What is the timescale you have to notify us of a breach?
In Article 33 (Notification of a personal data breach to the supervisory authority) of the GDPR. Section 1 states:
1) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
This means, you as a school have 72 hours from being made aware by us to notify the data subject/s of the breach in accordance with the stipulation of Article 33 Section 3, at the very least. This 72 hours does not run from the time the breach actually happened, rather from when you were notified that a breach had occurred. As processors, we are bound by Article 33 Section 2 which states:
2) The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
Whilst the above does not specify a time frame from the processors perspective, if we look at Article 34 Section 1 it says:
1) When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
This would then indicate that their definition of undue delay is a maximum of 72 hours (the requirements of Article 33 Section 3 can be disseminated over time as per Article 33 Section 4, again without undue delay), so as soon as we are aware of a data breach, this is the period of time that we have to contact you to notify you of a breach of the data upon which you are the controller and we are the processors.
Just to reiterate, this timer runs from the point you as data controllers are made aware (by us telling you) and a separate timer when we as data processors are made aware (by us discovering the breach through monitoring systems, or by internal employees), it does not run from the time the breach actually occurred.