Data Breach and GDPR: What It Is, Notification Duties and Fines
9 min read · AstraLoop Studio
If you run a business, the term "data breach" almost always reaches you at the worst possible moment, that is, once it has already happened. An employee clicks the wrong email, a piece of management software gets breached, a backup ends up on an exposed server. From that moment a very concrete clock starts ticking, the 72 hours the GDPR gives you to notify the breach to the Data Protection Authority (the Garante). Anyone who doesn't know this, or finds out too late, risks fines that start at a few thousand euros and can climb high enough to shut a business down.
Let's look at what actually counts as a data breach under EU Regulation 2016/679 (GDPR), when the notification duty kicks in, how much the fines are worth based on the Garante's latest figures, and, above all, why prevention costs a fraction of what it costs to manage the incident after the fact.

What is a data breach under the GDPR
The formal definition sits in Article 4 of the GDPR. A data breach ("personal data breach") is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
In practical terms, you don't need a Hollywood-style hack. A data breach is any event that compromises one of three properties of personal data:
- Confidentiality: someone accesses the data without authorisation (stolen credentials, an exposed database, an email sent to the wrong recipient).
- Integrity: the data is altered unintentionally (ransomware that encrypts it, an unlawful modification).
- Availability: the data becomes inaccessible or is lost (a destroyed server, a deleted backup, a folder encrypted by an attack).
This means the definition also covers events the average business owner wouldn't think of as a "breach": a stolen laptop containing the customer database, a lost USB drive, an employee who accidentally sends an invoice with tax data to the wrong client, a fire that destroys paper records with no backup copy. All of these are data breaches to every legal effect.
A data breach doesn't necessarily mean a cyberattack
This is the most common misconception. Most breaches notified to the Garante do have a technical origin (malware, ransomware, phishing), but a substantial share stems from human error or organisational gaps. That's why talking only about "defending against hackers" misses the point: protecting data depends on procedures, permissions, training and vendor oversight, not just antivirus software.
The Garante's numbers: how widespread is the problem in Italy
Figures published by Italy's Data Protection Authority (Garante per la Protezione dei Dati Personali) point to steady growth. Data breach notifications received reached 2,204 in one year, an increase of roughly 22% over the previous period. Enforcement activity has intensified in parallel: we're talking about roughly €24 million in fines issued.
These figures need to be read alongside the wider picture of the cyber threat landscape for Italian SMEs. The Clusit 2026 Report puts Italy at around 10% of global incidents, with a 23% rise in severe attacks in the first quarter and small and medium businesses targeted in 72% of cases. A data breach is no longer a big-corporation problem: it's the operational norm for a company with 10, 30 or 50 employees.
One figure worth flagging: roughly 30% of breaches involve a third party, meaning a supplier, an external consultant, a piece of management software, a cloud service. The perimeter you need to protect doesn't stop at your company's own walls.
The notification duty: the 72-hour rule
This is the core of the GDPR's obligations, and where many businesses get it wrong. Article 33 of the Regulation states that, in the event of a personal data breach, the data controller (i.e., the company) must notify the breach to the Garante within 72 hours of becoming aware of it.
The 72 hours don't start from the attack, but from awareness of the breach. Which makes it critical to have systems that let you notice quickly: a breach discovered three months later doesn't cancel the obligation, if anything it worsens your position because it demonstrates inadequate monitoring.
When notification is NOT mandatory
Not every breach needs to be notified. Article 33 provides an exception: notification to the Garante isn't required if "the breach is unlikely to result in a risk to the rights and freedoms of natural persons." A classic example: a file encrypted with a strong key gets stolen, but the data remains unreadable. In that case the risk is low.
Careful though, that assessment must be documented. Even when you decide not to notify, you must keep a record of the reasoning in the breach register, mandatory under Article 33(5). The Garante can request it at any time.
When you also have to notify the people affected
There's a second level. Article 34 states that, if the breach poses a high risk to people's rights (think health data, banking data, login credentials), you must also inform the affected individuals directly, that is, the customers, patients or employees involved. Without undue delay and in clear language.
This step carries an enormous reputational cost: telling thousands of customers that their data has been exposed is a blow to trust that's hard to recover from. We go into detail on this when we cover exactly what to do in the 72 hours after a data breach.

The fines: how much is really at stake
The GDPR sets out two penalty tiers, defined by Article 83. A poorly handled data breach can fall into either one.
| Tier | Maximum | Typical violations |
|---|---|---|
| First tier | Up to €10 million or 2% of annual worldwide turnover | Failure to keep a register, inadequate security measures (Art. 32), failure to notify (Art. 33 and 34) |
| Second tier | Up to €20 million or 4% of annual worldwide turnover | Violation of processing principles, of data subjects' rights, unlawful data transfers |
The higher of the two figures, fixed amount or percentage of turnover, always applies. For an SME, the theoretical €20 million ceiling is out of reach, but 4% of turnover certainly isn't: for a company with €3 million in revenue, that's potentially €120,000. And when calibrating the fine, the Garante looks at whether you had adequate measures in place before the incident.
Here's the point few people explain to business owners: the fine doesn't just punish the breach itself, it punishes the negligence that made it possible. A company that can show it carried out an audit, adopted technical and organisational measures, trained its staff and responded on time is treated very differently from one that had no safeguards at all. Documented prevention is the first line of defence even at the enforcement stage.
The real cost isn't just the fine
The Garante's fine is the most visible line item, but not the heaviest. On top of a data breach you have operational downtime, system restoration, legal and forensic consulting, lost customers and, increasingly, extortion. Ransomware in Italy is evolving toward double and triple extortion, with an average cost for SMEs between €35,000 and €250,000. We break down all of these cost items in our analysis of the real cost of a data breach and the ROI of prevention.
The difference between a hefty fine and an orderly response is decided before the incident happens. Request an assessment of your exposure to data breaches and let's find out together where you're exposed.
GDPR isn't the only obligation: NIS2 is here
From 2026 the regulatory picture widens. The NIS2 directive introduces cybersecurity and incident-notification obligations for a far broader range of companies than before, with operational deadlines throughout 2026 and one heavy new element: direct liability for CEOs and management bodies, no longer something you can delegate to IT.
NIS2 incident notification runs alongside GDPR notification: they're two separate tracks (one focused on service security, the other on personal data protection) that often trigger together. If you want to know whether these obligations apply to you, start by checking whether NIS2 applies to your company and by reviewing the concrete 2026 deadlines. The risk is finding yourself managing a breach with two clocks running in parallel and no procedure ready.
How to prevent a data breach
Notification is the reaction. Prevention is what decides whether the breach happens at all, how severe it is, and where you stand in front of the Garante. The measures that make a difference are concrete and, for the most part, within reach of any SME:
- Map your personal data: know what data you process, where it's stored and who can access it. You can't protect what you don't know you have.
- Access control: minimum necessary permissions, two-factor authentication, immediate revocation of access for anyone who leaves the company.
- Tested backups: a backup you've never tried restoring isn't a backup. It's the single best defence against ransomware.
- Staff training: most breaches start with a click. Anti-phishing training cuts risk more than a lot of expensive tools do.
- Vendor oversight: anyone who processes your data (management software, cloud, consultants) must guarantee adequate measures. 30% of breaches pass through third parties.
- Governance of AI use: more and more employees paste company data into ChatGPT or similar tools. This issue, known as Shadow AI, is a growing source of data leaks and potential GDPR violations.
The security audit: the snapshot you need
All of these measures need a starting point, namely knowing where you're weak. That's what a full IT security audit does: it identifies technical and organisational vulnerabilities before an attacker does, and produces the documentation that demonstrates due diligence in front of the Garante.
A serious audit isn't a cheap automated scan spitting out a PDF of generic warnings. It's an analysis grounded in your actual processes, the data you handle and how you handle it. If you want to get into the technical detail, the distinction between a vulnerability assessment and a penetration test is the first fork in the road for choosing the level of testing that fits your situation.
In short
A data breach is any event that compromises the confidentiality, integrity or availability of personal data, not just a hacker attack. The GDPR requires you to notify the Garante within 72 hours of discovery and, in high-risk cases, to notify the affected individuals too. Fines run up to €20 million or 4% of turnover, but they're calibrated on how prepared you were beforehand. The most effective lever isn't reacting better, it's preventing, documenting, and not being caught unprepared the moment the 72-hour clock starts running.
Frequently asked questions
What exactly counts as a data breach under the GDPR?
It's a security breach that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It covers cyberattacks but also human error, stolen laptops, emails sent to the wrong recipient, or lost backups.
How quickly must a data breach be reported to the Garante?
Within 72 hours of the company becoming aware of the breach, under Article 33 of the GDPR. The clock starts from discovery, not from the attack. If the risk to affected individuals is unlikely, notification to the Garante may not be required, but the assessment must still be documented.
What are the fines for a poorly handled data breach?
The GDPR sets two tiers: up to €10 million or 2% of turnover for inadequate security measures and failure to notify, up to €20 million or 4% of turnover for more serious violations. The higher of the fixed amount and the percentage always applies.
Do I have to notify affected customers as well?
Yes, if the breach poses a high risk to people's rights (for example health data, banking data or login credentials). Article 34 of the GDPR requires you to inform the affected individuals without undue delay and in clear language.
Does a human error count as a data breach?
Yes. Sending an email with personal data to the wrong recipient, losing a USB drive, or accidentally deleting an archive with no backup are all data breaches in every legal sense, with the same notification obligations as a cyberattack.
How can an SME prevent a data breach?
By mapping the data it processes, restricting access, testing backups, training staff against phishing, vetting suppliers, and governing the use of AI tools. The starting point is a security audit that identifies vulnerabilities and documents the diligence adopted.
Want to be ready for the moment the 72-hour clock starts running? Talk to us and let's assess a security audit tailored to your company.