Most small business owners, if asked whether they’ve ever had a data breach, would say no. Some of them are right. But a significant proportion are wrong — they’ve simply never detected the breach, or didn’t realise that what happened qualified as one.

Understanding what a data breach is, what your obligations are when one occurs, and what you can do to both prevent breaches and detect them quickly is increasingly essential for any business that handles personal data. In Europe, that means virtually every business.

What Counts as a Data Breach

The GDPR definition of a personal data breach is broader than most people assume. It’s not just hackers stealing your customer database. A data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

This includes:

  • A laptop containing customer data being stolen or lost
  • An email sent to the wrong recipient that contains personal information
  • A ransomware attack that encrypts and potentially exfiltrates customer records
  • A staff member accessing records they’re not authorised to view
  • A cloud storage misconfiguration that makes private files publicly accessible
  • Your systems being accessed by an unauthorised third party

The question is not “was it a dramatic hack?” but “was personal data compromised?” If the answer is yes, you almost certainly have breach notification obligations.

If you operate in the EU or handle data belonging to EU residents, GDPR applies to you regardless of where your business is based. The key obligations following a data breach:

72-hour notification to the supervisory authority. If a breach is likely to result in a risk to the rights and freedoms of individuals, you must notify your relevant data protection authority within 72 hours of becoming aware of it. In Spain, that’s the AEPD. In the UK post-Brexit, the ICO.

This timeline is short. Organisations that take weeks to investigate a breach before notifying — which is common — are already in violation of this obligation.

Notification to affected individuals. If the breach is likely to result in a high risk to individuals’ rights and freedoms (financial loss, discrimination, reputational damage, identity theft), you must also notify those individuals directly, without undue delay.

Documentation. Even where notification is not required, you must document all breaches internally — including those that are unlikely to result in significant risk. This documentation must be available for regulatory inspection.

Penalties. GDPR fines for serious breaches can reach €20 million or 4% of annual global turnover, whichever is higher. For significant breaches with poor response, regulatory action is a genuine risk.

Why Most Small Businesses Are Not Ready

There are three compounding problems:

Breaches go undetected. The average time to identify a data breach is 194 days. Without network monitoring, without logging, without visibility into who is accessing what — many breaches are never detected at all, or are only discovered months later, well after the 72-hour notification window has closed.

Businesses don’t know their obligations. GDPR notification requirements are frequently misunderstood. Many businesses believe they only apply to large organisations, or only apply if the data was “definitely stolen,” or that the 72-hour clock starts when you’ve completed your investigation (it doesn’t — it starts when you become aware of the incident).

No response plan exists. Even businesses that understand their obligations often have no documented process for responding to a breach. Who does what? Who makes the notification? Who contacts affected customers? Who preserves the forensic evidence? In the panic of an active incident, the absence of a plan is costly.

What Proactive Data Breach Management Looks Like

Detection capability. You cannot respond to a breach you don’t know about. Network monitoring, system logging, and anomaly detection dramatically reduce the time between a breach occurring and your awareness of it. This directly affects your ability to meet the 72-hour notification window.
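As an added illustration (not part of this post and not W3IT's tooling) of what "logging plus anomaly detection" looks like at the smallest scale, the Python below reviews a constructed customer-database access log for two of the breach types listed earlier, a staff member performing actions they are not authorised for and one account pulling records in bulk, and computes the 72-hour deadline from the moment of awareness. The log format, the authorisation table and the thresholds are assumptions.

```python
"""Review of a constructed customer-database access log for two breach types the
post names: staff reading records they are not authorised to view, and bulk pulls."""
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp user action record_id" (not real data).
SAMPLE_LOG = """\
2024-03-04T09:01:10 alice view cust-1041
2024-03-04T09:02:33 alice view cust-1042
2024-03-04T09:05:01 bob view cust-2001
2024-03-04T09:06:45 bob export cust-2002
2024-03-04T09:07:00 bob export cust-2003
2024-03-04T09:07:20 bob export cust-2004
2024-03-04T09:07:40 bob export cust-2005
2024-03-04T09:08:02 carol view cust-3001
"""
# Constructed authorisation table: actions each account may perform.
AUTHORISED = {"alice": {"view"}, "bob": {"view"}, "carol": {"view", "export"}}
BULK_THRESHOLD = 3                    # more than this many accesses per WINDOW
WINDOW = timedelta(minutes=5)
NOTIFY_WINDOW = timedelta(hours=72)   # GDPR Art. 33 clock, counted from awareness


def parse_log(text):
    """Turn raw log lines into (timestamp, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def find_breach_candidates(events):
    """Return (kind, user, timestamp) findings for unauthorised and bulk access."""
    findings = [("unauthorised", user, ts) for ts, user, action, _ in events
                if action not in AUTHORISED.get(user, set())]
    by_user = {}
    for ts, user, _, _ in events:
        by_user.setdefault(user, []).append(ts)
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):       # sliding window per account
            if sum(1 for t in times[i:] if t - start <= WINDOW) > BULK_THRESHOLD:
                findings.append(("bulk", user, start))
                break
    return findings


def notification_deadline(aware_at):
    """72 hours run from when you became aware, not from when the breach happened
    or when the investigation finished."""
    return aware_at + NOTIFY_WINDOW
```

Every finding here comes from the same account, which is the kind of signal that should start the breach register entry and the 72-hour clock immediately, while the investigation continues in parallel.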

An incident response plan. A documented, tested plan covering the first hours and days of a breach response. Who is the incident lead? Who contacts the regulator? Who handles customer communications? Who provides technical forensics? This plan should exist before you need it.

Clear data inventory. Knowing what personal data you hold, where it’s stored, and who has access to it is essential for assessing the impact of a breach quickly. Most small businesses don’t have this documented.

Staff awareness. Staff are often the first to discover a breach — and the first to inadvertently make it worse. Training on what to do (and what not to do) when something seems wrong is a basic but important control.

A trusted technology partner. When a breach occurs, having a relationship with an IT provider who understands your environment and can assist with investigation and response is invaluable. Beginning that relationship in a crisis is significantly harder than having it established in advance.

W3IT helps small businesses establish the monitoring, documentation, and response capability that makes breach detection faster and response more effective. We’re not lawyers — but we work with businesses to ensure the technical foundations of good data protection practice are in place.

If you’ve never audited your data holdings, documented your breach response process, or considered what you would actually do in the first 72 hours of a serious incident, that’s where to start.
