Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, the idea of a “GDPR breach” can sound like something that only happens to big tech companies with huge databases.
In reality, a GDPR breach can happen to any business that handles personal data - including a local café with a staff rota spreadsheet, a trades business with customer addresses on a phone, or an eCommerce store processing deliveries and refunds.
This guide explains what a GDPR breach is, what counts (and what doesn’t), real-world examples, and the practical steps you should take next to protect your business.
What Is A GDPR Breach (In Plain English)?
Under the UK GDPR (and the Data Protection Act 2018), a “personal data breach” means a security incident that leads to the:
- accidental or unlawful destruction of personal data,
- loss of personal data,
- alteration of personal data,
- unauthorised disclosure of personal data, or
- unauthorised access to personal data.
That definition is broader than many business owners expect. It’s not limited to hacking. It can include everyday mistakes like sending an email to the wrong person, losing an unencrypted laptop, or giving staff access to data they shouldn’t be able to see.
What Counts As “Personal Data” For Your Business?
Personal data is any information that can identify a person directly or indirectly. Common examples for SMEs include:
- names, email addresses, phone numbers
- postal addresses and delivery details
- IP addresses and online identifiers
- customer account details
- employee HR records
- CCTV footage where people are identifiable
Some data is more sensitive and higher risk. For example, health information, biometric data (used for identification), ethnicity, or details about a person’s sex life or political opinions are “special category” personal data (with stricter rules and higher breach risk).
Is Every Mistake A GDPR Breach?
Not every data issue needs to be reported to the ICO - but many incidents are still personal data breaches that you should document and handle properly.
A useful way to think about it is the “CIA” triad of security principles (confidentiality, integrity, availability):
- Confidentiality: was data seen or shared by someone who shouldn’t have it?
- Integrity: was data changed, corrupted, or tampered with?
- Availability: was data lost or made unavailable when you need it?
If the incident affects any of those, you may have a personal data breach. The next question is whether it’s likely to create a risk to people’s rights and freedoms - which affects whether you need to notify the ICO and/or the individuals impacted.
Common GDPR Breach Examples For Small Businesses
When people ask what a GDPR breach looks like, they’re often really asking: “what does this look like in real life for my business?”
Here are common SME scenarios that can count as GDPR breaches:
1. Emailing Personal Data To The Wrong Person
- sending an invoice or order confirmation with someone else’s details
- CC’ing a whole customer list instead of using BCC
- forwarding a customer complaint thread to the wrong supplier
These are “unauthorised disclosures” and are very common.
2. Lost Or Stolen Devices
- a stolen laptop containing customer records
- a lost phone with staff WhatsApp messages containing customer addresses
- a USB drive with payroll details left in a public place
If devices aren’t encrypted and protected, the risk level increases quickly.
3. Ransomware Or Malware Attacks
If an attacker encrypts your files and blocks access to personal data (even if you don’t have evidence the data was “stolen”), that can still be a breach due to loss of availability - and it may also involve confidentiality if data was accessed or exfiltrated.
4. Incorrect Access Permissions
- an intern can view HR files
- ex-employees still have access to Google Drive folders
- a contractor is given full admin access “for convenience”
This is why access controls and offboarding matter. If your team uses cloud tools, it’s also worth checking your setup and contracts - for example, how Google Drive is configured for the way you store and share personal data.
5. CCTV And Workplace Monitoring Missteps
If you use CCTV, door cameras, or monitoring tools, issues can include:
- recording more than you need (e.g. public pavement or neighbouring premises)
- keeping footage for too long without justification
- not telling people clearly that recording is happening
- collecting audio when you didn’t mean to
Audio recording in particular can raise extra legal and privacy risks. If you’re considering it, it’s worth understanding the compliance angle around CCTV with audio.
6. Accidental Sharing Of Employee Data
- publishing a rota with home addresses or phone numbers visible
- sharing sickness information too widely internally
- sending the wrong payslip to the wrong employee
These are often preventable with better processes and clear policies.
Why A GDPR Breach Matters (Beyond Fines)
It’s easy to focus only on the headline risk of “GDPR fines”. While enforcement is real, for many SMEs the more immediate risks are commercial and operational.
Key Risks For Your Business
- Reputation damage: customers (and employees) may lose trust, especially if the breach involves financial or contact details.
- Operational disruption: ransomware or a compromised email account can halt your business for days.
- Legal exposure: individuals may complain to the ICO, and in some cases pursue compensation if they’ve suffered damage or distress.
- Contract issues: you may have contractual obligations to notify clients (especially in B2B service arrangements) if a breach occurs.
- Cost of clean-up: forensic IT, customer comms, additional security controls, and staff time add up quickly.
When You Might Need To Notify The ICO
If a personal data breach is likely to result in a risk to people’s rights and freedoms, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.
If the breach is likely to result in a high risk to individuals, you may also need to notify the individuals affected.
The assessment depends on the facts - what data was involved, how many people are affected, what harm could happen, and whether you’ve mitigated the risk (e.g. remote wipe of a device, encryption, password resets). If you can’t provide all details within 72 hours, you can usually submit an initial report and follow up with further information.
If you’re unsure, getting advice early can help you assess the risk properly and avoid missing a notification you should have made.
What Should You Do If You Suspect A GDPR Breach?
When a possible breach happens, speed and structure matter. You don’t need to panic - but you do need to act methodically.
Many businesses build these steps into a Data Breach Response Plan so your team isn’t making it up as they go along in the middle of an incident.
Step 1: Contain The Breach Immediately
- Recall the email (if possible) and ask the recipient to delete it (and confirm deletion).
- Disable compromised accounts, reset passwords, and remove access permissions.
- Isolate affected devices from your network if malware is suspected.
- Enable remote wipe for lost devices (if available).
The key is to reduce the chance of further unauthorised access or disclosure.
Step 2: Gather The Facts While They’re Fresh
Document:
- what happened (timeline)
- what systems/data were involved
- who is affected (customers, staff, suppliers)
- how many individuals may be impacted
- who discovered it and when
- what containment measures you’ve taken
Even if you decide the breach isn’t reportable, you should still keep an internal record of it (this is a UK GDPR requirement).
Step 3: Assess The Risk To Individuals
Ask practical questions, including:
- Does the data include financial details, ID documents, or passwords?
- Could someone suffer identity theft, fraud, harassment, or discrimination?
- Are vulnerable individuals involved?
- Is the data encrypted or otherwise protected?
- Was it accessed by a malicious actor, or was it an accidental internal mistake?
This risk assessment drives your notification decision.
Step 4: Decide Whether You Need To Notify The ICO (And Individuals)
If notification is required, you’ll usually need to explain:
- the nature of the breach
- approximate number of individuals and records affected
- likely consequences
- steps taken (or proposed) to address it
If you need to notify individuals, communications should be clear, honest, and focused on what they should do next (e.g. watch out for phishing, reset passwords, contact their bank).
Step 5: Fix The Root Cause (Not Just The Symptoms)
Common follow-up actions include:
- multi-factor authentication (MFA) on email and key systems
- tightening access permissions and offboarding processes
- staff training on phishing and data handling
- updating retention and deletion practices
- reviewing supplier agreements and IT security
This is also the time to look at your broader compliance setup - for example, whether your Privacy Policy is accurate about how you use and protect personal data, and whether you have the right internal documents and processes in place.
How Can You Reduce The Risk Of A GDPR Breach In Your Business?
No business can reduce risk to zero, but you can take sensible steps that dramatically lower the chance of a breach (and reduce the impact if one happens).
1. Only Collect The Data You Actually Need
Data minimisation is a GDPR principle for a reason: the less personal data you hold, the less you can lose.
- Do you really need dates of birth for a standard customer account?
- Do you still need old CVs from hiring rounds years ago?
- Could you store partial information instead of full datasets?
2. Train Staff And Set Clear Rules
Many breaches happen due to human error, not bad intent.
Have practical rules about:
- how to share files internally
- how to verify customer identities before disclosing details
- what to do if a laptop or phone goes missing
- how to spot phishing emails
It also helps to set boundaries around company systems and browsing behaviour. An Acceptable Use Policy can make expectations clear and reduce risky conduct that leads to security incidents.
3. Manage BYOD (Bring Your Own Device) Properly
If staff use their own mobiles for work, it’s convenient - but it can create GDPR headaches if you don’t put guardrails in place.
Think about:
- what business apps are allowed (and which aren’t)
- how you’ll handle lost phones
- whether data is backed up to personal iCloud/Google accounts
- what happens when someone leaves
This is a common risk area, so it’s worth sanity-checking your approach to work phones vs BYOD.
4. Check Your Suppliers And Data Processors
If you use third parties (payroll providers, email marketing platforms, booking systems, cloud storage, IT support), they may be “processors” handling personal data for you.
You’ll usually need the right contractual terms in place, plus confidence they have appropriate security measures.
For many small businesses, a tailored compliance setup (policies, contractual documents, and practical implementation steps) is more effective than trying to patch things together. A GDPR package can help ensure your documentation and processes match what you actually do.
5. Don’t Ignore Physical Security
GDPR breaches aren’t only digital. Paper records left on a counter, printed staff details in an unlocked office, or customer forms in an open bin can be breaches too.
Simple controls help:
- lockable storage for files
- clean desk policy
- secure disposal (e.g. shredding)
- restricted access to back offices
6. Have A Realistic Retention And Deletion Plan
Keeping data “just in case” is tempting, especially when storage is cheap - but long retention increases breach exposure.
Create a retention schedule that matches legal and operational needs, then actually delete data when it’s no longer required.
Key Takeaways
- A GDPR breach (under the UK GDPR) is a security incident causing the loss, destruction, alteration, unauthorised access, or unauthorised disclosure of personal data.
- GDPR breaches don’t just mean hacking - everyday mistakes like misdirected emails, incorrect permissions, and lost devices can qualify.
- Not every breach must be reported, but you should still record it and assess the risk to individuals.
- If a breach is likely to risk people’s rights and freedoms, you may need to notify the ICO within 72 hours of becoming aware of it - and in high-risk cases, notify affected individuals too.
- Strong prevention measures include data minimisation, staff training, access controls, BYOD rules, supplier management, and a practical incident response plan.
- Getting your privacy documentation and processes right from day one can reduce your breach risk and put you in a stronger position if an incident occurs.
If you’d like help putting the right GDPR documents and breach response steps in place for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk.