Do I need to inform my customers?
The ICO requires prompt action to be taken following data breaches that pose a risk to individuals.
Firstly, you need to decide whether the breach poses a significant risk to the rights and freedoms of individuals. If it does, the UK GDPR requires you to notify the affected individuals directly and promptly. That notification must be made without undue delay, so the practical expectation is immediate action once the risk is established.
One of the primary purposes of informing affected individuals is to empower them to take measures to safeguard themselves from the repercussions of a breach.
While this may sound straightforward, GDPR breaches involve many variables, and without experience the decision can be difficult to make. If you decide not to inform your customers of a breach, document your reasoning clearly so that you can demonstrate due process.