informs both the supervisory authority notification and the decision on whether to notify affected individuals under Article 34.

Hours 24 to 72: Supervisory authority notification. Your DPO prepares and submits the formal notification to the relevant supervisory authority, such as the AEPD in Spain, the ICO in the United Kingdom, or the CNIL in France. The notification must include the nature of the breach, approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. If the full picture is not yet clear, GDPR permits phased reporting, but the initial notification must still land within the 72-hour window.

Beyond 72 hours: Individual notification and remediation. If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those individuals directly, in clear and plain language. For marketing teams, this often means preparing a dedicated communication through the very CRM system that was compromised, which requires careful coordination to ensure the notification channel itself is secure.

Severity Assessment: A Practical Framework for Marketing Teams

One of the most challenging aspects of breach management for marketing professionals is assessing severity. Marketing teams are accustomed to thinking about data in terms of segments, engagement metrics, and campaign performance. Reframing that data through a risk lens requires a deliberate shift in perspective.

We recommend a four-factor severity matrix:

  1. Data sensitivity. Basic contact details (name and email) represent a lower risk than records enriched with behavioural data, purchase history, location tracking, or health-related preferences. The richer your CRM profiles, the higher the severity.
  2. Volume. A breach affecting 50 records and one affecting 50,000 records carry fundamentally different risk profiles, both for regulatory scrutiny and for the potential scale of harm to individuals.
  3. Exposure context. Data exposed to a known, contractually bound processor is different from data leaked to an unknown third party or published on the open internet. Assess where the data went and who might have accessed it.
  4. Recoverability. Can the exposure be contained? If a misconfigured integration shared data with a trusted vendor, that vendor can be contacted and the data deleted under contractual obligations. If data was exfiltrated by an unknown actor, recoverability is effectively zero, and severity increases accordingly.

Document this assessment formally. Regulators will request evidence of your decision-making process, and a well-structured severity assessment demonstrates both competence and good faith.
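As an added illustration (my own code, not part of this article or any Data Innovation tooling), here is a small Python model of the timeline above and the four-factor matrix: it computes the Article 33 deadline from the moment of awareness, records the detection gap regulators will ask about, scores the four factors, and produces the assessment record to keep on file. The scores, thresholds and the sample incident are assumptions constructed for the example, not values set by GDPR.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative scores for the four factors; weightings and thresholds are assumptions, not GDPR values.
SENSITIVITY = {"contact_only": 1, "enriched": 2, "special_category": 3}
EXPOSURE = {"bound_processor": 1, "unknown_third_party": 2, "public": 3}
RECOVERABILITY = {"recoverable": 0, "uncertain": 1, "none": 2}

@dataclass
class CrmBreach:
    occurred_at: datetime    # what the CRM logs show
    discovered_at: datetime  # when the organisation became aware: the clock starts here
    records: int
    sensitivity: str
    exposure: str
    recoverability: str

def severity_score(b):
    volume = 1 if b.records < 100 else 2 if b.records < 10_000 else 3
    return (SENSITIVITY[b.sensitivity] + volume
            + EXPOSURE[b.exposure] + RECOVERABILITY[b.recoverability])

def response_phase(b, now):
    # Maps elapsed hours since awareness onto the article's timeline.
    h = (now - b.discovered_at) / timedelta(hours=1)
    if h < 6: return "containment and initial assessment"
    if h < 24: return "severity assessment and documentation"
    if h <= 72: return "supervisory authority notification"
    return "individual notification and remediation"

def assess(b, now):
    # Art. 33: 72 hours from awareness, not from occurrence.
    deadline = b.discovered_at + timedelta(hours=72)
    score = severity_score(b)
    band = "high" if score >= 8 else "medium" if score >= 5 else "low"
    return {  # the record to keep on file for the regulator
        "notify_authority_by": deadline.isoformat(),
        "hours_remaining": (deadline - now) / timedelta(hours=1),
        "detection_gap_hours": (b.discovered_at - b.occurred_at) / timedelta(hours=1),
        "severity_score": score,
        "risk_band": band,
        "notify_individuals": band == "high",  # Art. 34 high-risk test
        "current_phase": response_phase(b, now),
    }

# Constructed sample mirroring the article's opening scenario (not real data).
EXPORT_INCIDENT = CrmBreach(
    datetime(2024, 3, 9, 3, 10, tzinfo=timezone.utc),    # occurred: Saturday
    datetime(2024, 3, 12, 14, 32, tzinfo=timezone.utc),  # discovered: Tuesday 14:32
    12_000, "enriched", "unknown_third_party", "none")
```

Calling `assess(EXPORT_INCIDENT, now)` two hours after discovery yields a Friday 14:32 deadline, a detection gap of just over 83 hours, and a high-risk band that triggers individual notification.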

Building a Breach-Ready Culture in Your Marketing Team

The most effective breach response protocols are the ones that never feel improvised. Marketing teams that manage CRM platforms should invest in preparedness long before an incident occurs.

Start by establishing a direct communication channel between your marketing operations lead and your DPO. In many organisations, these two functions rarely interact until a crisis forces them together. Regular quarterly reviews of CRM access logs, integration configurations, and data processing activities create a shared understanding of where vulnerabilities exist.

Develop a breach response playbook specific to your CRM environment. Generic IT incident response plans rarely account for the nuances of marketing technology stacks, where data flows through automation workflows, third-party enrichment tools, advertising platform syncs, and multi-user campaign builders. Your playbook should map these data flows explicitly and identify the containment actions relevant to each one.

Run tabletop exercises at least twice a year. Present your marketing team with a realistic CRM breach scenario and walk through the response protocol in real time. These exercises consistently reveal gaps in knowledge, unclear escalation paths, and assumptions about who is responsible for what. Addressing those gaps in a low-pressure training environment is vastly preferable to discovering them during an actual incident.

Finally, ensure that every team member with CRM access understands that they are a potential first responder. The 72-hour clock starts at the moment of awareness, and awareness often begins with a marketing coordinator noticing something unusual in a campaign report or an unexpected data sync. Training your team to recognise and escalate anomalies quickly can make the difference between a well-managed incident and a regulatory penalty.

Protect Your CRM Data with Expert Guidance

CRM security is not solely an IT responsibility. Marketing teams sit at the intersection of customer data and business operations, making them both the first line of defence and the most likely point of vulnerability. A proactive, well-rehearsed breach response protocol protects your customers, your brand reputation, and your regulatory standing.

At Data Innovation, we help organisations across Barcelona and beyond build CRM environments that are secure by design and resilient under pressure. Whether you need a CRM security audit, a tailored breach response framework, or guidance on aligning your marketing operations with GDPR requirements, our team is ready to help.

Get in touch with Data Innovation to schedule a consultation and ensure your marketing team is prepared for the incidents you hope will never happen.