
A global organisation has experienced a personal data breach. The damage appears contained, and the executive team decides not to notify anyone, determining internally that the breach is "not material."
This decision, based on a company's internal assessment of "materiality," is a dangerous gamble that ignores the strict, statutory notification duties mandated by data protection laws around the world, particularly in key markets such as the United Kingdom, the European Union, the UAE, and Saudi Arabia. Here is why self-assessing a breach as "immaterial" can lead directly to high-risk enforcement action in several jurisdictions at once.
The Legal Definition of a Breach vs. Business Materiality
Under the major data protection regimes, the definition of a personal data breach is broad and is triggered by the security event itself, not by its consequences for the business. It means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The legal trigger for notification is the risk to the individual's rights and freedoms, not the financial impact on the company.
1. The UK and EU Standard: Risk, Risk, and High Risk
For companies processing personal data subject to the UK GDPR or EU GDPR, the threshold for reporting is low and the timeline is extremely tight:
• Reporting to the Regulator (the Commissioner/Supervisory Authority): The Controller must notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
◦ The Exemption: This notification is only excused if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A finding that the breach is "not material" only relieves the Controller of the duty if it amounts, on the evidence, to that legal conclusion. If the notification is made more than 72 hours after awareness, it must be accompanied by reasons for the delay.
• Reporting to the Data Subject: The Controller has a separate duty to communicate the breach directly to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
• The Accountability Principle: Even if the company deems the breach low risk and decides not to notify, it must document the event, including the facts relating to the breach, its effects, and the remedial action taken. This documentation enables the Commissioner to later verify compliance.
A decision not to notify must therefore be supported by verifiable evidence of the absence of risk; otherwise, the organisation is in breach of its notification duties under Article 33 and Article 34.
2. The Global Requirement for Transparency
If the company processes data relating to individuals in other jurisdictions, those local laws impose independent and equally strict notification obligations:
• UAE Protection of Personal Data (Federal Decree by Law No. (45) of 2021): The Controller must notify the UAE Data Bureau (Office) if the breach or violation would prejudice the privacy, confidentiality and security of data. It must also notify the Data Subject if the breach would prejudice the privacy, confidentiality and security of his or her Personal Data.
• Saudi Arabia Personal Data Protection Law (PDPL): The Controller must notify the Competent Authority upon becoming aware of any breach, damage, or illegal access to personal data, in accordance with the Regulations. Furthermore, the Controller must notify the Data Subject if the breach would cause damage to their data or prejudice their rights and interests.
In all of these jurisdictions, the legal test turns on the potential damage or prejudice to the data subject, not on the company's financial quantification of the breach.
The True Cost of Silence: Aggravating Factors and Massive Fines
Failing to meet these notification duties constitutes a serious infringement of the Controller's obligations. For a global undertaking operating under the GDPR/UK DPA 2018 framework, this violation can result in substantial administrative fines:
• Infringement of the notification obligations (under sections 67, 68, or 108 of the DPA 2018, or the corresponding GDPR Articles 33 and 34) falls within the "standard maximum amount" category.
• This means fines can reach up to £8,700,000 or 2% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher.
Crucially, when regulatory authorities assess a penalty, the company's lack of transparency is treated as an aggravating factor:
• The severity of the penalty is determined by factors including the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement.
• Therefore, the company's choice to hide the breach can turn a small incident into a major regulatory failure, substantially increasing the final penalty imposed by the Commissioner.
In summary, a company's internal belief that a breach is "not material" is legally irrelevant if the breach carries a demonstrable risk (or high risk) to the affected individuals. The failure to notify promptly turns a technical security failure into a failure of accountability, inviting harsher penalties when the breach eventually comes to light.
Concealing a data breach is like quietly ignoring a small engine fire on an aircraft. The safety manual mandates immediate reporting based on the risk to passengers, not the cost of the repair. If the plane lands safely, the company might save face briefly, but when regulators examine the black box (the required documentation), the deliberate failure to report, despite the risk, exposes the company to far greater liability than the fire itself.