Obligations for Reporting Data Breaches

Legal Obligations: Under the GDPR, organisations have a legal obligation to report certain types of data breaches to the appropriate data protection authorities. The aim is to ensure transparency and protect individuals' rights and freedoms.

Reportable Breaches: Organisations must report data breaches if they are likely to result in a risk to the rights and freedoms of individuals. This includes breaches that may lead to financial loss, identity theft, discrimination, damage to reputation, or other significant consequences.

Notification Criteria: A breach should be reported when it involves personal data, is likely to result in harm, and the organisation is the data controller responsible for that data.
