
Data Breach

/ˈdeɪtə briːtʃ/

A data breach is a security incident where personal data is lost, accessed, disclosed, altered, or destroyed without authorisation.


What is a data breach?

A data breach is a security incident involving personal data. Under GDPR, it can include accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The incident does not need to involve a hacker. Sending payroll data to the wrong recipient, losing an unencrypted laptop, deleting customer records by mistake, or exposing a database through misconfigured permissions can all be data breaches.

For Irish companies, the key issue is speed and judgement. Once a business becomes aware of a personal data breach, it must assess the risk to affected individuals and decide whether the breach must be notified to the Data Protection Commission. In higher risk cases, affected individuals may also need to be informed.

Data breaches are not only legal events. They are operational, technical, communications, and trust events. A calm response depends on preparation before the incident happens. Companies that know where personal data is stored, who has access, and how to investigate incidents are in a much stronger position than teams improvising under pressure.

Examples of data breaches

A confidentiality breach happens when personal data is disclosed to someone who should not receive it. Examples include emailing customer information to the wrong address, sharing a spreadsheet with the wrong permissions, or allowing an employee to access records outside their role.

An availability breach happens when personal data is lost or unavailable when needed. This could include accidental deletion, ransomware, failed backups, or system outages that prevent access to records. Even a temporary loss of availability is a personal data breach; whether it must be notified depends on the risk it creates for the individuals concerned.

An integrity breach happens when personal data is altered without authorisation or by mistake. For example, incorrect changes to medical, payroll, identity, or account records can affect people even where the data has not been disclosed externally.

Where would I first see a data breach?

You will most likely encounter a data breach when a security incident is reported, a customer complains about exposed information, a supplier alerts you to an issue, or an employee realises personal data was sent to the wrong person.

What to do after a breach

The first step is containment. Stop the exposure, secure systems, revoke access, recover data if possible, and preserve evidence. Do not delete logs or make undocumented changes that make investigation harder. Assign clear ownership so that technical, legal, and communications workstreams move together.

Next, assess the breach. What data was involved? How many people are affected? Is the data sensitive? Was it encrypted, and is the key still secure? Who accessed it? Could it lead to identity theft, financial loss, discrimination, reputational harm, or distress? The answers determine whether notification is required and how urgent the response should be.

If the breach is notifiable, GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a later notification must explain the delay. If the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay, unless an exception applies (for example, the data was encrypted and the key was not compromised). That communication should say clearly what happened, what the company is doing, and what steps they should take.

Why breach preparation matters

A breach response plan saves time. The 72-hour window can pass quickly, especially if the incident is discovered late on a Friday or involves a third-party supplier. A plan should identify decision-makers, escalation channels, external advisers, evidence to capture, and draft communication templates.

Supplier management is equally important. Many startups rely on cloud tools, processors, and outsourced service providers. Contracts should require suppliers to notify incidents quickly and provide enough information for the company to meet its own obligations under data processing agreements.

Preparation also reduces harm. Data minimisation, access controls, encryption, backups, logging, and staff training can prevent incidents or limit their impact. These controls are practical examples of Privacy by Design.

Practical tips for founders

Create a simple breach response process before you need it. Make sure employees know how to report suspicious emails, lost devices, misdirected messages, and unusual system activity. A breach hidden for a week is much harder to manage than one escalated immediately.

Keep a breach register. Even breaches that are not notified should be recorded with the facts, risk assessment, decision, and remedial actions. This shows accountability if the regulator later asks how the company handled the incident.

Finally, run a tabletop exercise. Choose a realistic scenario, such as a lost laptop or exposed customer export, and walk through the response. This reveals gaps in ownership, access to logs, supplier contacts, and decision-making before a real incident occurs.
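The assess-then-notify steps above and the breach register in this paragraph fit naturally in one small tool. The following is an added example, not code from the original glossary page: it records each incident with the facts, a risk screening, the notification decision and remedial actions, and computes the 72-hour deadline from the moment of awareness. The risk thresholds, the list of sensitive categories, the reference numbers and the three scenarios are assumptions constructed for illustration; the real decision is a judgement on the facts, and the screening only mirrors the factors the page lists.

```python
"""Breach register with 72-hour deadline tracking and risk triage.

Added example, not code from the original page. Thresholds and the
sensitive-category list are assumptions; a real decision is a judgement
call on the facts of the incident.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

NOTIFICATION_WINDOW = timedelta(hours=72)  # "where feasible, within 72 hours" of awareness
SENSITIVE = {"health", "financial", "identity", "payroll", "credentials"}  # assumed list


class Risk(Enum):
    UNLIKELY = "unlikely"  # record in the register only
    RISK = "risk"          # notify the supervisory authority (the DPC in Ireland)
    HIGH = "high"          # also inform the affected individuals


@dataclass
class Breach:
    reference: str
    aware_at: datetime            # moment of awareness, timezone-aware; starts the clock
    kind: str                     # "confidentiality", "availability" or "integrity"
    data_categories: list[str]
    people_affected: int
    encrypted: bool               # data protected by encryption the company controls
    key_compromised: bool = False
    facts: str = ""
    remedial_actions: list[str] = field(default_factory=list)

    def notification_deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.notification_deadline() - now) / timedelta(hours=1)


def assess_risk(b: Breach) -> Risk:
    """Screen a breach against the factors the page lists (assumed thresholds)."""
    # Disclosed data that stays unreadable (encrypted, key not compromised) is unlikely
    # to harm anyone. Encryption does not help an availability or integrity breach.
    if b.kind == "confidentiality" and b.encrypted and not b.key_compromised:
        return Risk.UNLIKELY
    if b.people_affected <= 0:
        return Risk.UNLIKELY
    sensitive = bool(SENSITIVE & {c.lower() for c in b.data_categories})
    if sensitive or b.people_affected >= 1000:
        return Risk.HIGH
    return Risk.RISK


class BreachRegister:
    """Append-only record of every incident, whether or not it is notified."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, b: Breach, now: datetime) -> dict:
        risk = assess_risk(b)
        entry = {
            "reference": b.reference,
            "kind": b.kind,
            "aware_at": b.aware_at.isoformat(),
            "deadline": b.notification_deadline().isoformat(),
            "hours_remaining": round(b.hours_remaining(now), 1),
            "risk": risk.value,
            "notify_dpc": risk is not Risk.UNLIKELY,
            "notify_individuals": risk is Risk.HIGH,
            "facts": b.facts,
            "remedial_actions": list(b.remedial_actions),
        }
        self.entries.append(entry)
        return entry


def sample_entries() -> list[dict]:
    """Three constructed scenarios based on the page's own examples."""
    friday = datetime(2024, 3, 8, 17, 30, tzinfo=timezone.utc)  # late-Friday discovery
    now = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)       # Saturday morning review
    reg = BreachRegister()
    reg.record(Breach("BR-001", friday, "confidentiality", ["payroll"], 40, encrypted=False,
                      facts="Payroll file emailed to the wrong recipient",
                      remedial_actions=["recall requested", "recipient confirmed deletion"]), now)
    reg.record(Breach("BR-002", friday, "confidentiality", ["customer contact"], 300, encrypted=True,
                      facts="Laptop with full-disk encryption lost; disk key not exposed"), now)
    reg.record(Breach("BR-003", friday, "availability", ["customer contact"], 5000, encrypted=True,
                      facts="Ransomware on the CRM host; backups failed to restore"), now)
    return reg.entries


if __name__ == "__main__":
    for e in sample_entries():
        print(e["reference"], e["risk"], "notify DPC:", e["notify_dpc"], "deadline:", e["deadline"])
```

Note that the encrypted-laptop case is recorded but flagged as unlikely to need notification, while the ransomware case is flagged high even though the data was encrypted at rest, because encryption does nothing for an availability breach. The deadline for a Friday 17:30 discovery lands on Monday 17:30, which is why the plan needs a weekend escalation path.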
