Manuel Martinez

Reporting An SME Data Breach Under The GDPR: How, When And Why

Reporting An SME Data Breach Under The GDPR: How, When And Why

Share this content

A data breach is not only costly for your organisation in terms of the time spent to rectify a breach and the reputational damage caused, but it can also be costly from a regulatory perspective when you fail to notify. As an SME, it is important that your organisation understands when to notify a data breach under the UK General Data Protection Regulation (GDPR), and to whom and how to notify it.

Not sure what counts as a data breach? Read our previous blog post below to find out!

10 Examples of SME data breaches and how to prevent them

When should data subjects be notified?

Communication of personal data breaches to data subjects is governed by Article 34 GDPR which states that your organisation should report a data breach without undue delay if there is "a high risk to the rights and freedoms of natural persons".

Recital 85 of the GDPR clarifies this to mean physical, material, or non-material damage to natural persons, if a breach is not addressed in a timely manner, such as:

  • loss of control over their personal data or limitation of their rights
  • discrimination
  • identity theft or fraud
  • financial loss
  • unauthorised reversal of pseudonymisation
  • damage to reputation
  • loss of confidentiality of personal data protected by professional secrecy or
  • any other significant economic or social disadvantage to the natural person concerned.

The loss of bank details, the sharing of private information related to someone’s address or information that can allow someone else to steal an identity are all examples of risks to a person's rights and freedoms.

However, the Information Commissioner's Office (ICO) suggests that the threshold for reporting to data subjects is much higher than that of reporting to the ICO and this is partly because you may cause unnecessary worry if you notify data subjects of minor issues, especially when the breach is unlikely to cause a high risk to their safety or freedom.

In fact, too many notifications may cause data subjects to become complacent and disregard it when an important one asks them to act in securing their personal data rights.

Generally, the GDPR notes that notification to data subjects is not required when:

  • the controller has implemented appropriate technical and organisational protection measures which were applied to the personal data affected by the data breach, such as encryption;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
  • it would involve disproportionate effort - in such a case, there should instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

How to notify a data breach to data subjects

In case you do need to notify data subjects, the GDPR notes that the communication to data subjects:

  • should be in clear and plain language as to what the breach was;
  • should contain the name and contact details of the data protection officer (DPO) or other contact within the organisation that can give them more information and answer their questions; and
  • should describe the measures taken or will be taken by your organisation as the data controller to address the personal data breach and measures to mitigate possible adverse side effects, if there is likely to be any.

When should the ICO be notified?

The threshold for reporting a personal data breach to the ICO is much lower than that of data subjects but this does not mean that every data breach needs to be notified. You should only notify if it poses a risk to people and the likelihood and severity of the risk is to people’s rights and freedoms, following the breach. After this assessment, if it’s likely there will be a risk then you must notify the ICO.

If you are reporting a breach, it should be reported to the ICO without undue delay and within the first 72 hours of the breach, starting from when your organisation becomes aware of it. Remember, a failure to notify the ICO of a relevant data breach may lead to a fine of up to EUR 10m or 2% of your annual global turnover, whichever is higher.

Click here for an assessment of whether you should report to the ICO.

How to notify a data breach to the ICO

Call the ICO on 0303 123 1113. Alternatively, if you think you have dealt with the breach appropriately, you can notify the ICO online by clicking on the image below.

Click the above to go to the ICO website to download the word document.

Below are a list of things to think about:

  • Describe the situation
  • Describe how the incident occurred
  • How did the organisation discover the breach?
  • What preventive measures were already in place before the breach?
  • Was the breach caused by a cyber incident?
  • What time did the breach happen?
  • What time was the breach discovered?
  • What types of personal data were involved in the breach?
  • How many personal data records were involved?
  • How many data subjects will be affected?
  • What groups of data subjects are likely to be affected?
  • Is the breach likely to result in a high risk to data subjects?
  • Has the staff member involved in the breach been trained on data protection regulations in the last two years?
  • Was there a delay in reporting the breach and if so why?
  • What actions did you take due to the breach?
  • What actions have you taken to remedy the breach?
  • What processes or procedures will you implement in the future to prevent a recurrence?
  • Have you notified data subjects of this breach?
  • Who is your organisation’s Data Protection Officer (DPO)?

How to prevent a data breach

The Privasee dashboard is a quick and simple way for your organisation to prevent a data breach and in a worst case scenario, keep on top of data breaches. With features that help you record the time and date of a personal data breach and the person responsible for dealing with them, it can better help you manage your overall privacy risks with increased oversight.

Preventing data breaches need not be costly nor a headache with the right tools.

If you require assistance with notifying a data breach, please contact a member of the Privasee team at and receive a free consultation.


This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

Further information and Sources

Article 34 GDPR, Recital 85 GDPR:


August 12, 2021

Frequently asked questions

Do I need to connect all my tools and third parties?

We never have access to any of your data, our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools.  There's no need for your dev' team to do anything, there are no security risks, just tell us the tools you use and we will do the rest.

What is the scope of my privacy policy?

Our policies are not just about my website or service. Once set up, our platform will help you map-out internal and external processes, such as HR, finance, and more!

Do I need to replace my current policy for the privacy portal?

We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.

Do I need help filling out my details?

Setting up is easy, just follow the on-screen commands and go through a few short steps to add your tools. You don't need any technical ability, anything you don't know the answer to you can ask us via our live chat or add later.

Why can’t I just use a template and add it to my website myself?

A template will not be applicable to your particular business as there are many things to consider for each tool you use. Also the template will not automatically update when changes happen in your business and when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.

What if you don’t have the tools and third parties that I have?

We have a huge selection of tools pre-loaded and anything you don't see you can add directly from the platform as well as mapping data for any custom software you may use.

Which plan should I choose?

Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.

Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.

Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.

Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.

Feel free to get in touch to discuss our GDPR Compliance Software solution.

How easy is it to set up?

Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools - don't worry if you don't know them all, you can come back and add tools at any point. The platform will then generate you the correct privacy policy based on your information, you can there share it directly on your site. That's it!

What size companies is Privasee aimed at?

Privasee has a plan for smaller companies as well as larger enterprise companies. For companies small to medium you can signup directly. For bigger enterprise companies get in touch with your requirements and our team will build you a bespoke plan.

I already have a privacy policy, do I need Privasee?

You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.

Still have questions?

Support details to capture customers that might be on the fence.