A data breach is one of the most serious incidents an organisation can face. It can disrupt business operations, damage reputation, cause financial loss, and expose individuals to identity theft, fraud, or emotional distress. Under the General Data Protection Regulation (GDPR), every organisation that processes personal data must be able to detect, investigate, document, and notify breaches in a structured and timely way.
This page provides a complete breakdown of GDPR breach obligations, including practical guidance, matrices, checklists, templates, and internal processes that all organisations should implement.
1. What Counts as a Personal Data Breach?
A personal data breach is defined as any security incident that leads to:
- Unauthorised access
- Unauthorised disclosure
- Accidental or unlawful destruction
- Accidental or unlawful loss
- Alteration of personal data
- Loss of availability of personal data
It covers digital, physical, and human-error events alike.
Examples of Incidents That Qualify
| Incident | Description | Likely Reportable? |
|---|---|---|
| Misdirected email | Client invoice sent to wrong person | Often yes |
| Lost laptop | Unencrypted device stolen from car | Yes |
| Ransomware | Data locked; backups unavailable | Yes |
| Internal access error | Employee views restricted HR data | Depends on severity |
| Misconfigured database | Publicly accessible cloud bucket | Yes |
2. The 72-Hour Notification Requirement
Organisations must notify their Supervisory Authority within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms.
Regulatory Timeline
| Hour | Phase |
|---|---|
| Hour 0 | Awareness |
| Hour 24 | Containment |
| Hour 48 | Investigation |
| Hour 72 | Official report |
Key Interpretations
- The 72 hours include weekends and public holidays.
- The organisation does not need full investigation results to notify; preliminary facts are acceptable.
- Failure to notify can result in significant penalties, even if the breach itself had limited impact.
3. What You Must Include in an Official Notification
Article 33 requires the notification to contain the following:
| Requirement | Explanation |
|---|---|
| Nature of the breach | Type of breach, categories of data, number of records |
| DPO or contact | Name, direct phone number, email |
| Likely consequences | Identity theft, fraud, personal safety risks |
| Measures taken | Containment efforts, ongoing mitigation |
4. When You Must Notify the Affected Individuals
A breach must be communicated to individuals when it poses a high risk.
High-Risk Indicators
- Passwords, ID numbers, financial details
- Health, biometric, or children’s data
- Data belonging to vulnerable persons
- Wide-scale exposure
- Public availability of the breached information
- Loss of control over personal accounts
Low-Risk Indicators
- Strong encryption
- Quick containment before any access
- No sensitive data involved
- No realistic risk to individuals
5. Risk Rating Matrix (Operational Tool)
This matrix helps determine notification obligations.
| Impact Level | Likelihood | Risk Rating |
|---|---|---|
| High | High | Critical – Notify authority + individuals |
| High | Low | Medium – Notify authority |
| Low | High | Medium – Case-by-case |
| Low | Low | Low – Internal record only |
6. Typical Causes of Personal Data Breaches
Human-Driven
- Misaddressed emails
- Falling for phishing attacks
- Sharing credentials
- Neglecting physical document security
- Verbally disclosing sensitive information
Technical Failures
- Outdated software
- Missing patches
- Faulty backups
- Cloud misconfigurations
- Failed access controls
Physical Incidents
- Stolen laptops or phones
- Lost USB drives
- Unlocked filing cabinets
- Exposed mail
7. Internal Data Breach Response Workflow
A structured workflow reduces risk and ensures compliance.
- Step 1: Detect or report the incident
- Step 2: Immediately escalate to DPO/incident team
- Step 3: Secure and contain affected systems
- Step 4: Assess scope (data types, individuals, volume)
- Step 5: Assess risk using matrix
- Step 6: Notify authority (if needed)
- Step 7: Notify individuals (if needed)
- Step 8: Document everything in breach register
- Step 9: Conduct post-incident review
8. Internal Breach Response Checklist
- Confirm a breach occurred
- Identify affected systems
- Identify affected personal data
- Identify number of data subjects
- Determine whether encryption or pseudonymisation was used
- Identify possible attacker(s) or cause
- Evaluate risks to individuals
- Decide if notification is required
- Draft and submit authority notice
- Draft and send individual notices
- Record all actions
- Implement remediation measures
9. Detailed Breakdown of Risk Factors
A. Type of Data Exposed
| Data Type | Risk Level | Notes |
|---|---|---|
| Financial (IBAN, credit card details) | High | Fraud and loss risk |
| Medical/health | High | Sensitive category data |
| Account credentials | High | Enables account takeover |
| Basic contact info | Low–Medium | Depends on context |
| Pseudonymised data | Low | Low risk unless re-identifiable |
B. Volume of Data
- Small breach (<50 records) → Medium risk
- Medium breach (50–5,000 records) → Medium–High risk
- Large breach (5,000+ records) → High risk
C. Nature of Individuals Affected
- Children
- Elderly
- Employees
- Customers
- Vulnerable persons
Risk increases significantly for children and vulnerable individuals.
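As an added illustration (not a tool from this page or any regulator) of how the section 5 matrix and the section 9 risk factors combine, the following Python encodes them as a decision function and computes the Article 33 deadline from the moment of awareness. The category labels, the treatment of basic contact data as low impact, and the sample scenarios are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Categories the page rates as high impact (sections 4 and 9A); the labels are ours.
HIGH_IMPACT_DATA = {"financial", "health", "credentials", "id_number",
                    "biometric", "children"}
LARGE_BREACH = 5000  # section 9B: 5,000+ records -> High risk

@dataclass
class Breach:
    data_types: set                # e.g. {"financial", "contact"}
    records: int
    encrypted: bool                # exposed data was strongly encrypted
    contained_before_access: bool  # contained before anyone could access it
    vulnerable_subjects: bool      # children / vulnerable persons affected
    aware_at: datetime             # moment the organisation became aware

def impact_level(b: Breach) -> str:
    """High if sensitive data, vulnerable people or a large volume is involved."""
    if b.data_types & HIGH_IMPACT_DATA or b.vulnerable_subjects or b.records >= LARGE_BREACH:
        return "High"
    return "Low"  # assumption: basic contact data alone is treated as low impact

def likelihood_level(b: Breach) -> str:
    """Low-risk indicators from section 4: strong encryption or containment before access."""
    return "Low" if (b.encrypted or b.contained_before_access) else "High"

# Section 5 matrix: (impact, likelihood) -> (rating, notify authority, notify individuals)
MATRIX = {
    ("High", "High"): ("Critical", True, True),
    ("High", "Low"): ("Medium", True, False),
    ("Low", "High"): ("Medium", "case-by-case", False),
    ("Low", "Low"): ("Low", False, False),
}

def assess(b: Breach) -> dict:
    """Apply the matrix; the 72-hour clock runs from awareness, weekends included."""
    rating, authority, individuals = MATRIX[(impact_level(b), likelihood_level(b))]
    # A provisional deadline is set whenever notification is required or still open
    deadline = b.aware_at + timedelta(hours=72) if authority else None
    return {"rating": rating, "notify_authority": authority,
            "notify_individuals": individuals, "authority_deadline": deadline}

# Constructed scenarios (not entries from the page's register); awareness on a Friday evening
AWARE = datetime(2025, 1, 10, 17, 30)
LOST_LAPTOP = Breach({"contact", "financial"}, 300, False, False, False, AWARE)
LOST_ENCRYPTED_LAPTOP = Breach({"contact", "financial"}, 300, True, False, False, AWARE)
INTERNAL_VIEW = Breach({"contact"}, 20, False, True, False, AWARE)
```

Running `assess(LOST_LAPTOP)` yields a Critical rating with a Monday 17:30 deadline, showing that the weekend does not pause the clock; the encrypted variant drops to Medium with authority notification only.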
10. Common Regulatory Penalties for Breach Mismanagement
- Up to €10 million or 2% of global annual turnover for failing to notify
- Up to €20 million or 4% of annual turnover for failing to implement appropriate security
- Mandatory audits
- Temporary processing suspensions
- Public reprimands
- Orders to notify affected individuals
11. Example Breach Register (Internal Use)
| Date | Incident Description | Data Types | Actions Taken | Reportable? |
|---|---|---|---|---|
| 12 Jan 2025 | Email with payroll list sent to wrong recipient | Salaries, names, addresses | Recall attempted, DPO consulted | Yes – both authority and individuals |
| 3 Mar 2025 | Employee accessed CRM data without authorisation | Emails, names | Account suspended, staff trained | No – low risk |
| 8 May 2025 | Ransomware incident on accounting server | Invoices, financials | Systems isolated, backups restored | Yes – authority only |
12. Templates
A. Notification to Supervisory Authority
Subject: Personal Data Breach Notification – [Organisation]

We report a personal data breach under Article 33 GDPR.

- Date/time detected:
- Method of detection:
- Nature of the breach:
- Categories of affected data:
- Approx. number of affected individuals:
- Likely consequences:
- Containment measures:
- Long-term mitigation:
- DPO/contact details:
B. Notification to Individuals
Subject: Important Notice About Your Personal Data

We are informing you of a data incident that may involve your personal information.

- What happened:
- What information was affected:
- Potential risks:
- Steps we recommend you take:
- Actions we have taken:
- Contact details for support:
13. How Organisations Can Prevent Future Breaches
- Full encryption of devices
- MFA for all accounts
- Patch management & updates
- Data minimisation
- Staff training
- Strong password policies
- Annual penetration testing
- Zero Trust architecture
- Regular audit of access rights
- Secure cloud configuration
14. Breach Simulation Exercise (Recommended Quarterly)
Use the following internal drill:
- Scenario: Employee loses laptop at airport
- Data involved: HR files + addresses
- Goal: Test escalation, investigation, containment, reporting
- Required outcomes: Correct risk rating + full documentation
15. Quick Reference Sheet
| Action | When | Responsible |
|---|---|---|
| Notify authority | Within 72 hours | DPO |
| Notify individuals | If high risk | DPO + Legal |
| Contain breach | Immediately | IT/Security |
| Document internally | Always | DPO |