If a breach occurs it must be reported within 72 hours of becoming aware of it. Affected individuals also need to be informed if the breach could adversely impact them.
A breach detection procedure to ensure decisions and assessments of the severity of a breach are made quickly is key.
Data breaches need to be logged even if notification was deemed unnecessary.