
How to respond to a data breach in your SME effectively and securely
A data breach is one of the main reasons for sanctions imposed by the Spanish Data Protection Agency (AEPD). According to the AEPD’s 2024 Annual Report (published in May 2025), the agency opened 30 sanctioning or warning proceedings related to data breaches last year, with total fines amounting to €13.18 million—37% of all sanctions imposed.
For small and medium-sized enterprises (SMEs), these figures highlight a real risk: 70% of the sanctions in 2024 were issued to SMEs and self-employed professionals. Beyond fines, the average cost of a cyberattack for an SME—considering system recovery, business disruption, and reputational damage—is estimated at around €75,000.
What is a data breach?
Under the General Data Protection Regulation (GDPR), a data breach is defined as: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
A mere technical error is not enough to qualify. To be considered a breach, the incident must compromise the confidentiality, integrity, or availability of personal data in a way that could affect individuals’ rights and freedoms.
Breaches may occur due to accidents or malicious actions, such as human error, lost devices, ransomware attacks, or unauthorised access.
How should an SME respond to a data breach?
The GDPR’s accountability principle requires companies to adopt appropriate technical and organisational measures to prevent incidents—and to demonstrate this compliance. This includes having security policies, staff training, and clear internal protocols. Once a breach is detected, the company must act immediately to contain it, assess its scope, and document the entire response. An effective breach response aims to resolve the incident, minimise harm, and prevent recurrence.
Recommended steps after a breach:
- Document the incident: Record the date and time, nature of the breach (what happened), and which data were affected.
- Contain the breach: Isolate compromised systems (e.g. disconnect infected devices), or restore data from backups.
- Record the breach in the incident log: Keep an internal register of all data breaches, including relevant details and actions taken. This record is mandatory, and the AEPD may request it as evidence of due diligence.
- Assess the risk: Analyse whether the breach poses a risk to individuals’ rights and freedoms. Document this assessment, considering:
  - Type and volume of data involved
  - Number of individuals affected and how easily they can be identified
  - Possible harm or consequences for data subjects
Notifying the AEPD
If the risk assessment reveals any risk to individuals’ rights and freedoms, the data controller must notify the AEPD within 72 hours of becoming aware of the breach. Notification must be made via the official form available on the AEPD’s online portal.
The notification must include:
- A description of the breach and the type of data affected
- Estimated number of individuals and records impacted
- Potential consequences
- Measures taken or planned to address the breach
- Contact details of the Data Protection Officer (DPO) or responsible person
Failure to comply with the 72-hour deadline may increase the severity of any sanctions imposed.
Communicating with affected individuals
If the breach poses a high risk to the rights and freedoms of individuals, the data controller must promptly inform the affected persons in clear and plain language. This communication should include:
- What happened (nature of the breach)
- Likely risks to the individual
- Measures the company has taken
- Practical advice (e.g. change passwords)
- Contact details for queries or support
Data breaches are not just a concern for large corporations. Increasingly, SMEs and self-employed professionals are being sanctioned for non-compliance and lack of due diligence.
Having a response plan, clear protocols, and appropriate technical and organisational measures in place reduces the impact of a breach and can mean the difference between a formal warning and a financial penalty.