Data breach notifications — what to do
When personal data is exposed in a breach (leaked, lost, stolen, or improperly disclosed), GDPR requires the organisation to notify the regulator without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to your rights and freedoms, it must also notify you directly. This page covers what notification you should receive, what to do when you get one, and what your rights are if a breach affecting you has not been notified.
Two notification duties — to the regulator and to you
| | To the regulator (DPC) | To affected individuals |
|---|---|---|
| When | Without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33) | Without undue delay, where the breach is likely to result in high risk to rights and freedoms (Article 34) |
| What must be included | Nature of the breach, categories and approximate numbers of affected individuals and records, DPO or other contact point, likely consequences, measures taken or proposed | Plain-language description of the breach, DPO or other contact point, likely consequences, measures taken or proposed, and steps you can take |
| Exception | Not required if the breach is unlikely to result in a risk to individuals; the controller must still record it internally (Article 33(5)) | Not required if the data was rendered unintelligible (e.g. encrypted, and the key was not also exposed), if subsequent measures mean the high risk is no longer likely to materialise, or if individual notification would involve disproportionate effort (in which case a public communication is required instead) |
What "high risk" means
You only need to be notified individually if the breach is likely to cause "high risk" to your rights and freedoms. Factors that push a breach into the high-risk category include:
- Sensitive data exposed (health, financial, sexual orientation, religion).
- Identifiers that enable identity theft (PPS numbers, passport numbers, ID document images).
- Credentials that allow account takeover (passwords, tokens).
- Volume — affecting many individuals.
- Vulnerability of affected individuals (children, refugees, people in protection contexts).
What a proper breach notification looks like
A compliant notification (Article 34) tells you:
- The nature of the breach in plain language.
- What personal data of yours was affected (or likely affected — sometimes the controller doesn't know exactly).
- The name and contact details of their Data Protection Officer or a contact who can answer your questions.
- The likely consequences of the breach.
- What measures the organisation has taken or proposes to take.
- What specific steps you can take to mitigate harm — change passwords, watch for follow-on phishing, freeze cards, etc.
What to do when you receive a breach notification
Don't panic, but don't ignore it
Most breach notifications are about data that's already exposed — the immediate harm has typically already happened or already started. The notification is about limiting what comes next.
Read the specifics of what data was exposed
"Email and password" requires different action from "name and date of birth". Adjust your response to the actual data.
Change the password on the breached account immediately
And on any account that shares the same password. Use a password manager so the new ones are strong and not reused.
Enable 2FA on the breached account
If it isn't already on. If the notification says session tokens or API keys were exposed, also revoke them and sign out of all active sessions: turning on 2FA does not invalidate sessions that are already authenticated.
Watch for follow-on phishing
Breached data is sold and re-used for months afterwards. Highly-personalised phishing in the weeks after a breach is the most common follow-up. See scam-watch for current patterns.
If financial data was exposed, watch your bank account and credit file
Request your credit report, free of charge, from the Central Credit Register (centralcreditregister.ie) and review it for loans or enquiries you don't recognise.
If the breach is serious, document it
Save the notification, the date, any subsequent updates. If you suffer actual loss later, the documentation is the foundation of any claim.
If you've suffered actual loss, you may have a civil claim
Article 82 GDPR establishes a right to compensation for material or non-material damage caused by an infringement. Case law is still settling what counts as compensable damage; the breach alone is not enough, you must show actual damage flowing from it. Speak to a solicitor.
What to do if you believe a breach affecting you has NOT been notified
Sometimes you become aware of a breach through the news, a third-party data-leak monitoring service, or because something specific has happened to your account. If the organisation hasn't notified you:
- Contact the organisation directly. Ask whether they have had a breach affecting your data and, if so, why you haven't been notified.
- If they don't respond, or say there has been no breach when you believe there has, file a complaint with the Data Protection Commission. See DPC complaints.
- You can also file a Subject Access Request (see SAR template) and use the audit trail in the response to corroborate or refute the suspected breach.
"Have I been pwned"
Public services like haveibeenpwned.com aggregate publicly-known data breaches, indexed by email address. They can tell you if your address appears in a known breach and which breach it was. Useful as a starting point; not exhaustive (breaches that haven't been publicly disclosed, or whose data hasn't surfaced, won't appear).
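The same service also publishes a breached-password corpus (Pwned Passwords) that can be queried without sending the password, or even its full hash, off your machine: the client hashes the password with SHA-1, sends only the first five hex digits of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, receives every known hash suffix sharing that prefix with a count, and does the match locally. The code below is an added example written for this page, not code from haveibeenpwned.com. The range response embedded in it is constructed for offline use (the suffix for "password" is its real SHA-1 suffix, but the count and the other two entries are made up); the `fetch_range` function shows the live lookup and is not called by the offline check.

```python
"""k-anonymity check of a password against a breach corpus (Pwned Passwords
range protocol). Added example for this page; not the service's own code."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the corpus is keyed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix that is sent to the
    service and the 35-char suffix that stays local."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the live API uses CRLF) into {suffix: count}.
    Padding entries requested via the Add-Padding header carry count 0 and are
    harmless here because a real match always has a count of at least 1."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    `fetch` maps a prefix to the range body; swap it out for offline tests."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed range body for prefix 5BAA6 (SHA-1 of "password" begins 5BAA6).
# The first suffix is the real suffix of SHA-1("password"); its count and the
# other two lines are made up for this example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "00F7C2E3A9B1D4E5F60718293A4B5C6D7E8:2\r\n"
        "FFFFAAAA1111222233334444555566667777:0\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range: returns the constructed body, or an empty
    body (no matches) for any other prefix."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-for-this-demo"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

Run it as-is for the offline demonstration, or call `breach_count("...")` with the default `fetch` for a live query. The point of the design is in `split_hash`: the server only ever learns a 20-bit prefix shared by thousands of hashes, so it cannot tell which password you checked, and a candidate password never has to be reused on a site you do not trust just to find out whether it is already in a breach.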
The harder cases — state-body breaches
Breaches by Irish state bodies are subject to the same notification rules as private organisations. The Department of Social Protection, the HSE, individual local authorities, and other state bodies have all been the subject of DPC investigations into breach handling at various points. If a state body has a breach affecting your data, you should be notified directly unless one of the exceptions applies. If the notification you receive is opaque, vague, or incomplete, you can request specifics — and complain to the DPC if specifics aren't forthcoming.
Primary sources
- Data Protection Commission — breach notification guidance.
- GDPR Article 33 — notification to the supervisory authority.
- GDPR Article 34 — communication to the data subject.
- GDPR Article 82 — right to compensation.