
Websites · 4 min read

Data breaches — what to do, and what GDPR says

What exactly is a data breach, and what must a small business do if one happens? A calm guide to your duties under GDPR, explained simply.

By Mediseo

Most people think of GDPR as something you deal with when everything's going well. But the rules matter most the day something goes wrong — when personal data ends up where it shouldn't. Here's what a data breach is, and what a small business should actually do.

What a data breach is

A data breach, in GDPR terms a "personal data breach", is a security incident in which personal data is lost, altered, destroyed, disclosed to or accessed by someone who shouldn't have it, whether by accident or on purpose. It sounds dramatic, but the most common cases are everyday ones:

  • An email with a customer list sent to the wrong recipient.
  • A laptop or phone holding customer data lost or stolen.
  • An account taken over because its password leaked or was reused from another site.
  • A spreadsheet of personal data stored somewhere anyone can see.

The point is that a breach doesn't require an advanced attack. Most happen by accident.

The first three things you do

If it happens, keep a cool head and work in this order. Note the time you became aware of it, because the reporting clock starts then:

  1. Stop the breach. Get control. Ask the wrong recipient to delete the email and confirm that they have (a "recall" rarely works once mail has been delivered), change the password on the compromised account and sign out its active sessions, remove the file that was left open and check who accessed it.
  2. Work out what happened. Which data is involved, how many people, who has it now, can it still be reached, and how serious is it for those affected? A leaked email address is one thing; identity numbers, payment details or health data are quite another.
  3. Write it down. What happened, when you became aware of it, what you did and when. GDPR requires you to document every breach, including the ones you decide not to report, and the log is also what you will need when you write the notification.

When you must report it

Here's a part of GDPR many people don't know about: some breaches must be reported to the data protection authority, and some must also be reported to the people affected.

  • To the authority: the main rule is that a breach must be reported unless it is unlikely to pose a risk to the people affected. The notification goes in without undue delay and, where feasible, no later than 72 hours after you became aware of it; if it is later than that, you must say why. Low-risk breaches can be left out, but the threshold for "a risk" is low, and the breach still has to be documented internally.
  • To the people affected: if the risk is high, say with sensitive data or a real danger of fraud or identity theft, the individuals must be notified directly and without undue delay, so they can protect themselves (change passwords, watch their accounts, be wary of phishing that uses the leaked details).

You don't need to know the rules by heart. But you should know the duty to report exists, and that the deadline is short. That alone makes you react faster.

Why it pays to be prepared

72 hours isn't long if you're starting from scratch. A little preparation makes that day far calmer.

  • Know where your data is. If you have an overview of what you store and where, it's far easier to assess a breach.
  • Have a simple plan. Who does what, who is contacted, where the log is kept. Half a page is enough.
  • Limit the data in advance. Less stored data is less that can leak. What you've deleted can't go astray.

How to reduce the chance in the first place

Most breaches are everyday accidents, and everyday habits prevent them:

  • Double-check the recipient before sending an email with personal data.
  • Use unique passwords and two-factor authentication, so one leaked password doesn't open everything.
  • Give people access only to what they need, and remove access that isn't used.
  • Store personal data safely, not in loose spreadsheets anyone can open.

What we tend to tell businesses is that a data breach isn't primarily a disaster, but a situation you can handle tidily if you've thought it through in advance. Preparation is cheap; panic is expensive.

Frequently asked questions

Do I have to report a misaddressed email with one name?

It depends on the risk to the person. A single email address sent to the wrong recipient is often low risk, while sensitive data, or data that could be used for fraud, is a different matter. If in doubt, the threshold to report is low, and your data protection authority has guidance for the assessment. Document your assessment either way, even when you conclude that no report is needed.

What's the 72-hour deadline I've heard about?

It's the main rule for reporting a notifiable breach to the authority: without undue delay, and no later than 72 hours after you became aware of it. That's why detecting and assessing quickly is half the job.

What if I discover the breach too late?

Report it anyway, and give the reasons for the delay; GDPR expressly allows a late notification as long as it is accompanied by those reasons. Reporting late is better than not reporting. The most important thing is that you act, limit the damage, and are honest about what happened.

This is general guidance, not legal advice. In an actual breach, check your data protection authority's guidance and, if needed, seek help to assess your specific situation.
