Read also: 3,191 unanswered messages—is that common? Email to the wrong person
3,191 data breaches were reported to the Norwegian Data Protection Authority in 2024. Most were everyday incidents — an email sent to the wrong recipient, a spreadsheet shared with the wrong group, a link that granted access to something it shouldn't have.
The deadline to report starts when you discover the breach. Not when it happened. If you discover it Thursday after lunch, the deadline is Sunday after lunch. Then no one is working. If you discover it Friday evening, the deadline is Monday evening — and in the meantime, someone must decide whether those affected should be notified, what the notification should contain, and who will send it.
72 hours sounds spacious. It is not.
What does this mean to you?
Make a simple contingency plan for personal data breaches — on one A4 page. Who decides, who reports to the Data Protection Authority, who notifies the affected parties. Write the template for the notification in advance. It is difficult to write well under pressure.
Inspired by: The Norwegian Data Protection Authority