Is a misdirected email a data breach?

Yes, if the email contains personal data that reaches the wrong person. This is one of the most common data breaches for SMEs.

What if I miss the 72-hour deadline?

Report it anyway as soon as possible and explain why the notification was delayed. A late notification with explanation is always better than no notification.

Must I report every data breach to the supervisory authority?

No, only if it likely poses a risk to the rights and freedoms of data subjects. A lost USB with encrypted data may not need reporting. A leaked customer list with names and email addresses does.

What are the consequences of not reporting a breach?

The supervisory authority can impose a fine of up to 10 million euros or 2% of annual turnover. Furthermore, you lose customer trust if the breach later comes to light.

Data Breach - What to Do? Step-by-Step Guide

A data breach can happen to any business, from a misdirected email to a hacking attack. This article explains what a data breach is, when you must report it, and what steps to follow.

What is a data breach?

A data breach (or “personal data breach”) is any security incident that leads to:

Destruction of personal data (e.g. ransomware encrypting your database)
Loss of personal data (e.g. a stolen laptop, a misplaced USB stick)
Alteration of personal data (e.g. a hacker modifying customer records)
Unauthorised disclosure or access (e.g. a misdirected email, a hack of your CRM)

It doesn’t have to be a spectacular hacking attack. The most common data breaches for SMEs are everyday events:

An employee sends a customer list to the wrong email address
A laptop with unencrypted personnel files is stolen from a car
A former employee retains access to the CRM after leaving
Customer data is shared in a WhatsApp group with employees
A phishing email leads to leaked login credentials

The three steps for a data breach

Step 1: Assess the risk

Not every breach needs to be reported. The crucial question is: does this breach likely pose a risk to the rights and freedoms of the data subjects?

Probably MUST report:

Leaked financial data, medical records, national ID numbers
Leaked login credentials (passwords, accounts)
Personal data of vulnerable groups (children, patients)
Large numbers of data subjects
Data that could be used for identity fraud

Probably NOT required to report:

Lost USB stick with fully encrypted data (the data is unreadable)
Brief unauthorised access where no data was copied or modified
Internal breach that was immediately resolved with no external consequences

In doubt? Report it. An unnecessary notification has no consequences; a missed one can result in a fine.

Step 2: Report to the supervisory authority (within 72 hours)

If you decide to report, you have a maximum of 72 hours after discovery. Not after the incident itself, but after the moment you discover it. If you need more information, you can report in phases: initial notification within 72 hours, supplementary information later.

Where to report:

Country	Authority	How
Belgium	Data Protection Authority (GBA)	Online form at gegevensbeschermingsautoriteit.be
Netherlands	Data Protection Authority (AP)	Breach reporting desk at autoriteitpersoonsgegevens.nl
Germany	BfDI / State authority	Varies per state
France	CNIL	Online form at cnil.fr
UK	ICO	Online form at ico.org.uk

description

Template: Data Breach Notification

A notification form with all mandatory fields, plus a template for notifying data subjects.

View the template arrow_forward

Step 3: Inform data subjects (for high risk)

If the breach poses a high risk, you must also inform the data subjects themselves. Tell them:

What happened
Which data was involved
What you have done to resolve it
What they can do themselves (change password, be alert to phishing)

The breach register

Every data breach, even if you don’t report it to the supervisory authority, must be recorded in a breach register. The authority can request this register at any time.

Per incident, document:

Date of discovery and date of incident
Description of what happened
Which data and how many data subjects were affected
Consequences and measures taken
Whether you reported it to the authority (and if not, why not)
Whether you informed data subjects (and if not, why not)

Common mistakes

“It was just an email” - a misdirected email with personal data is also a data breach
Prioritising internal investigation over reporting - start the notification within 72 hours, you can supplement with investigation results later
Not informing data subjects at high risk - this is a separate obligation
Not keeping a breach register - even unreported breaches must be documented
Treating WhatsApp groups as secure - sharing customer data in a WhatsApp group with employees is risky

Prevention is better than reporting

The best breach procedure is one you rarely need to use:

Encrypt laptops, USB sticks, and mobile devices
Limit access to personal data based on necessity
Use strong passwords and 2FA for all systems with personal data
Train your employees - most breaches arise from human error
Remove accounts of departing employees immediately
Don’t use WhatsApp for sharing customer or personnel data

auto_awesome Do you know what data you process?

GDPRWise automatically maps which personal data you collect and with whom you share it. So in case of a breach, you know exactly what's affected.

Start your free scan

Data Breach: What Is It and What Should You Do?