GDPR Data Breach Notification (Ireland)

PERSONAL DATA BREACH NOTIFICATION

Notification to the Data Protection Commission under GDPR Article 33

Date of Notification: [Notification Date]

1. DATA CONTROLLER DETAILS

Name of Data Controller: [Controller Name]

Registered Address: [Controller Address]

CRO Number: [Controller CRO Number]

Data Protection Officer: [DPO Name]

DPO Contact: [DPO Contact]

This notification is submitted by [Controller Name] (the "Data Controller") to the Data Protection Commission (DPC) in accordance with Article 33 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Section 6 of the Data Protection Act 2018.

2. NATURE OF THE PERSONAL DATA BREACH

Date and Time Breach Discovered: [Breach Discovery Date]

Date Breach Occurred: [Breach Occurrence Date]

Type of Breach: [Breach Type]

Description of the Breach:

[Breach Description]

3. PERSONAL DATA AND DATA SUBJECTS AFFECTED

Categories of Personal Data Affected: [Data Categories]

Categories of Data Subjects: [Data Subject Categories]

Approximate Number of Data Subjects Affected: [Data Subjects Count]

Approximate Number of Personal Data Records Affected: [Records Count]

4. LIKELY CONSEQUENCES OF THE BREACH

Assessed Risk Level to Data Subjects: [Risk Level]

Likely Consequences:

[Likely Consequences]

5. MEASURES TAKEN TO ADDRESS THE BREACH

Measures Already Taken:

[Measures Taken]

Proposed Further Measures:

[Proposed Measures]

6. DECLARATION

I confirm that the information provided in this notification is accurate to the best of my knowledge. [Controller Name] is committed to its obligations under GDPR and the Data Protection Act 2018 and will take all reasonable steps to mitigate the effects of this breach and prevent its recurrence.

Submitted by: [DPO Name]

On behalf of: [Controller Name]

Date: [Notification Date]

Data Protection Officer / Authorised Signatory

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a GDPR Data Breach Notification (Ireland)?

A GDPR Data Breach Notification in Ireland notifies the regulator or affected individuals of a personal-data breach and records the facts, risks, and remedial steps taken, as regulated by the Data Protection Act 2018 (GDPR).

A 'personal data breach' is defined in Article 4(12) of the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. This broad definition covers three categories of breach: a confidentiality breach (unauthorised or accidental disclosure or access to personal data); an availability breach (accidental or unauthorised loss of access to, or destruction of, personal data); and an integrity breach (unauthorised or accidental alteration of personal data). A single incident may involve multiple types of breach — for example, a ransomware attack may be both an availability breach (encrypted data is temporarily inaccessible) and a confidentiality breach (data may have been exfiltrated before encryption).

Article 33(1) of the GDPR requires that, in the case of a personal data breach, the controller notify the competent supervisory authority — in Ireland, the DPC — without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If the notification is not made within 72 hours, it must be accompanied by reasons for the delay. The notification must include the mandatory information specified in Article 33(3). The controller is not required to notify the DPC where the breach is unlikely to result in a risk to the rights and freedoms of natural persons — this exception is deliberately narrow and should be applied cautiously.

Article 34(1) of the GDPR requires the controller to communicate the breach to the affected data subjects without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication must describe the nature of the breach and provide the data subject with the information required by Article 34(2), in clear and plain language.

The DPC provides an online breach notification portal at dataprotection.ie through which Irish controllers can submit Article 33 notifications. The DPC publishes annual reports on breach notifications, which provide statistical data on the volume and nature of breaches reported in Ireland and insights into the DPC's approach to breach assessment and enforcement.

Under Article 33(5) of the GDPR, controllers are required to document all personal data breaches, regardless of whether they are notifiable to the DPC. This internal breach register must record the facts relating to the breach, its effects, and the remedial actions taken, and must be made available to the DPC on request. Maintaining a thorough breach register is a key accountability obligation under Article 5(2) of the GDPR. The DPC has the power under Article 83 of the GDPR to impose administrative fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher, for infringements of the breach notification obligations under Articles 33 and 34, and has issued significant fines against Irish-based organisations following investigations into breach notification failures.

When Do You Need a GDPR Data Breach Notification (Ireland)?

A GDPR Data Breach Notification is needed whenever an Irish data controller becomes aware of a personal data breach and needs to comply with the notification obligations under Articles 33 and/or 34 of the GDPR. The notification obligation applies automatically upon awareness of the breach — it is not dependent on the controller's subjective assessment of responsibility or fault.

You need a Data Breach Notification when: a cyberattack (ransomware, phishing, hacking, or malware) has resulted in the compromise of systems containing personal data; personal data has been accidentally sent to the wrong recipient — by email, post, fax, or other communication channel; a device or paper record containing personal data has been lost or stolen; an employee or contractor has accessed personal data without authorisation; a system configuration error has exposed personal data online or to unauthorised users; a third-party processor has notified you that personal data processed on your behalf has been compromised; or any other security incident has resulted in the accidental or unlawful destruction, loss, alteration, disclosure, or access to personal data.

The notification obligation arises for all Irish organisations that act as data controllers — which, under the GDPR's broad definition, includes virtually every business, public body, charity, and professional practice that processes personal data. Small businesses and sole traders are equally obliged to notify the DPC as large corporations. The DPC does not apply a de minimis threshold based on the scale of the organisation or the volume of data involved.

From a practical standpoint, the 72-hour notification window under Article 33(1) is extremely tight and requires organisations to have established breach response plans and notification procedures in place before a breach occurs. An organisation that has not established these procedures will likely struggle to compile a compliant notification within 72 hours of becoming aware of a breach, particularly where the breach involves complex systems, large volumes of data, or multiple jurisdictions.

A data breach notification document template is valuable as part of an organisation's incident response toolkit — it provides a pre-formatted structure for recording and communicating the mandatory information required by Article 33(3) of the GDPR, both to the DPC and (where required under Article 34) to affected data subjects. Having a pre-prepared template reduces the risk that key information will be omitted from the notification and supports the organisation's accountability obligations under Article 5(2) of the GDPR.

For Irish organisations that are subject to the DPC's oversight as lead supervisory authority for cross-border processing activities — including many technology companies with EU headquarters in Ireland — data breach notifications may trigger a cross-border investigation involving multiple EU supervisory authorities under the GDPR's consistency mechanism (Articles 60 to 67). In such cases, the quality and completeness of the initial breach notification is particularly important, as it forms the basis for the DPC's assessment and any cooperation with other supervisory authorities.

For data processors established in Ireland, a breach notification document is needed to fulfil the obligation under Article 33(2) of the GDPR to notify the data controller without undue delay after becoming aware of a personal data breach, enabling the controller to comply with its own 72-hour notification obligation to the DPC.

What to Include in Your GDPR Data Breach Notification (Ireland)

A thorough GDPR Data Breach Notification for an Irish controller should contain the following elements, reflecting the mandatory requirements of Articles 33 and 34 of the GDPR and the DPC's guidance on breach notification.

The controller identification section identifies the notifying organisation as the data controller, including the company name, registered address, CRO number, and contact details of the designated notification contact (typically the Data Protection Officer (DPO) or the data protection lead where no DPO has been appointed).

The nature of the breach section describes the security incident that constitutes the personal data breach — the type of breach (confidentiality, availability, or integrity breach), the cause (cyberattack, human error, system failure, physical loss, etc.), the date and time the breach occurred (or the estimated period), and the date and time the controller became aware of the breach. This section should also confirm whether the breach has been contained at the time of notification or is still ongoing.

The categories and number of data subjects section identifies the categories of individuals whose personal data has been affected (customers, employees, service users, children, etc.) and provides the approximate number of data subjects affected. Where the exact number is not yet known at the time of notification, a reasonable estimate should be provided, with a commitment to provide updated information in a supplementary notification.

The categories and volume of personal data section describes the categories of personal data affected by the breach — names, contact details, financial data, health data, special categories of data, etc. — and the approximate number of data records affected. Notifications involving special categories of data (health, biometric, genetic, racial or ethnic origin, etc.) under Article 9 of the GDPR will attract closer DPC scrutiny and are more likely to require data subject notification under Article 34.

The likely consequences section sets out the controller's assessment of the likely consequences of the breach for affected data subjects — including the risk of identity theft, financial fraud, discrimination, reputational damage, or other harm. This assessment informs the DPC's risk evaluation and the determination of whether Article 34 data subject notification is required.

The remediation measures section describes the steps taken or proposed by the controller to address the breach and to mitigate its adverse effects — including technical measures (containing the breach, patching vulnerabilities, revoking compromised credentials, restoring from backups), organisational measures (staff notifications, process changes, disciplinary actions), and communication measures (notifying affected data subjects, engaging with law enforcement).

The data subject notification section (for Article 34 notifications) contains the communication to be sent to affected data subjects — describing the nature of the breach, the contact details for further information, the likely consequences, and the steps data subjects can take to protect themselves. The communication must be in clear and plain language, accessible to the intended recipients.

The DPC notification section confirms the date and time of submission of the notification to the DPC through the DPC's online breach notification portal at dataprotection.ie, and includes the DPC reference number assigned to the notification (where available).

The breach register entry section records the information required by Article 33(5) of the GDPR for the organisation's internal breach register — the date of the breach, the date of awareness, the date of DPC notification, the nature of the breach, the categories and volume of data and data subjects affected, the risk assessment, the notification decisions made (DPC and data subject notification), and the remediation actions completed.

All breach notifications should be reviewed by the organisation's DPO or legal counsel before submission to the DPC, to confirm completeness, accuracy, and compliance with Article 33(3) of the GDPR.

The post-incident review section documents the lessons learned from the breach: the root cause analysis, the gaps in technical or organisational security measures that enabled the breach, and the corrective actions implemented to prevent recurrence. This section supports the organisation's obligations under Article 32 of the GDPR to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and demonstrates accountability under Article 5(2).

Some Irish organisations are also subject to the Network and Information Security (NIS2) Directive (EU) 2022/2555. Ireland's transposition of NIS2 is being effected through the National Cyber Security Bill 2024 (the General Scheme of which was published on 30 August 2024), which will replace the existing S.I. No. 360 of 2018 regulations. The National Cyber Security Centre (NCSC) will be the lead competent authority under NIS2. Under the NIS2 framework, significant cybersecurity incidents must be reported to the NCSC with an early warning within 24 hours of awareness, followed by a full incident report within 72 hours, in addition to any GDPR breach notification obligation to the DPC.

The forms-legal.com GDPR Data Breach Notification (Ireland) template covers the mandatory elements under the Data Protection Act 2018 (GDPR).

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). GDPR Data Breach Notification (Ireland) (Ireland) [Legal document template]. Forms Legal. https://forms-legal.com/ireland/business/policies/gdpr-data-breach-notification-ireland

Based on Data Protection Act 2018 (GDPR). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.