A personal data breach is not just any IT incident. It is a security breach that causes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. It may affect customers, employees, suppliers, users or patients.

The GDPR requires quick action. If the breach may result in a risk to individuals’ rights and freedoms, it must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours after the organisation becomes aware of it.
In this article we will discuss...
When to notify a breach to the AEPD
Notification to the AEPD (the Spanish supervisory authority) is required when the breach may create a risk for affected individuals. Examples include exposure of identification, financial or health data, credentials, identity documents, children’s data, sensitive employment information or unauthorised access to databases.
Not every incident requires notification, but every incident should be assessed and documented. If the breach is unlikely to result in a risk, notification may not be required, but the assessment and the reasons for not notifying should still be recorded and retained.
When to inform affected individuals
In addition to notifying the AEPD, the organisation may need to communicate the breach to affected individuals when there is a high risk to their rights and freedoms. The communication should be clear and explain what happened, what data was affected, possible consequences and recommended measures.
What to do in the first 72 hours
- Contain the incident: block access, isolate systems or revoke compromised credentials.
- Identify what personal data has been affected.
- Estimate the number of affected individuals and data categories.
- Assess the risk to rights and freedoms.
- Document facts, dates, decisions and measures taken.
- Notify the AEPD where required, even if information must be completed later.
- Prepare communication to affected individuals if there is a high risk.
Common mistakes
- Waiting to know every detail before starting the assessment.
- Not recording incidents internally when they are ultimately not notified.
- Confusing a technical incident with a personal data breach without assessing impact.
- Not reviewing processor contracts when a provider suffered or detected the incident.
- Not having an internal response protocol ready.
Recommended official sources
- AEPD: personal data breach notification guide.
- AEPD: personal data breach notification procedure.
- AEPD: Comunica-Brecha RGPD tool.
- AEPD: communication of breaches to affected individuals.
Conclusion
The key after a data breach is to react quickly, assess risk and document every decision. A prior response protocol reduces mistakes and helps comply with the 72-hour deadline.