How should we respond in the case of a data breach?

Under the GDPR, you need to report any breach to the Data Protection Authority generally within 72 hours of becoming aware of it. You also have to inform the individuals whose data you have processed, when it is likely that the breach could have a negative impact on them – for example if financial data is leaked, or if unauthorised persons might have access to their medical information.