
Data Breach

Navigate the complexities of data breach reporting and compliance with the GDPR. Learn the steps for responsible data management and the consequences of non-compliance.

The Critical Nature of Data Breach Reporting in the GDPR Era

A data breach, as defined under the General Data Protection Regulation (GDPR), is a security incident that results in the unauthorized access, loss, or disclosure of personal data. The GDPR, which has been in full force since May 2018, requires organizations within the EU to adhere to strict data protection standards, including mandatory reporting of certain types of data breaches.

What Constitutes a Data Breach?

A breach can take many forms, such as a lost or stolen laptop, an email sent to the wrong recipient, or unauthorized access due to insufficient security measures. Even when it is not certain whether personal data was actually accessed or compromised, organizations must err on the side of caution and treat an incident in which personal data may have been exposed as a breach.

The Obligation to Report Data Breaches

Since January 1, 2016, the Netherlands has mandated that organizations report data breaches to the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority. Under the GDPR, this obligation extends to all EU member states, requiring prompt notification within 72 hours of becoming aware of the breach.

Communicating Data Breaches to Affected Parties

Beyond notifying the supervisory authority, organizations must also inform affected individuals, particularly when the breach poses a high risk to their rights and freedoms, such as potential identity theft or discrimination.

Penalties for Failing to Report Data Breaches

Non-compliance with data breach notification requirements can result in severe penalties under the GDPR. Fines can reach up to €10 million or 2% of the company's annual global turnover, whichever is higher. Additional enforcement actions may include orders to notify affected individuals or cease data processing activities.


1. What is a data breach under the GDPR?

A data breach is an incident where personal data is lost, accessed, or disclosed without authorization, posing potential harm to individuals' privacy and rights.

2. When are organizations required to report a data breach?

Organizations must report a data breach to the relevant data protection authority within 72 hours of discovery, especially if it poses a serious risk to personal data protection.

3. What are the consequences of not reporting a data breach?

Failing to report a data breach can result in heavy fines under the GDPR, up to €10 million or 2% of the worldwide annual revenue, along with other regulatory actions.

4. Do organizations need to inform individuals about a data breach?

Yes, if the breach is likely to result in a high risk to the rights and freedoms of individuals, the organization must inform those affected without undue delay.

5. How can organizations prepare for potential data breaches?

Organizations can prepare by implementing strong data security measures, establishing clear data breach response protocols, and providing GDPR training to their employees.