Introduction

Spotting and reporting a data breach

However well you work, sometimes things go wrong anyway. An email to the wrong person, a lost laptop, an unwanted sign-in: it can happen to anyone. What counts then is how quickly you spot it, report it, and adjust. That is the difference between an incident and a serious problem.

What you will learn in this module
  • What a data breach is and how to recognise it in daily work
  • What to do in the first minutes and who to report it to internally
  • How the 72-hour reporting obligation works and what cyber insurance adds

What is a data breach?

A data breach is broader than a hack

A personal data breach is much more than a hack. It is any situation where personal data is accidentally lost, altered, or ends up in the wrong hands.

Personal data breach: a breach of security that accidentally or unlawfully leads to the loss, destruction, alteration, or unauthorised disclosure of personal data, or to unauthorised access to it. A breach therefore covers much more than a hack: a loss, a wrong recipient, or a faulty system are also breaches.

Examples from practice:

  • An email with a customer list that accidentally goes to the wrong recipient.
  • A lost or stolen laptop, phone, or USB stick with work data.
  • A hacked account or mailbox, even if “nothing” seems to have happened.
  • A paper file that disappears or ends up in the wrong hands.
  • A fault in a system that lets customers see each other’s data.
The three kinds of data breach

Officially we talk about loss of confidentiality (someone sees data they were not allowed to see), integrity (data is unintentionally altered), and availability (you lose data or can no longer reach it). For you, the practical question is enough: was personal data unintentionally affected?

Early signals

How do you spot it in time?

Some breaches are immediately obvious (the email is already sent, the laptop is really gone). Others creep in quietly. A few signals to stay alert for:

  • A customer or supplier mentions something: “I got your mailing today with other customers’ names in it”, or “I got a strange email that looks like yours”.
  • Unusual activity on your account: unexpected sign-in alerts, emails in your sent folder you did not send, rules that have been changed.
  • A colleague reports something odd: a missing document, an unexplained change, a lost device.
  • IT or your software warns you: an antivirus that fires, an unexpected “password changed”, a notice from your service that someone signed in from abroad.
  • Clicked on phishing? Even if nothing seems to happen, treat it as a possible breach until proven otherwise.
For IT and software companies: detection is essential

Does your organisation work with a lot of data, or do you build software yourselves? Then invest in intrusion detection and log monitoring (suspicious sign-ins, abnormal activity, automated alerts). The difference between a breach you spot in fifteen minutes and one you only discover after fifteen weeks is huge: not only in damage, but also in fines and reputation. For SMEs there are affordable cloud options and managed security services today.
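The kind of log monitoring this paragraph asks for, as an added illustration that is not part of the course: a small monitor that walks a constructed sign-in log and raises the signals listed above (a first sign-in from an unexpected country, a sign-in outside working hours, a mailbox rule change). The log format, the home country and the working hours are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log for this example (assumed format:
# "<ISO timestamp> <user> <event> <country code or ->").
SAMPLE_LOG = """\
2024-05-06T09:02:11 alice login_success GB
2024-05-06T09:10:40 bob login_success GB
2024-05-06T17:45:03 alice login_success GB
2024-05-07T03:14:27 alice login_success RO
2024-05-07T03:16:02 alice mailbox_rule_created -
2024-05-07T08:30:55 bob login_success GB
"""

HOME_COUNTRIES = {"GB"}    # assumption: the business operates from the UK
WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 is a normal sign-in time


def parse(log_text):
    """Turn the raw log into a list of event dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, country = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "event": event, "country": country})
    return events


def detect(events):
    """Return human-readable alert lines, one per suspicious event.

    The lines double as the short timeline the module asks you to keep:
    what happened, when, and on whose account.
    """
    alerts = []
    seen = defaultdict(set)  # countries each user has already signed in from
    for e in events:
        when = e["time"].strftime("%Y-%m-%d %H:%M")
        who = e["user"]
        if e["event"] == "login_success":
            country = e["country"]
            if country not in HOME_COUNTRIES and country not in seen[who]:
                alerts.append(f"{when} {who}: first sign-in from {country}")
            if e["time"].hour not in WORK_HOURS:
                alerts.append(f"{when} {who}: sign-in outside working hours")
            seen[who].add(country)
        elif e["event"] == "mailbox_rule_created":
            # Attackers who get into a mailbox often add forwarding or
            # delete rules; the module lists changed rules as a signal.
            alerts.append(f"{when} {who}: mailbox rule changed")
    return alerts


if __name__ == "__main__":
    for line in detect(parse(SAMPLE_LOG)):
        print(line)
```

A real deployment would read the provider's own sign-in audit log and route the alert lines to whoever follows up incidents, rather than printing them.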

Better one alert too many than one missed

If you are unsure whether something is a breach, treat it as a possible breach. Your manager, IT lead, or DPO assesses the severity, not you. Better one alert too many than one missed.

First minutes

What do you do in the first minutes?

The first reaction often determines how big the damage becomes. A short order that always works:

  1. Stay calm and do nothing that wipes traces. No rushed panic actions, no emptying mailboxes, no throwing away documents.
  2. Limit the damage if you can: recall a wrongly sent email (Outlook/Gmail), make a shared link unusable, lock a device remotely, or briefly take it off the network.
  3. Report internally, quickly. The email, phone call, or message to your manager, IT lead, or DPO (Data Protection Officer) can be rough and uncertain. A quick rough report is better than a polished one that comes too late. (The DPO is the internal or external person responsible for data protection within your organisation: required for some companies under the GDPR, optional but recommended for others. In a possible breach, the DPO is usually the one who decides whether the supervisory authority, the ICO in the UK, must be contacted.)
  4. Document what you know: what happened, when, which data is involved, who may have seen it. A short timeline on a note is enough.
Do not blame yourself, recovery is a team effort

Everyone makes a mistake once. An organisation that punishes its people for reporting errors gets an organisation where errors are hidden. That is far more dangerous than the original mistake.

The 72-hour rule

The 72-hour rule, briefly and without panic

Under the GDPR your organisation must report a serious data breach within 72 hours to the supervisory authority (in the UK, the ICO). If the breach poses a high risk to the data subjects, you must also notify them.

Supervisory authority: in the UK, the Information Commissioner's Office (ICO). It receives breach notifications, handles complaints from individuals, and can audit and sanction organisations. Each country has its own authority (in France: the CNIL; in Germany: the BfDI and the state DPAs).

  • The 72 hours start as soon as your organisation becomes aware of the breach. So every hour after your internal report counts.
  • Not every breach has to be reported: a low-risk minor incident is only logged internally. The assessment is made by your manager, IT, or DPO.
  • Your role: report internally quickly and honestly. What happens after that is an organisational task.
Read more in the knowledge base: Data breach: what to do?

The knowledge base sets out step by step how an SME logs, assesses, and reports a breach. A useful reference for whoever follows up incidents inside your organisation.

Cyber insurance

And cyber insurance?

More and more SMEs take out cyber insurance as a safety net for serious incidents. It does not only cover financial damage; it also gives access to fast legal and technical support when you need it most.

Cyber insurance: an insurance that covers financial damage from cyber incidents: investigation, recovery, legal support, communication to customers, and sometimes ransom in ransomware cases. It is not a replacement for good security, but a useful safety net for the damage and the support after a serious incident.

  • Insurance does not replace good security, but it softens the impact.
  • Many policies require you to meet basic requirements: 2FA, backups, updates, a code of conduct. The habits from this course, in other words.
  • When in doubt, ask your insurance broker exactly what your policy covers and which conditions apply.
Read more in the knowledge base: Cyber security insurance

Cyber insurance works best in combination with an organisation that has the basics in order. Read in the knowledge base what to look out for when choosing one.

What do you do?

Wrong email sent

You have just emailed a quote to a customer, but you notice you accidentally attached another customer's file. It contains their name, address, and invoice amounts.

What do you do first?

What do you do?

Suspicious activity on your account

In the morning you get an email from your work email provider: "We see a sign-in from Romania at 03:14 last night. Was that you?" You were at home asleep and have never been to Romania.

What do you do?

Practice · question 1 of 2
Just practice, this does not count toward your certificate
Which statement about what counts as a data breach is true?
Correct: a breach is any security breach where personal data is unintentionally affected. A wrongly sent email, a lost laptop or USB stick, a hacked mailbox, or a paper file that disappears: all are breaches under the GDPR.
Practice · question 2 of 2
What is the first step if you discover a possible data breach?
Correct: reporting internally is always the first step. The assessment whether it must be reported to the supervisory authority (and possibly to the data subjects) is made by your manager, IT, or DPO. The faster you report, the bigger the chance that the 72-hour deadline is met.
Summary

What you take away from module 5

  • A data breach is broader than a hack: a loss, a wrongly sent email, or a hacked account counts too.
  • Stay alert to early signals: a customer who notices something, unusual account activity, a warning from IT.
  • First minutes: stay calm, limit damage if you can, report internally quickly, document briefly.
  • The GDPR 72-hour reporting obligation starts with your organisation. Your role is to report internally quickly and honestly.
  • Cyber insurance is a useful safety net, but it does not replace good security.
  • Better one alert too many than one missed.
Module complete

Module 5 complete 🎉

Ready for the final exam. You have the five building blocks of security awareness in hand: why it matters for everyone, how to protect your accounts, how to handle access and systems, how to work safely with data, and what to do when something goes wrong. Time to confirm it.

5 of 6 modules

On your way to your “Security awareness” certificate

Complete all 6 modules and pass the final exam (at least 70%) to receive a personal certificate of attendance in your name.

Modules 1-5 complete. Still to do: final exam (≥ 70%).