Limited resources are no excuse after a personal data breach

2 mins read • Legal Writer • GDPR • 8 July 2025

Personal data incidents are not just a big-company problem – smaller organisations are affected too. A misdirected invoice, a lost USB stick or a hacked email account can be enough to trigger GDPR duties on both remedial action and reporting.

Yet many smaller businesses are poorly prepared to handle an incident. Under the GDPR, every controller carries the same baseline responsibilities, regardless of its size or resources.

What is required of small businesses in a personal data breach?

Where a personal data breach is likely to present a risk to individuals' rights and freedoms, it must be notified to the Data Protection Agency without undue delay and, where feasible, no later than 72 hours after the organisation becomes aware of it. The clock runs from awareness, not from the moment the breach actually occurred. This applies equally to small companies, which must be able to demonstrate that they acted responsibly and in a structured manner throughout the event: that the breach was detected, assessed, notified where required, and documented.

Practical requirements small firms must still meet

  • Be able to detect and document incidents quickly and accurately, and maintain a clear written record of each one.
  • Assess whether the incident amounts to a personal data breach under the GDPR and whether it creates a risk for the data subjects concerned.
  • Notify the Data Protection Agency unless the breach is unlikely to result in a risk to data subjects, and do so within the 72-hour window.
  • Inform affected individuals without undue delay where the breach is likely to result in a high risk to them.
  • Keep a record of every personal data breach, including those that did not need to be notified, with the facts, effects and remedial action taken, and be able to produce procedures and records for any audit or supervisory review.

Although solutions can often be simpler for a smaller enterprise, the underlying principles are the same. It is not acceptable to avoid action on the basis that the organisation is small – in fact, that is often when the risks are most acute.

At Morling Consulting, our GDPR lawyers help small businesses understand their obligations, establish practical routines and act correctly when incidents occur. We provide preventive support and urgent assistance across Europe, from incident response to breach notification.