GDPR and Data Breaches: What Obligations Does Your Company Have?
If your company operates in the EU or processes data of European citizens, the GDPR affects you directly. And when we talk about data breaches, the obligations are strict: 72-hour deadlines, mandatory notifications, and sanctions that can reach 20 million euros. This guide explains everything you need to know.
What does the GDPR say about data breaches?
The General Data Protection Regulation (GDPR) defines a personal data breach as any security incident that leads to the destruction, loss, alteration, or unauthorized disclosure of personal data.
This includes:
- A cyberattack that exposes customer data
- An employee who loses a laptop with sensitive information
- A configuration error that leaves a database publicly accessible
- An email sent to the wrong recipient with personal data
Obligation 1: Notify the AEPD within 72 hours
If the breach poses a risk to the rights and freedoms of the affected persons, you must notify the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours from when you became aware of the breach.
What to include in the notification?
- Nature of the breach — What type of incident it was
- Affected data — What categories of data were compromised
- Number of affected persons — Estimate of how many people's data was exposed
- Probable consequences — What risks the affected persons face
- Measures adopted — What you have done to mitigate the damage
- DPO — Contact details of the Data Protection Officer
What if I don't have all the information within 72 hours?
You can make a partial notification and complete it later. The important thing is not to exceed the 72-hour deadline for the first communication.
Obligation 2: Notify the affected parties
If the breach poses a high risk to the affected parties, in addition to notifying the AEPD, you must communicate the breach directly to the affected persons.
When is there "high risk"?
- Exposed financial data (cards, bank accounts)
- Unencrypted or weakly encrypted passwords
- Health data
- Identity documents
- Data that allows identity theft
What to tell the affected persons?
- What happened (in clear language)
- What data of theirs was affected
- What they can do to protect themselves
- What measures the company has taken
- How to contact the DPO
Sanctions: the cost of non-compliance
| Type of infringement | Maximum fine |
|---|---|
| Not notifying a breach to the AEPD | Up to €10M or 2% of global turnover |
| Not notifying the affected persons | Up to €20M or 4% of global turnover |
| Not implementing adequate security measures | Up to €20M or 4% of global turnover |
Real examples of sanctions in Spain
- CaixaBank — €6 million for data protection failures
- Vodafone — €8.15 million for multiple infringements
- BBVA — €5 million for unlawful data processing
SMEs are not exempt: the AEPD adapts fines to the size of the company, but sanctions exist for everyone.
Action plan: prepare before it happens
1. Prevention
- Regularly scan corporate emails with SecuryBlack to detect compromised credentials
- Enable 2FA on all systems
- Train your team in good security practices
- Minimize the data you collect — the less data you have, the lower the risk
2. Detection
- Continuous breach monitoring with SecuryBlack
- Access logs to critical systems
- Alerts for suspicious activity
3. Response (have this prepared)
- Breach notification procedure document
- Notification template to the AEPD ready to use
- Communication template to the affected
- Contact details of the DPO (or of the designated responsible person)
- Legal advisor contact with GDPR experience
4. Record
The GDPR requires keeping a record of all breaches, even those that don't require notification. Document:
- Date and time of discovery
- Nature of the incident
- Affected data
- Measures adopted
- Decision to notify or not (and why)
Useful resources
Prevention starts with knowing your current status. Check your company's emails and enable continuous monitoring.