Founders, senior operators, and teams at small companies handling personal data under GDPR, particularly without in-house legal or security experts.
They'll learn precise steps to contain, assess, notify, and document breaches in the critical first 72 hours, thresholds for DPC and individual notifications, and how to avoid enforcement actions.
Key Takeaways
- Contain the breach first: isolate systems, wipe devices, reset credentials, act on known info immediately.
- Assess severity: data type (e.g., special category higher risk), number affected, misuse likelihood, recovery status.
- Notify DPC within 72 hours if risk to individuals; prefer over-notification, use dataprotection.ie portal.
- Notify individuals directly if high risk; clear language on breach, impacts, self-protection, your response.
- Document all breaches internally: facts, effects, actions; essential for DPC compliance and defense.

What Counts as a Personal Data Breach?
Most founders picture a breach as a sophisticated cyberattack: hackers accessing a database, ransomware locking down systems, a coordinated intrusion by an external party. Those are breaches, but they represent only one category of a much broader definition.
Under Article 4(12) of the GDPR, a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Note that the definition covers accidents as well as attacks, and loss of availability as well as loss of confidentiality.
In practice, that covers a wide range of everyday incidents, including:
- A laptop or phone containing personal data that is lost or stolen
- An email containing personal data sent to the wrong recipient
- A document containing personal data uploaded to the wrong shared folder
- An employee accessing personal data they have no authorisation to view
- A third-party supplier suffering a breach that affects your data
- A ransomware or phishing attack that results in unauthorised access to personal data
- Personal data accidentally deleted without a backup
The common thread is that personal data has been exposed to or accessed by someone who should not have it, has been altered when it should not have been, or is no longer available when it should be. Whether the cause was malicious or a mistake does not change whether it is a breach.
Step 1: Contain the Breach Immediately
Before you assess anything, your first priority is to stop the breach from getting worse.
Containment will look different depending on the nature of the incident, but the immediate questions are:
- Can access to the affected system be revoked or the system isolated?
- Can the misdirected email be recalled, or can the recipient be contacted to confirm deletion?
- Has the lost device been remotely wiped, or can it be?
- Have compromised credentials been reset or accounts suspended?
Containment does not need to wait for a full understanding of what happened: act on what you know, then investigate. Every hour of delay in containment is an hour in which the exposure may be widening. Contain without destroying the evidence you will need in the next step: export or snapshot logs, access records, and mailbox or audit trails before you reimage a machine or rotate a shared account, because the assessment of who accessed what depends on them.
Assign a named person to manage the response from this point. In a small company, that will likely be a founder or senior operator. The important thing is that one person is coordinating the response and keeping a contemporaneous, timestamped record of when the breach was discovered, what was decided, and what was done; the 72-hour clock in Step 3 runs from that discovery time, so record it precisely.
Step 2: Assess the Breach
Once containment is underway, the next step is to understand what actually happened, what data was affected, and who is at risk.
Your assessment should address:
What type of data was involved? The severity of a breach depends heavily on the category of data affected. Basic contact information carries a different risk from financial data, health information, or data about children. Special category data under Article 9, which includes health, genetic and biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation, carries higher risk, as does data about criminal convictions and offences under Article 10. A breach involving any of these is far more likely to meet the thresholds for notifying the DPC and for notifying the individuals concerned.
How many individuals are affected? A breach affecting one person's data is assessed differently to one affecting thousands of records.
How likely is the data to be misused? A laptop stolen from a car in a smash-and-grab theft, where the device is encrypted, carries significantly lower risk than an unencrypted device stolen in circumstances suggesting targeted theft. Encryption only lowers the risk if it was actually in force: the disk was fully encrypted, the device was locked or powered off at the time of loss, and the passcode or recovery key was not stored with it. Check those facts rather than assuming them.
Has the data been recovered or confirmed deleted? A misdirected email where the recipient has confirmed deletion and provided written confirmation is a lower-risk incident than one where no response has been received.
Document your assessment as you go, including the evidence you relied on and the conclusions you reached. This record is your primary defence if the DPC ever questions how you handled the incident.
Step 3: Decide Whether to Notify the DPC
Under Article 33 of the GDPR, you must notify the Data Protection Commission of a breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. You are "aware" once you have a reasonable degree of certainty that a security incident has compromised personal data, which may be earlier than the moment you understand its full extent. If you notify later than 72 hours, the notification must be accompanied by the reasons for the delay.
That last qualifier matters. Not every breach requires notification, only those that carry a risk to individuals. The question is not whether something went wrong, but whether the breach is likely to cause harm.
Breaches that are unlikely to require DPC notification include:
- An email sent to the wrong internal recipient containing non-sensitive data, where the recipient promptly deleted it and confirmed deletion
- A device lost in circumstances where it was encrypted, password-protected, and remote wipe was activated before any likely access
Breaches that are likely to require DPC notification include:
- Any breach involving special category data
- Unauthorised access to financial, medical, or identity information
- A breach affecting a significant number of individuals
- A breach where the affected data could enable identity theft, fraud, or direct harm to individuals
- A ransomware attack where the attacker has access to personal data
When in doubt, the safer approach is to notify. The DPC has been clear that over-notification is preferable to under-notification, and notifying a breach that turns out to be low-risk carries no penalty, whereas failing to notify a breach that should have been reported is itself a GDPR violation.
Notification to the DPC is made through the DPC's online breach notification portal, which is available on their website at dataprotection.ie.
Step 4: Decide Whether to Notify Affected Individuals
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, a higher threshold than the one for DPC notification, Article 34 of the GDPR requires you to also notify the affected individuals directly, without undue delay.
High risk indicators include breaches that could enable identity theft or financial fraud, breaches involving special category data, breaches that could damage reputation or relationships, or breaches involving vulnerable individuals.
The notification to individuals must:
- Describe the nature of the breach in clear and plain language
- Provide the name and contact details of the data protection officer or other contact point from whom more information can be obtained
- Describe the likely consequences of the breach
- Describe the steps the individual can take to protect themselves
- Describe the measures the company has taken or is taking in response
Article 34(3) sets out three situations in which individual notification is not required: where the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it; where you have since taken measures that mean the high risk is no longer likely to materialise; or where individual notification would involve disproportionate effort, in which case a public communication or similar measure that informs people equally effectively is permitted instead. The last exemption is rarely appropriate for a small company whose affected individuals are identifiable and contactable. The encryption exemption depends on the key not having been compromised along with the data, so record the basis for relying on it.
Step 5: Document Everything
Every personal data breach must be documented internally, regardless of whether it requires notification to the DPC or to individuals.
Article 33(5) requires controllers to maintain a record of all personal data breaches, including those that do not meet the notification threshold. That record must contain:
- The facts relating to the breach: what happened, when, how, and how it was discovered
- Its effects: what data was affected, how many individuals, and the likely consequences
- The remedial actions taken: what was done to contain it, what was done to prevent recurrence
This documentation serves two purposes. First, it demonstrates to the DPC that you have a functioning breach response process, which is itself an organisational security measure required under Article 32. Second, it gives you a clear record to refer back to if the incident gives rise to a claim or investigation later.
What Happens If You Miss the 72-Hour Window?
Missing the notification deadline without a valid reason is itself a breach of Article 33 and can be the subject of enforcement action by the DPC, independent of the underlying breach.
The DPC's enforcement powers under Article 58 include issuing reprimands, imposing temporary or permanent bans on processing, and levying administrative fines. Infringements of Article 33 fall within the lower fining tier in Article 83(4), up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
In practice, the DPC takes a more proportionate approach with small companies acting in good faith, particularly where a delayed notification is accompanied by a clear explanation of the timeline and a thorough account of the response taken. What the DPC responds to badly is non-notification, inadequate documentation, and evidence that the breach was not taken seriously.
If the 72-hour deadline is approaching and your investigation is not yet complete, submit an initial notification with what you know and follow up as more becomes clear. Article 33(4) expressly allows the information to be provided in phases without undue further delay; do not wait until you have the full picture.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.