Irish companies, startups, and SMEs handling personal data under GDPR, especially those reporting to the DPC.
They'll learn precise notification timelines, what to report, response processes, documentation, and proactive steps to avoid enforcement like fines and reputational damage.
Key Takeaways
- Notify the DPC within 72 hours of becoming aware of a breach that poses a risk to individuals; in 2024 the DPC received 7,781 notifications, about 50% of them from correspondence sent to the wrong recipient.
- Breaches include non-cyber incidents like wrong emails or lost devices; no malicious intent required.
- Maintain breach register for all incidents, documenting facts, effects, actions.
- Build response plan with team roles, containment, assessment; train and test regularly.
- Late notifications risk fines and reprimands: for example, a €40,000 fine for a university and a €251 million fine for Meta, both involving Article 33 failures.

A data breach can happen to any business, for example, a misdirected email, a lost laptop, a ransomware attack, or an employee accessing records they should not see. Under GDPR, when a personal data breach occurs, Irish companies must notify the Data Protection Commission within 72 hours if the breach poses a risk to individuals. As outlined in their annual report, in 2024, the DPC received 7,781 valid breach notifications, an 11% increase on the previous year. Approximately 50% of those notifications stemmed from correspondence being sent to the wrong recipient.
The consequences of failing to report are serious. The DPC has imposed fines and reprimands specifically for failures to notify breaches on time. This guide explains what counts as a breach, when and how to report it, and how to build a response process before you need one.
What counts as a personal data breach under GDPR?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This definition covers three types of breach:
- Confidentiality breach: Unauthorised or accidental disclosure of, or access to, personal data. Example: sending a client's financial details to the wrong email address, or an employee accessing customer records without authorisation.
- Integrity breach: Unauthorised or accidental alteration of personal data. Example: a database corruption that changes customer records, or an attacker modifying stored data.
- Availability breach: Unauthorised or accidental loss of access to, or destruction of, personal data. Example: a ransomware attack that encrypts your customer database, or permanent loss of data due to a failed backup.
Breaches are not limited to cyberattacks. The DPC's breach statistics show that the most common breaches are mundane, such as emails sent to the wrong person, documents posted to the wrong address, lost USB drives, and misfiled paper records. If personal data is exposed, altered, or lost in a way that was not intended, it is a breach regardless of the cause.
In our experience, a breach does not have to involve malicious intent. An employee accidentally emailing a spreadsheet of customer names to the wrong recipient is a breach. A filing cabinet left unlocked overnight in an unsecured area is a potential breach. The question is not whether someone intended harm, but whether personal data security was compromised.
When must you notify the DPC?
Under Article 33 of the GDPR, you must notify the DPC of a personal data breach unless it is "unlikely to result in a risk to the rights and freedoms of natural persons." In practice, this means most breaches need to be reported. The threshold is low: if there is any reasonable possibility that the breach could negatively affect someone, you should notify.
The notification must be made within 72 hours of becoming aware of the breach. The clock starts when you have a reasonable degree of certainty that a breach has occurred, not when the investigation is complete. If you cannot provide all the required information within 72 hours, you may provide it in phases, but it is important to be aware that the initial notification must be made on time.
What the notification must include
Your notification to the DPC must contain, at a minimum:
- The nature of the breach: What happened, including the categories and approximate number of individuals affected, and the categories and approximate number of personal data records concerned
- Contact details: The name and contact details of your Data Protection Officer (if you have one) or another contact point where the DPC can get more information
- Likely consequences: A description of the likely consequences of the breach for the affected individuals
- Measures taken: The measures you have taken or propose to take to address the breach, including measures to mitigate its possible adverse effects
The DPC provides an online breach notification form on its website. We recommend that you use it, as it guides you through the required information and ensures nothing is missed.
What happens if you miss the 72-hour deadline?
If your notification is late, you must provide reasons for the delay alongside the notification. You should be aware that the DPC takes timeliness seriously. In its 2024 annual report, it noted that 81% of breach notifications received were concluded by year-end, suggesting efficient processing of timely reports. Late notifications attract additional scrutiny and may result in separate enforcement action for the notification failure itself, independent of any action related to the underlying breach. A university received a €40,000 fine together with a reprimand covering Articles 5(1)(f), 32(1), and 33(1), that is, security measures and breach reporting.
Meta was fined €251 million by the DPC in December 2024 for multiple infringements, including failures in breach notification under Articles 33(3) and 33(5). These are not edge cases; they are the DPC's standard approach.
Author's tip: Do not wait until you have all the answers before notifying. The GDPR allows phased notification. Report what you know within 72 hours and supplement with additional details as your investigation progresses. A prompt but incomplete notification is always better than a late but comprehensive one.
When must you notify affected individuals?
Under Article 34 of the GDPR, you must communicate a breach directly to affected individuals when it is "likely to result in a high risk to the rights and freedoms" of those individuals. This is a higher threshold than the DPC notification requirement.
High risk typically applies when the breach could lead to:
- Identity theft or fraud
- Financial loss
- Damage to reputation
- Loss of confidentiality of data protected by professional secrecy
- Discrimination or social disadvantage
- Any other significant economic or social disadvantage
Your notification to individuals must include:
- A clear description of what happened, in plain language
- The name and contact details of your DPO or other contact point
- The likely consequences of the breach
- The measures you have taken or propose to take, including what individuals can do to protect themselves
You do not need to notify individuals if:
- You have applied appropriate technical measures (such as encryption) that render the data unintelligible to unauthorised persons
- You have taken subsequent measures that ensure the high risk is no longer likely to materialise
- Individual notification would involve disproportionate effort, in which case you must make a public communication or similar measure that informs individuals equally effectively
For guidance on managing your vendor's breach notification obligations to you, see our vendor data compliance guide.
What should your internal breach response procedure look like?
Every Irish business should have a breach response plan in place before a breach occurs. Scrambling to create a process during an active incident leads to missed deadlines, incomplete notifications, and poor decisions.
Assemble a breach response team
Designate who is involved when a breach is detected:
- Incident lead: The person who coordinates the response (often the DPO or a senior manager)
- IT/Security: To contain the breach, preserve evidence, and assess technical impact
- Legal: To advise on notification obligations and legal exposure
- Communications: To manage internal and external messaging if needed
- Senior management: To make decisions about notification, remediation, and resource allocation
For small businesses, these roles may overlap. The key is that everyone knows their responsibilities before an incident occurs.
Containment and assessment
When a breach is detected, you should undertake the following actions:
- Contain immediately: Stop the breach from getting worse. This might mean disabling a compromised account, isolating an affected system, or recalling a misdirected email.
- Preserve evidence: Do not delete logs, emails, or other evidence that may be needed for investigation or DPC inquiry.
- Assess the scope: Determine what data was affected, how many individuals are involved, what categories of data are compromised, and whether the data has been recovered or is still exposed.
- Assess the risk: Evaluate the likely impact on affected individuals. Consider the sensitivity of the data, the number of people affected, and whether the data could be used to cause harm.
Document from the start
Begin documenting the breach the moment it is detected. Record the following:
- When the breach was discovered and by whom
- What happened (the facts as understood at each stage)
- What data was affected
- Who was affected
- What containment and remediation steps were taken
- All communications related to the breach
This documentation serves multiple purposes: it supports your DPC notification, demonstrates accountability under GDPR, and provides the factual record for your breach register.
Engage external advisors when needed
For significant breaches, such as those involving sensitive data, large numbers of individuals, or potential criminal activity, consider engaging external legal counsel, forensic IT specialists, and communications advisors. The cost of expert support during a breach is far less than the cost of a poorly managed response.
How do you maintain a breach register?
Article 33(5) of the GDPR requires you to document all personal data breaches, not just those you report to the DPC. This includes the facts relating to the breach, its effects, and the remedial action taken. The documentation must enable the DPC to verify your compliance.
Your breach register should record:
- Date and time of the breach (and when you became aware)
- Nature of the breach (confidentiality, integrity, availability)
- Description of what happened
- Categories and approximate number of individuals affected
- Categories and approximate number of data records affected
- Likely consequences for affected individuals
- Measures taken to contain and remediate the breach
- Whether the DPC was notified (and if not, the reasoning for why notification was not required)
- Whether affected individuals were notified
- Outcome and lessons learned
Even breaches that do not meet the notification threshold must be recorded. If the DPC audits your organisation, the breach register is one of the first documents they will ask for. A complete, well-maintained register demonstrates that you take breach management seriously and have a functioning process.
Your records of processing activities should complement your breach register by mapping the data and processing activities affected.
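The register fields above, the 72-hour clock from the moment of awareness, the Article 33(3) minimum contents (which may be supplied in phases), and the Article 34 exemptions can all be captured in a small internal tracker. The following is an added illustration, not Open Forest's template or a DPC form: the field names, the way the risk levels and exemptions are encoded, and the two sample entries are all assumptions constructed for this example.

```python
"""Minimal breach register with the Article 33/34 decision logic.
Illustrative only: field names and rule encoding are assumptions made for
this example, not a DPC form or an Open Forest template."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

DPC_WINDOW = timedelta(hours=72)  # Article 33(1): 72 hours from awareness


def utc_time(y, mo, d, h=0, mi=0) -> datetime:
    """Timezone-aware timestamp helper; the clock must not be ambiguous."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


class Risk(Enum):
    UNLIKELY = "unlikely"  # record only; DPC notification not required
    RISK = "risk"          # notify the DPC (Article 33)
    HIGH = "high"          # also notify individuals (Article 34)


@dataclass
class BreachRecord:
    reference: str
    discovered_at: datetime          # moment of awareness: starts the clock
    breach_type: BreachType
    description: str
    risk: Risk
    individuals_affected: int = 0
    records_affected: int = 0
    data_categories: List[str] = field(default_factory=list)
    likely_consequences: str = ""
    measures_taken: str = ""
    contact_point: str = ""
    data_unintelligible: bool = False    # e.g. encrypted, Article 34(3)(a)
    risk_no_longer_likely: bool = False  # subsequent measures, Article 34(3)(b)
    dpc_notified_at: Optional[datetime] = None
    dpc_not_notified_reason: str = ""
    individuals_notified_at: Optional[datetime] = None
    timeline: list = field(default_factory=list)  # dated (when, what) entries

    def log(self, when: datetime, what: str) -> None:
        self.timeline.append((when, what))

    def dpc_deadline(self) -> datetime:
        return self.discovered_at + DPC_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.dpc_deadline() - now) / timedelta(hours=1)

    def must_notify_dpc(self) -> bool:
        # Article 33: notify unless unlikely to result in a risk
        return self.risk is not Risk.UNLIKELY

    def must_notify_individuals(self) -> bool:
        # Article 34: high risk, unless a 34(3) exemption applies
        if self.risk is not Risk.HIGH:
            return False
        return not (self.data_unintelligible or self.risk_no_longer_likely)

    def missing_dpc_fields(self) -> List[str]:
        """Article 33(3) minimum content not yet in the record. A phased
        notification may go out with gaps, but they must be closed later."""
        checks = {
            "nature/description": bool(self.description),
            "individuals affected": self.individuals_affected > 0,
            "records affected": self.records_affected > 0,
            "data categories": bool(self.data_categories),
            "contact point": bool(self.contact_point),
            "likely consequences": bool(self.likely_consequences),
            "measures taken": bool(self.measures_taken),
        }
        return [name for name, ok in checks.items() if not ok]

    def dpc_notification_late(self) -> Optional[bool]:
        if self.dpc_notified_at is None:
            return None
        return self.dpc_notified_at > self.dpc_deadline()

    def dpc_status(self, now: datetime) -> str:
        if not self.must_notify_dpc():  # still must record the reasoning
            return "not required" if self.dpc_not_notified_reason else "reason missing"
        if self.dpc_notified_at is not None:
            return "late" if self.dpc_notification_late() else "notified"
        return "overdue" if now > self.dpc_deadline() else "pending"


def open_dpc_items(register: List[BreachRecord], now: datetime) -> List[BreachRecord]:
    """Unnotified Article 33 items, most urgent deadline first."""
    items = [r for r in register if r.dpc_status(now) in ("pending", "overdue")]
    return sorted(items, key=lambda r: r.dpc_deadline())


def sample_register() -> List[BreachRecord]:
    """Two constructed entries (not real incidents) for demonstration."""
    misdirected = BreachRecord(
        "BR-2025-001", utc_time(2025, 3, 3, 9, 0), BreachType.CONFIDENTIALITY,
        "Spreadsheet of customer names emailed to the wrong recipient", Risk.RISK,
        individuals_affected=120, records_affected=120,
        data_categories=["name", "email"], contact_point="dpo@example.test")
    misdirected.log(misdirected.discovered_at, "Reported by sender; recall requested")
    lost_laptop = BreachRecord(
        "BR-2025-002", utc_time(2025, 3, 5, 17, 30), BreachType.AVAILABILITY,
        "Laptop lost in transit; full-disk encryption enabled", Risk.HIGH,
        individuals_affected=400, records_affected=400,
        data_categories=["name", "address", "bank account"],
        data_unintelligible=True, contact_point="dpo@example.test",
        likely_consequences="None expected: disk encrypted, key not exposed",
        measures_taken="Remote wipe issued; loss reported to the Gardaí")
    return [misdirected, lost_laptop]
```

In practice the tracker would be run against the live register on a schedule so that anything "pending" with few hours remaining, or anything "reason missing", is raised to the incident lead; the point of `missing_dpc_fields` is to make the initial, possibly incomplete, notification go out on time while keeping a visible list of what still has to be supplied.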
What are the consequences of getting breach notification wrong?
The DPC has broad enforcement powers and has demonstrated willingness to use them:
- Administrative fines: The DPC can impose fines of up to €10 million or 2% of global turnover for breach notification failures (Article 83(4)). For the underlying security failure, fines can reach €20 million or 4% of turnover.
- Reprimands and compliance orders: The DPC frequently issues reprimands alongside fines, requiring organisations to bring their processing into compliance within a specified timeframe.
- Reputational damage: Breach notifications become public through DPC annual reports and media coverage. The DPC's 2024 report named specific organisations and the nature of their failures.
- Civil liability: Under Article 82, individuals affected by a breach can claim compensation for material and non-material damage. Irish courts have demonstrated willingness to award damages for data protection failures.
Ireland's DPC remains Europe's largest data enforcer by a significant margin. As of January 2026, the DPC has issued €4.04 billion in fines since May 2018, with eight of the top ten GDPR fines ever issued coming from the Irish authority. While the largest fines target multinational technology companies, the DPC also pursues enforcement against smaller organisations.
For a broader overview of your data protection obligations, see our GDPR compliance guide for startups.
What practical steps should you take now?
Do not wait for a breach to happen before building your response capability. Here is what to do now:
Create a breach response plan
Write a simple, clear document that covers:
- Who to contact when a breach is suspected (names, phone numbers, email addresses)
- The steps for containment, assessment, and documentation
- The decision-making process for DPC notification
- The process for notifying affected individuals
- Templates for breach register entries and notification communications
Train staff to recognise and report incidents
Every employee should know what a data breach looks like and what to do when they spot one. Training should cover:
- Common breach scenarios (misdirected emails, lost devices, suspicious access)
- The importance of reporting immediately, even if unsure
- Who to report to and how
- That there is no penalty for reporting a potential breach that turns out not to be one
Test your response with tabletop exercises
Run a simulated breach scenario at least once a year. Walk through the response plan with your team, identify gaps, and refine the process. This is far more effective than reading a document and hoping it works when needed.
Review your data processing agreements
Your data processing agreements with processors should include clear breach notification obligations. Under Article 33(2), processors must notify you of a breach "without undue delay"; your DPA should define what this means in practice and set a specific timeframe (e.g., 24 hours).
Review your insurance coverage
Cyber insurance can cover the costs of breach response, including forensic investigation, legal advice, notification costs, and liability. Review your current coverage to ensure it is adequate for the data you hold and the risks you face.
Need help building your breach response capability?
Open Forest helps Irish startups get their legal and compliance foundations right, from company formation to GDPR readiness. We handle the complexity so you can focus on building your product.
Get started with Open Forest

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.