If your business handles personal data, and most do, it’s essential to understand your obligations under GDPR when something goes wrong. Whether it’s a misdirected email, a stolen laptop, or a cyberattack, you may be legally required to report the incident to Ireland’s Data Protection Commission (DPC).
In this guide, we explain what counts as a personal data breach, when (and when not) to report a breach to the DPC, who else you may need to inform (including affected individuals), and practical steps to stay compliant and protect your business.
What Is a Personal Data Breach?
A personal data breach happens when personal information is accidentally or unlawfully accessed, disclosed, lost, altered, or destroyed. This includes sending customer or staff data to the wrong person, losing a laptop or USB stick with unencrypted data, having data stolen in a ransomware or phishing attack, or allowing unauthorised access to systems holding personal information.
Personal data means any information that can identify an individual. This includes names, addresses, phone numbers, email addresses, IP addresses, staff records, and even online identifiers.
When Must You Report a Breach to the DPC?
You must notify the DPC within 72 hours of becoming aware of a breach if it poses a risk to people’s rights and freedoms, for example their privacy, identity, finances, reputation, or safety.
Examples of breaches that must be reported include a file with employee payroll data sent to the wrong external email address, a laptop containing unencrypted customer contact details being stolen, or your CRM being hacked and customer contact data exfiltrated.
When You Don’t Need to Report a Breach
If the breach is unlikely to result in any harm to individuals, you don’t need to notify the DPC. Examples include a company device that is lost but protected by full encryption and strong passwords, or a file accessed internally by someone already authorised to view it.
Even if you don’t report it, you must document it.
Do You Need to Notify the People Affected?
If a breach is likely to cause serious harm to the individuals involved, you must tell them without delay. This applies when data was unencrypted or easily accessible, the breach could lead to fraud, identity theft, or significant distress, or the incident involves sensitive categories of data (e.g., medical or financial info).
The DPC expects you to use plain language (no legal jargon), clearly explain what happened, share what you’re doing about it, and let people know what steps they can take.
Why You Shouldn’t Fear Reporting a Breach
No one wants to report a breach. But transparency works in your favour. The DPC has said it prefers openness and a strong accountability record over silence. Hiding breaches may result in higher penalties. Larger fines like Meta’s €91 million are typically for serious, repeated failures to protect data or to report breaches, not for prompt and responsible disclosure by SMEs.
Remember that reporting doesn’t mean you’ll face enforcement. You can report initial details and follow up later. As the DPC puts it: “The 72-hour deadline does not require all information to be available at the time of submission.”
Checklist: What to Do If a Breach Happens
Here’s a general overview of typical steps followed by Irish businesses in response to a data breach:
1. Contain the breach and prevent further loss or access.
2. Assess what data is involved and whether it’s sensitive.
3. Evaluate the risk to individuals’ rights and freedoms.
4. Decide whether you need to notify the DPC and/or affected people.
5. Report to the DPC within 72 hours, if required.
6. Document the breach, your decisions, and remediation steps.
Build Stronger Data Security and Breach Readiness
The best way to reduce breach risk and demonstrate accountability is to put robust information security controls in place. For SMEs, this might include obtaining Cyber Essentials or ISO 27001 certification, implementing strong access controls and encryption, providing staff training on phishing and data handling, conducting regular risk assessments, and maintaining audit logs.
What Is Cyber Essentials Certification?
Cyber Essentials is a certification scheme designed to help organisations protect themselves against common cyber threats. It focuses on essential security controls like firewalls, secure configuration, access control, and malware protection. While originally UK-based, many Irish SMEs adopt Cyber Essentials to demonstrate basic cybersecurity hygiene to customers and partners around the world.
What Is ISO 27001 Certification?
ISO/IEC 27001:2022, also known as ISO 27001, is an internationally recognised information security management standard. It requires organisations to implement a comprehensive system for managing sensitive data securely, including risk assessment, policies, controls, staff training, and ongoing audit. ISO 27001 certification shows a business is committed to protecting information systematically and continually improving its security posture.
Why These Certifications Matter
For Irish businesses, Cyber Essentials and ISO 27001 certification provide clear evidence of your commitment to data security. They help meet GDPR’s accountability principle by formalising risk management, reduce the chance of breaches through proven best practices, build trust with customers, suppliers, and regulators, and may be a requirement for contracts or tenders in certain industries.
Benefits of Certification for Your Business
Benefits include a stronger security posture with fewer vulnerabilities, formal policies and processes to handle incidents effectively, competitive advantage when bidding for business or partnering, confidence that your business is aligned with Irish and EU data protection laws, and potentially lower insurance premiums and reduced financial risks.
How Amtivo Supports Your Certification Journey
At Amtivo, our expert team specialise in auditing Irish businesses to identify any gaps in your data protection practices. Our thorough and impartial audits highlight the areas your business needs to address to meet the requirements necessary for certification in data protection standards such as ISO 27001.
Choosing Amtivo means you receive expertise from a trusted, Ireland-based provider who understands local regulations and business challenges, empowering you to confidently strengthen your data security and compliance.
Contact us to learn more about our GDPR and information security-related services today.