Legal and Regulatory Obligations After a Data Breach for a Small to Medium Business.

A data breach triggers specific legal and regulatory obligations for Irish businesses — including a 72-hour notification to the DPC. Here is the full picture.

A Donegal healthcare services company experienced a ransomware attack that encrypted patient records. By the time the incident was contained and the scope understood, five days had passed since the initial discovery. On day five, they received a letter from the Data Protection Commission asking them to explain why they had not notified the Commission of a potential personal data breach within the legally required 72-hour window.

The business had not known about the 72-hour requirement. Their solicitor had not flagged it. Their IT provider had not known either. They faced a regulatory process not because of the breach itself, but because of the notification failure — a failure that was entirely preventable.


The GDPR Breach Notification Obligation

Under GDPR, where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the data controller must notify the supervisory authority — in Ireland, the Data Protection Commission — without undue delay and where feasible within 72 hours of becoming aware of the breach [^1].

The 72-hour clock starts when the business becomes aware that a breach has occurred: not when the breach began, and not when its full scope is understood. "Aware" means having a reasonable degree of certainty that a security incident has compromised personal data, so a short initial check to confirm that is permitted, but it should be brief and its timing documented. If you become aware of a breach on Monday morning, the deadline is Thursday morning. GDPR expressly allows the notification to be made in phases: submit what is known within 72 hours and supply the remaining details as the investigation progresses. Waiting until the full scope is understood before notifying, as the Donegal company did, is the classic mistake. A notification made after 72 hours must be accompanied by the reasons for the delay.

Breaches that must be reported include: ransomware incidents where personal data has been exfiltrated, or encrypted such that it cannot be promptly restored from backup (loss of availability is itself a breach, even where nothing left the network); accidental disclosure of personal data to an unauthorised recipient; theft or loss of devices containing personal data; and unauthorised access to systems holding personal data.

Breaches that do not need to be reported to the DPC are those unlikely to result in any risk to individuals, such as a lost device whose data is protected by strong encryption, where the key was not compromised and a backup of the data exists. The decision that a breach is unlikely to result in risk must still be documented: Article 33(5) requires the controller to keep a record of every personal data breach, including those not notified, covering the facts, its effects and the remedial action taken, so that the DPC can verify compliance if the assessment is later questioned.

If the breach is likely to result in high risk to individuals — for example, financial data or health data that could be used for fraud or discrimination — the data controller must also notify the affected individuals directly, without undue delay.

Does your business have a process for identifying a potential GDPR breach and notifying the DPC within 72 hours? Most Irish SMEs do not — and the deadline is unforgiving. Book a free 20-minute strategy call — we build GDPR breach response into every incident response plan we develop.


The NIS2 Notification Obligation

For Irish businesses classified as essential or important entities under NIS2, a separate notification obligation applies to the NCSC Ireland for significant incidents: an early warning within 24 hours of becoming aware (which must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact), a fuller incident notification within 72 hours including an initial assessment of severity and impact, and a final report within one month of that incident notification [^2].

These obligations are concurrent with, not instead of, the GDPR notification obligation. A ransomware incident affecting a NIS2-regulated business may require notification to both the NCSC Ireland (within 24 hours) and the Data Protection Commission (within 72 hours) simultaneously.


The Legal Exposure

Beyond the notification obligations, a data breach creates potential legal exposure on several fronts.

Regulatory enforcement. The DPC can investigate the circumstances of the breach and take enforcement action: reprimands, orders to change processing practices, or administrative fines. Breaches of the security and breach notification obligations (Articles 32 to 34) fall in the lower tier of up to €10 million or 2% of worldwide annual turnover, whichever is higher; breaches of the processing principles and data subject rights fall in the upper tier of up to €20 million or 4%. Cooperation with the DPC and prompt remedial action are listed in GDPR as mitigating factors when a fine is set, so a first incident that is notified on time and handled well is far less likely to attract a fine than the same incident reported late or concealed.

Individual claims. Individuals whose data was compromised may have a right to compensation under GDPR for material or non-material damage. Irish courts have seen an increase in individual data subject claims following breaches.

Contractual liability. Where your business processes personal data on behalf of business clients, those clients are the data controllers and you are their processor. GDPR requires a processor to notify the controller without undue delay after becoming aware of a breach, and the processing agreement will usually set a tighter contractual deadline so that the client can meet its own 72-hour window. Clients may also have rights to terminate or claim damages if the breach resulted from inadequate security. Check these contracts early in the incident, because the contractual clock is often shorter than the regulatory one.

Insurance. A breach that triggers regulatory proceedings, individual claims or client contractual claims is precisely what cyber insurance is designed to cover, but most policies make prompt notification to the insurer, and insurer consent before engaging forensic or legal vendors, a condition of cover. Engage your insurer immediately after discovery, not after the claim landscape is clear, and record the policy's notification clause and contact details in your incident response plan.


Practical Steps Immediately After Discovery

Preserve evidence. Isolate affected systems from the network rather than cleaning, reformatting or restoring them before forensic investigation, and retain logs, disk images and any ransom note. The evidence of how the breach occurred, when it began, and what data was accessed or exfiltrated is essential for the regulatory notifications (Article 33(3) requires the notification to describe the nature of the breach), the insurance claim, and any subsequent legal proceedings.

Assess scope. What personal data was involved? Whose data, and approximately how many individuals and records? What category of data (financial, health, general personal)? What are the likely consequences for those individuals? These are the elements Article 33(3) requires in the notification, and the assessment determines the obligations: whether DPC notification is required, whether individuals must be told directly, and what the regulatory risk profile is.

Contact your legal adviser. Breach notification letters to the DPC must be carefully drafted. The notification should be complete but should not make admissions beyond what is confirmed. Your solicitor should review any notification before it is submitted.

Contact your cyber insurer. The insurer's incident response team will coordinate the legal, forensic, and communications response. Engaging them early means you are not making decisions about these complex issues alone.


What Next

  1. Add the DPC notification portal to your incident response plan. The online reporting form is at dataprotection.ie. The 72-hour deadline starts from when you become aware. Name who in your organisation is responsible for making this notification.

  2. Identify a solicitor with data protection experience before you need one. The middle of an incident is not the time to search for a solicitor who understands GDPR. Have a named contact, reviewed in advance.

  3. Brief your incident response team on the notification timelines. 24 hours to NCSC (if NIS2 applicable). 72 hours to DPC. These deadlines run concurrently from the moment of awareness.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: Data Protection Commission Ireland — Reporting a Breach
[^2]: NCSC Ireland — NIS2 Incident Reporting
[^3]: An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
