Data Breach in Ireland: What Businesses Must Do Within 72 Hours (2025)
A personal data breach can happen to any organisation — a misdirected email, a stolen laptop, a cyberattack, or an accidental disclosure. Under GDPR, the clock starts as soon as you become aware of the breach. From that moment you have just 72 hours to notify the Data Protection Commission (DPC) if the breach is likely to result in a risk to individuals’ rights and freedoms. Acting quickly and correctly can make a significant difference to your legal liability and reputation. This guide explains exactly what to do.
What Is a Personal Data Breach?
Under GDPR, a personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes:
- Sending personal data to the wrong recipient by email or post
- A ransomware or cyberattack accessing or encrypting personal data
- Loss or theft of a device (laptop, USB drive, phone) containing personal data
- Unauthorised access to your systems by an employee or third party
- Accidental deletion of personal data without a backup
- A third-party processor suffering a breach affecting your data
Step 1: Contain the Breach (Immediately)
As soon as you become aware of a breach, act immediately to limit further damage:
- Isolate affected systems or revoke access
- Reset compromised passwords and rotate any exposed access credentials (API keys, tokens, shared accounts)
- Retrieve misdirected communications where possible
- Preserve all evidence — do not delete anything that could be relevant
Step 2: Assess the Risk (Within Hours)
Not every breach requires notification to the DPC. You must assess whether the breach is likely to result in a risk to individuals’ rights and freedoms. Factors to consider include:
- The type and sensitivity of data involved (health data, financial data, and special category data carry higher risk)
- The number of people affected
- The likely consequences — identity theft, fraud, discrimination, distress
- Whether the data was encrypted or otherwise protected
If in doubt, notify. The DPC takes a more sympathetic view of organisations that self-report promptly than those that fail to report at all.
Step 3: Notify the DPC Within 72 Hours (If Required)
If the breach is likely to result in a risk to individuals, you must notify the DPC within 72 hours of becoming aware of it. Late notification — or failure to notify — is itself an infringement of GDPR, separate from the underlying data breach, and can result in fines.
Your DPC notification must include:
- A description of the nature of the breach, including the categories and approximate number of individuals affected
- The name and contact details of your Data Protection Officer (or other contact point)
- A description of the likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
Step 4: Notify Affected Individuals (If High Risk)
If the breach is likely to result in a high risk to individuals’ rights and freedoms, you must also notify the affected individuals directly — without undue delay. This notification must be in clear, plain language and explain the nature of the breach, likely consequences, and steps they can take to protect themselves.
Step 5: Document Everything
All data breaches — whether notifiable or not — must be documented in your internal breach register. This includes the facts, effects, and remedial actions taken.
Step 6: Review and Improve
Following a breach, review what went wrong and implement measures to prevent recurrence. This demonstrates accountability to the DPC and can mitigate any potential fine.
Need help navigating a data breach or strengthening your GDPR compliance? Our GDPR Privacy Policy service and 30-minute consultation are a great starting point. Also see our GDPR guide for small businesses.
This article is for informational purposes only and does not constitute legal advice.
