
Data breaches have become one of the major risks facing businesses, government agencies, and associations. In France alone, the CNIL (National Commission for Information Technology and Civil Liberties) recorded more than 5,600 breaches in 2024, an increase of 20% over the previous year. Globally, the average cost of a data breach still stands at $4.44 million in 2025, with peaks of over $10 million in the United States.

A leak of sensitive information can have serious consequences: loss of client trust, damage to reputation, regulatory sanctions, and even direct financial impacts.

In this article, we will explain what a data breach is, how to respond effectively, and what measures to put in place to limit its impact. Understanding these issues is now essential for any organization.

IT protection against data breaches

1. What is a data breach?

According to the General Data Protection Regulation (GDPR), a personal data breach refers to a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or processed.

In practice, this may concern both individuals and businesses:

  • unauthorized access by a third party to client files, user accounts, or HR records,
  • the accidental sending of sensitive information to the wrong recipient, compromising data confidentiality,
  • the loss or theft of a laptop containing personal data and health data,
  • a hack that compromises a database or browser cookies.

2. The most common causes

Data breaches can have several causes, with each type of breach having its own specific characteristics:

  • Human error: an employee sharing a document with the wrong people or losing an unencrypted USB drive.
  • Cyberattacks: phishing, ransomware, exploitation of software vulnerabilities affecting system availability.
  • Technical failures: server failure, lack of backup, incorrect configuration of tools or cookie manager.
  • Unauthorized physical access: theft of computers, intrusion into premises requiring police intervention.

3. What are the consequences of a data breach?

A data breach is never a trivial incident. Its repercussions can affect both the individuals concerned and the organization responsible, with legal, financial, and reputational impacts that can sometimes be considerable.

For those affected

Leakage of banking data, identity theft, breach of privacy rights, and damage to reputation, which is particularly serious when a large number of people are affected.

For the organization

The consequences are manifold:

  • Damage to brand image and loss of client confidence.
  • Financial costs (technical remediation, legal assistance, crisis communication).
  • Risk of administrative penalties by supervisory authorities (such as the CNIL in France), which may amount to up to €20 million or 4% of global annual turnover, according to the GDPR. Class actions may also be initiated by an association defending individual freedoms.

Crisis management after a data breach

5. Data breach: who is responsible?

When a personal data breach occurs, one question always arises: who should be held accountable?

The data controller remains, in all circumstances, the main party responsible before the law. Even if the breach originates from a service provider, it is the organization that decides how the data is used that remains legally responsible.

The processor, for its part, is not exempt: it must implement security measures, comply with its contractual obligations, and promptly report any incidents.

In practice, a data controller cannot delegate their accountability. They must select reliable service providers, regularly check their GDPR compliance, and regulate the relationship contractually.
It is this vigilance that reduces the risk of breaches related to external partners.

6. Legal obligations and regulatory references in the event of a breach

The GDPR sets out a clear procedure in the event of a data breach:

  • Notification to the supervisory authority (in France, the CNIL) within 72 hours of becoming aware of the breach, unless the breach poses no risk to the individuals concerned. This breach notification obligation is fundamental.
  • Notification of data subjects when the breach is likely to result in a high risk to their rights and freedoms.
  • Internal documentation: each breach must be recorded in an internal register, even if it is not reported, to serve as a reference for future audits.

These obligations aim to increase transparency and encourage organizations to strengthen their security practices.

7. In practical terms, how should you respond to a data breach?

Best practices for responding to or limiting a data breach

When a breach occurs, time is of the essence. Here are the key steps to follow in this emergency procedure:

1️⃣ Accurately identify the nature and extent of the breach

Start by understanding what happened:

  • What types of data are involved (emails, health data, banking data, login credentials, etc.)?
  • How many people are affected?
  • Is the breach confirmed or merely suspected?

2️⃣ Stop the leak and secure the systems

Take immediate technical measures to limit the incident: cut off compromised access, change passwords, isolate an infected server, suspend a service provider, etc.
Without this step, the assessment and notifications are based on a situation that is still active, which increases the risk.

3️⃣ Assess the level of risk of the data breach

Once the breach has been identified, its severity must be assessed. This step determines whether the incident should be reported to the CNIL, communicated to the individuals concerned, or simply recorded internally.

To assess the risk, ask yourself three questions:

  1. Nature of the data concerned: is it basic contact data (e.g., email) or sensitive data (e.g., health, financial data, login credentials)?
  2. Extent of the incident: how many people are affected? Has the data been made public or is it limited to a small circle?
  3. Possible consequences: what specific harm could individuals suffer (identity theft, fraud, damage to reputation, loss of confidentiality)?

By cross-referencing these criteria, the breach can be classified into one of three levels:

  • Low risk: limited impact, low sensitivity of data, low probability of exploitation.
  • Moderate risk: more sensitive data, limited but real dissemination, possible consequences.
  • High risk: sensitive or critical data, large number of people affected, potentially serious consequences.

This classification is essential because it determines the follow-up action to be taken: notification, informing individuals, or simple internal documentation.

4️⃣ Notify the CNIL within 72 hours

If the breach is likely to adversely affect the rights and freedoms of the individuals concerned, notification is mandatory. The legal deadline is 72 hours after the incident is discovered.

5️⃣ Inform the persons concerned (if high risk)

When the breach poses a high risk to individuals' rights and freedoms (e.g., health data, financial information, sensitive identifiers), the organization must directly notify the individuals affected.

Information must be:

  • Clear and understandable: avoid technical jargon, use accessible language.
  • Transparent: explain the nature of the breach and the data involved.
  • Helpful: indicate the possible consequences and, above all, the measures that the person can take to protect themselves.
  • Proactive: provide contact details (internal department or dedicated email address) for asking questions or obtaining assistance.

You can inform the people concerned via a personalized email (the fastest and most direct solution) or via a message sent through a client area or a notification in an application if this guarantees that the message will be received.

Please note: simply publishing the information on a website or in a press release is not sufficient, except in exceptional cases where direct contact is impossible (e.g., very large number of people or missing contact details).

6️⃣ Document the incident (even without notification)

Even if no external notification is required, each incident must be recorded in an internal breach log. This log may be requested during a CNIL inspection or in the event of a complaint. It proves that the organization has identified and managed the incident.

7️⃣ Keep track of all your actions

Keep a complete record of each step: risk assessment, decisions made, deadlines met, notifications, corrective actions.
In the event of an audit, this traceability demonstrates your ability to manage a crisis in a responsible and structured manner.

8. Best practices for limiting risks

Although there is no such thing as zero risk, several measures can significantly reduce the likelihood and impact of a data breach:

  • Implement a clear and regularly updated IT security policy.
  • Train and raise awareness among employees about digital risks and best practices.
  • Protect access with strong passwords and multi-factor authentication.
  • Encrypt sensitive data, whether in storage or during transmission.
  • Perform regular backups and test their restoration.
  • Regularly monitor and audit systems to detect vulnerabilities.
  • Prepare a crisis management plan to respond effectively in the event of an incident, defining which internal department will be responsible for management.

Conclusion: Data breaches, a strategic issue

Data breaches are not just a technical issue: they directly affect the trust of your clients, partners, and employees.

Adopting proactive governance and appropriate cybersecurity measures has become essential. These actions are not just a legal obligation: they protect people, preserve reputation, and ensure business continuity.

At Dipeeo, as an external DPO, we support our clients in anticipating and managing data breach risks: GDPR compliance, incident response procedures, and team awareness. Our mission: to make GDPR compliance your best business ally.

Anaïs Guilloton

Marketing Manager - GDPR Expert