The administration manager's phone rings at eight in the morning. The email provider reports that unauthorised access to the company account has been detected overnight. At that moment, even before anyone in the organisation has made a single decision, the clock under Article 33 of Regulation (EU) 2016/679 (GDPR) has already started ticking. They have 72 hours to notify the Spanish Data Protection Agency (AEPD) if the incident poses a risk to the rights and freedoms of the individuals affected.
This article explains what a personal data breach is, how to classify its severity, what specific obligations the GDPR — and Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) — impose, and what an SME must do in the first few hours to avoid compounding its legal exposure.
What is a personal data breach?
Article 4(12) of the GDPR defines it as «a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed».
The definition is deliberately broad. It does not require an external attack or publication of the data. Three situations are equally breaches:
- Confidentiality breach: unauthorised or accidental disclosure of or access to personal data (a cyberattack extracting a client database, an email sent to the wrong address with personal data attached).
- Integrity breach: unauthorised or accidental alteration of personal data (malicious modification of records, file corruption caused by malware).
- Availability breach: accidental or unauthorised loss of access to or destruction of personal data (ransomware encrypting servers, accidental deletion of a database without a backup).
What all three categories share is that they affect personal data: any information that allows a natural person to be identified. Employee records, customer lists, medical histories, email addresses or telephone numbers are personal data. A server configuration file with no names or identifiers is not.
Types of data breaches: real examples in SMEs
Breaches are not just a problem for large corporations. The AEPD publishes annual statistics showing that more than half of notifications received come from small and medium-sized businesses. These are the most common types in Spain's business fabric:
| Incident type | Concrete example | Breach category | Typical risk level |
|---|---|---|---|
| Ransomware / malicious encryption | An employee opens a fraudulent attachment; malware encrypts all files on the shared server, including the client database | Availability (+ confidentiality if exfiltration occurs) | High or very high |
| Device theft or loss | A salesperson loses an unencrypted laptop containing client contracts in PDF format and a contact list | Confidentiality | Medium–high (depends on disk encryption) |
| Misdirected email | An accountancy firm sends one employee's payslip to another by confusing addresses | Confidentiality | Low (if recipient destroys it) or medium |
| Unauthorised access by former employee | A dismissed worker retains active credentials and downloads the CRM before leaving | Confidentiality | High |
| Web or e-commerce vulnerability | An outdated WordPress plugin allows SQL injection; order data with names, addresses and phone numbers is exposed | Confidentiality | High |
| Accidental data deletion | A clinic accidentally deletes the last year of appointment records with no recent backup | Availability | Medium (if no identifiable harm to specific individuals) |
When is there an obligation to notify the AEPD?
Not every breach requires notification. Article 33 of the GDPR establishes the obligation when the breach «is likely to result in a risk to the rights and freedoms of natural persons». The regulation also provides an exception: if the violation «is unlikely to result in a risk», notification is not mandatory — but it must still be documented internally in the Security Breach Register that every data controller is required to maintain.
In practice, the AEPD and the European Data Protection Board (EDPB) have published guidelines for assessing risk, considering factors such as:
- The type and volume of data affected (special category data — health, beliefs, racial origin, sexual orientation — are treated as more serious).
- The number of individuals affected.
- The ease of identifying data subjects from the exposed data.
- Whether the controller could have prevented the incident (negligence).
- The reversibility of the potential harm.
The 72-hour deadline runs from the moment the controller becomes aware of the incident, not from when it occurred. If the investigation is not complete by then, the GDPR permits a phased notification: an initial communication with available data, supplemented later when full information is available. What the regulation does not allow is waiting until everything is clear before notifying.
When must affected individuals be notified?
Article 34 of the GDPR adds a second obligation when a breach «is likely to result in a high risk to the rights and freedoms of natural persons»: communicating it directly to each affected person «without undue delay». This communication must use clear, plain language and include at least:
- The nature of the breach.
- The name and contact details of the Data Protection Officer (DPO) or designated contact point.
- The likely consequences of the breach.
- The measures taken or proposed to remedy the breach and, where appropriate, to mitigate its adverse effects.
The controller may avoid individual communication only if adequate technical measures make the data unintelligible (for example, robust encryption with an uncompromised key), if subsequent measures have been taken that are sufficient to neutralise the risk, or if individual notification would involve disproportionate effort — in which case a public communication must be made instead.
Action protocol in the first 72 hours
The difference between an SME that manages a breach well and one that compounds its legal exposure is almost always decided in the first few hours:
- Immediate containment: isolate affected systems, revoke compromised credentials, block identified access vectors. Do not indiscriminately power off servers if doing so would destroy forensic evidence.
- Preliminary scope assessment: determine which data were affected, how many individuals and since when. This assessment need not be definitive, but it must be sufficient to decide whether to notify.
- Activate the internal breach protocol: if the organisation has a DPO, involve them immediately. If not, the data controller assumes coordination.
- Document everything from minute one: time of detection, who detected the incident, measures taken, conversations with technical providers. This documentation is the evidence of due diligence before the AEPD.
- Decide whether to notify the AEPD: if there is risk to data subjects — which is the case in most incidents unless data are encrypted or the incident is trivial — notify through the AEPD's electronic registry before 72 hours have elapsed from awareness of the incident.
- Assess whether communication to affected individuals is required and, if so, draft and send the message with the information required by Article 34 GDPR.
Sanctions framework: what the AEPD can impose
Article 83 of the GDPR sets out the sanctions framework without fixing mandatory amounts: the supervisory authority has discretion to calibrate the sanction according to gravity, intent, number of individuals affected, categories of data involved and measures taken to remedy the harm. The maximum ceiling is 20 million euros or 4% of total worldwide annual turnover of the preceding financial year (whichever is higher). The AEPD has imposed significant penalties on both large companies and SMEs for poor breach management, including late notification or failure to notify when required.
How to prevent data breaches: technical and organisational measures
Article 32 of the GDPR requires data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. There is no closed catalogue: appropriateness depends on the state of the art, the cost of implementation and the nature of the data processed. For a Spanish SME, reasonable minimum measures include:
- Encryption of mobile devices and laptops containing personal data (neutralises breaches from loss or theft).
- Strong password policy and two-factor authentication for systems holding personal data.
- Regular, verified backups with at least one copy off the main server (reduces the impact of ransomware and accidental deletion).
- Credential lifecycle management: immediate revocation of access when an employment or contractual relationship ends.
- Security updates applied promptly to all systems, especially CMS platforms, plugins and web applications.
- Written breach management protocol defining who receives the alert, who decides to notify and who drafts the communication to the AEPD.
The role of the DPO in breach management
Articles 37 to 39 of the GDPR regulate the Data Protection Officer (DPO): designation is mandatory for certain organisations (public authorities, entities carrying out large-scale processing of special category data or large-scale systematic monitoring). Where a DPO exists, they are the natural interlocutor with the AEPD in the event of a breach and responsible for coordinating the internal protocol.
For SMEs without a legal obligation to designate a DPO but that process sensitive data — clinics, educational centres, professional firms, companies with extensive CRM databases — engaging an external DPO provides the same coverage at manageable cost, typically including breach management as part of the service.
If your company does not yet have a breach management protocol or a clearly designated data protection lead, now is the time to address your GDPR compliance on data breach management. Summum Consultora supports SMEs in Castilla y León and the Canary Islands with protocol design, Security Breach Register drafting and real-incident response.
Frequently asked questions
What happens if I discover a breach several days after it occurred?
The 72-hour deadline starts from the moment the controller becomes aware of the incident, not from when it happened. If the breach is detected late, the clock starts at detection. In your notification to the AEPD, you must state both the probable date of the incident and the date of discovery; a large discrepancy may attract scrutiny if it appears disproportionate.
Does an internal breach — without external access — also need to be reported?
Yes. If an employee accesses data about other employees or clients without authorisation, that is a confidentiality breach subject to the same obligations as an external intrusion. Whether the access is internal or external does not determine the obligation; the risk to data subjects does.
Is there a register where all breaches — even those not notified — must be recorded?
Yes. Article 33(5) of the GDPR requires data controllers to document all personal data breaches, including those that do not meet the risk threshold requiring notification to the supervisory authority. This Security Breach Register must be available to the AEPD on request.