Data breach notification
What is data breach notification?
Data breach notification is the process of informing the competent supervisory authority and, in certain cases, the individuals affected that a personal data breach has occurred. Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This is a legal concept with specific consequences for controllers and, in some situations, processors.
In practice, data breach notification is not limited to large-scale cyberattacks. It may also concern misdirected emails, loss of a device containing personal data, unauthorised access to systems, publication of data to the wrong audience, or accidental deletion of records. The legal assessment does not depend only on the technical incident itself, but on whether the event creates a risk to the rights and freedoms of natural persons.
For most organisations, the key issue is timing and proper qualification of the incident. Article 33 GDPR requires the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 34 GDPR further requires communication to affected individuals where the breach is likely to result in a high risk to their rights and freedoms. These duties are interpreted with reference to the specific facts, the categories of data involved, the scale of the incident, and the possible consequences for individuals.
What does data breach notification involve in practice?
Data breach notification usually begins with incident identification and internal escalation. An organisation must first determine what happened, what data was affected, how many individuals may be involved, whether the data was protected, and what harm could follow. This often requires cooperation between legal, compliance, IT, cybersecurity, management, and operational teams.
The notification to the supervisory authority should include, at minimum, the nature of the personal data breach, the categories and approximate number of data subjects concerned, the categories and approximate number of personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address it. If full information is not yet available, the GDPR allows phased reporting, provided the initial notification is made on time and supplemented without undue delay.
Communication to affected individuals requires a different assessment. It should be made in clear and plain language and describe the nature of the breach, likely consequences, and steps the individual can take to reduce possible harm. In some cases, communication to individuals may not be required, for example where appropriate technical and organisational measures – such as encryption – rendered the data unintelligible to unauthorised persons, or where subsequent measures eliminated the high risk. The exact scope of these exceptions must be analysed carefully.
Documentation is also a mandatory part of the process. Under Article 33(5) GDPR, controllers must document personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken. This obligation applies even where notification to the authority is not required. Proper records are often essential during audits, investigations, internal reviews, and disputes over compliance.
When is legal support for data breach notification advisable?
Legal support is often important when the incident is not straightforward, the facts are still developing, or the organisation operates in a regulated or high-risk environment. This applies in particular where special categories of personal data are involved, where employee or customer data was exposed, where the incident affects several jurisdictions, or where contractual obligations toward business partners also require separate notice.
Private individuals may also need legal assistance where their data has been exposed and they want to understand whether the organisation complied with its obligations, whether the communication they received was sufficient, and whether further action may be justified. For businesses, the issues are usually broader and may include regulatory exposure, contractual liability, internal accountability, insurance implications, and reputational consequences.
A prompt legal assessment can help distinguish between an incident that must be reported and one that only requires internal documentation. It can also help avoid two common errors – failing to notify where notification was legally required, and over-reporting without a proper legal and factual basis. Both situations may create avoidable risk. Early consultation also supports defensible decision-making, preserves evidence, and improves consistency between regulatory filings, internal records, and external communications.
Where an incident may lead to claims, inspections, or public scrutiny, the legal strategy should cover not only GDPR notification duties, but also related issues such as processor obligations, confidentiality, employment matters, cybersecurity governance, and communication management. In cross-border cases, it may also be necessary to consider the lead supervisory authority mechanism and the approach taken by other EU data protection authorities.
Law firm support in the area of data breach notification may include in particular:
- assessment of whether an incident qualifies as a personal data breach under the GDPR,
- analysis of risk and high risk to the rights and freedoms of natural persons,
- preparation or review of notifications to the supervisory authority,
- preparation or review of communications to affected individuals,
- support in documenting the breach and remedial measures,
- advice on controller-processor responsibilities and contractual notification clauses,
- support during supervisory proceedings, inspections, and internal investigations,
- review of incident response procedures and breach notification workflows.
If you need support with data breach notification, contact us.