GDPR data breach notification: when are you required to report?

Who this guide is for

This guide is for freelancers, healthcare providers, small organisations, and anyone who may have to decide quickly whether a data incident triggers GDPR notification duties.

It fits especially:

  • people handling personal data in a professional role
  • readers who need a practical first decision path after an incident
  • organisations without an in-house privacy or compliance team on standby

What you gain, and what it costs

If you use this guide properly, you gain:

  • a quicker first assessment of whether an incident is likely reportable
  • a better sense of when the 72-hour clock matters
  • a more structured response before guesswork turns into delay

What it costs:

  • time under pressure
  • the discipline to document facts instead of reacting purely on instinct
  • accepting that this guide helps you classify the incident, but does not replace legal advice in borderline or high-stakes cases

When this is overkill

If the incident clearly does not involve personal data, you do not need a full GDPR breach-notification analysis.

If the breach is large, regulated, cross-border, or likely to cause serious harm, treat this guide as a first pass, not the final word, and escalate to legal or specialist advice immediately.

An incident has occurred. Your laptop was stolen, an email was sent to the wrong person, or your system was compromised. Do you need to report it?

The GDPR requires organisations to report data breaches under certain conditions — to your national supervisory authority and sometimes to the affected individuals as well. The deadline is 72 hours from discovery. The question is: when does a breach trigger the notification obligation?


What is a data breach?

A data breach is any security incident resulting in the accidental or unlawful loss or alteration of personal data, or in unauthorised disclosure of, or access to, that data.

Examples that qualify as a data breach:

  • Stolen laptop containing unencrypted personal data
  • Email with medical information sent to the wrong recipient
  • Ransomware attack that encrypts files (even if data was not exfiltrated)
  • USB drive with patient records that has gone missing
  • Intrusion into a system where customer data was accessed
  • Employee accidentally sharing a file publicly

Not a data breach:

  • Incident involving no personal data
  • Data that was already publicly available
  • File sent internally to the wrong colleague (same organisation, same access level)

The decision tree

Step 1: Does it involve personal data?

No → Not a data breach under GDPR. No notification obligation.

Yes → Continue to step 2.


Step 2: What exactly happened?

Situation → Classification

  • Data was lost or destroyed (unrecoverable) → Data breach
  • Data was altered without authorisation → Data breach
  • Data was accessed by unauthorised parties → Data breach
  • Data was shared with the wrong recipient → Data breach
  • Data was temporarily unavailable (system down) but intact → Not a data breach

Step 3: Is there a risk to the individuals affected?

Not every breach must be reported. The threshold is: does the breach pose a risk to the rights and freedoms of the individuals affected?

Always report (high risk):

  • Special categories of data: health, national ID numbers, financial data, criminal records, religion, sexual orientation
  • Data relating to vulnerable groups: children, patients
  • Large numbers of affected individuals
  • Data that enables identity fraud
  • Unencrypted data on a stolen device

May need to report (assess case by case):

  • Small number of individuals, no special category data
  • Wrong recipient who did not view the data or has already deleted it
  • Name + generic email address (low sensitivity)

No notification required:

  • Encrypted device lost (key not accessible to third parties)
  • Name + business phone number, no further context
  • Incident resolved internally with no risk to individuals

Rule of thumb: When in doubt, report. Supervisory authorities do not impose sanctions for good-faith reports of borderline cases.


Step 4: What is your role in this processing?

Data controller (you decide why and how the data is used):

  → Notify your supervisory authority within 72 hours
  → Assess whether you must also notify the affected individuals (mandatory if high risk)

Data processor (you process data on behalf of another organisation):

  → Notify the data controller as soon as possible — they are responsible for the 72-hour report to the supervisory authority
  → Do not report directly to the supervisory authority yourself (unless your data processing agreement requires it)


The 72-hour deadline

The clock starts at the moment of discovery, not at the moment the incident occurred. If a breach happened on Monday but you discover it on Friday, the 72 hours begin on Friday.

The notification does not need to be complete at the time of filing — you can submit an initial report and supplement it later.

Where to report: Your national supervisory authority’s breach notification portal. Examples: ICO (UK), AP (Netherlands), BfDI (Germany), CNIL (France), DPC (Ireland).
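As an added example that is not part of the original guide, the four decision-tree steps and the 72-hour clock encoded as a small Python triage helper. The field names, the risk labels, the 1000-individual threshold for "large numbers", and the sample discovery time are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

LARGE_SCALE = 1000  # assumed threshold for "large numbers"; the guide gives no figure
# Constructed sample discovery time: the clock starts at discovery, not at the incident.
SAMPLE_DISCOVERY = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

@dataclass
class Incident:
    discovered_at: datetime
    involves_personal_data: bool            # step 1
    availability_only: bool = False         # step 2: system down, data intact
    encrypted_key_safe: bool = False        # step 3: encrypted, key not exposed
    special_category: bool = False          # step 3: health, criminal records, ...
    vulnerable_subjects: bool = False       # step 3: children, patients
    enables_identity_fraud: bool = False    # step 3
    affected_count: int = 0                 # step 3
    role: str = "controller"                # step 4: "controller" or "processor"

@dataclass
class Triage:
    is_breach: bool
    risk: str                               # "none", "assess" or "high"
    actions: List[str] = field(default_factory=list)
    deadline: Optional[datetime] = None     # 72 h after discovery, when applicable

def triage(inc: Incident) -> Triage:
    # Steps 1 and 2: no personal data, or an availability-only outage, is not a breach.
    if not inc.involves_personal_data or inc.availability_only:
        return Triage(False, "none", ["no GDPR breach; note the decision internally"])
    # Step 3: risk to the individuals affected.
    if inc.encrypted_key_safe:
        risk = "none"
    elif (inc.special_category or inc.vulnerable_subjects
          or inc.enables_identity_fraud or inc.affected_count >= LARGE_SCALE):
        risk = "high"
    else:
        risk = "assess"
    actions, deadline = ["record in internal breach register"], None  # every breach
    # Step 4: controller reports to the authority; processor informs the controller.
    if inc.role == "processor":
        actions.append("notify the data controller as soon as possible")
    elif risk != "none":
        deadline = inc.discovered_at + timedelta(hours=72)
        actions.append("notify supervisory authority before " + deadline.isoformat())
        if risk == "high":
            actions.append("notify affected individuals as soon as possible")
    return Triage(True, risk, actions, deadline)
```

A "none" risk result still yields a register entry, matching the guide's requirement to record breaches that are not reported.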


Notifying affected individuals

In addition to reporting to the supervisory authority, you may also be required to notify the individuals whose data was affected.

Mandatory if:

  • The breach is likely to result in high risk to their rights and freedoms
  • Special category data was involved
  • Identity fraud or other serious harm is foreseeable

Not required if:

  • The data was encrypted and the key was not compromised
  • The supervisory authority determines that notification would involve disproportionate effort and has issued a public notice instead
  • The risk is negligible

Notify affected individuals as soon as possible after discovery — do not wait until after you have filed the supervisory authority report.


Specific considerations for healthcare providers

Healthcare providers process special category data (health data). The notification threshold is therefore lower:

  • Any unintended access to patient data by unauthorised parties constitutes a data breach
  • A stolen laptop with patient records — even if encrypted — is reportable if it cannot be confirmed that the encryption was adequate
  • Email with medical information sent to the wrong address: almost always reportable

Report to:

  • If you work within an organisation: your Data Protection Officer (DPO)
  • If you are a sole trader / freelancer: directly to your national supervisory authority
  • Consider also reporting to your national health-sector CERT or cybersecurity agency for technical support

Maintaining an internal register

GDPR also requires you to keep an internal record of all data breaches — including breaches you are not required to report to the supervisory authority. This register must be available for inspection.

Minimum record per incident:

  • Date of discovery
  • Description of what happened
  • Which data, how many individuals affected
  • Measures taken
  • Reason for reporting or not reporting
