← All posts
7 min read

What Happens When Your Organisation Has a Data Breach — and What Should Be in Place Before It Does

A client file sent to the wrong person. A laptop left on a bus. A misconfigured shared drive. For most social service agencies, a data breach isn't a theoretical risk — it's a matter of when. Here's what the rules require, and what good preparation actually looks like.

data protectionGDPRPDPAnonprofitcompliance

The email goes to the wrong person at 4:47 on a Thursday afternoon.

A support worker is closing out her day, replying to a referral from a partner agency. She means to attach a blank intake form. Instead, she attaches a case summary — six pages, including the client's full name, home address, mental health diagnosis, and the reason she left her previous shelter. The receiving agency is legitimate. But the case manager who opens it has no relationship with this client, no authorisation to hold this information, and no idea what to do with it.

The support worker realises what she's done about twenty minutes later. She sends a follow-up email asking the recipient to delete the file. The recipient says they will. And then — in most organisations — nothing else happens.

No one logs the incident. No one checks whether the deletion actually occurred. No one asks whether the client should be told. The organisation's leadership doesn't find out. Three weeks later, the file is still sitting in an inbox on a server the support worker's organisation has no visibility over.

This is not an unusual story. It is, in fact, a remarkably common one. And in most of the jurisdictions where charities and social service agencies operate, it constitutes a personal data breach that may have required regulatory notification within three days.

What Actually Counts as a Breach

There is a persistent assumption in the sector that a "data breach" means a hacking incident — a cyberattack, a ransomware notice, a headline. That assumption is wrong, and it causes real harm.

Under both the UK and EU GDPR, a personal data breach is defined as any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data. Singapore's PDPA uses similar framing: a data breach occurs when personal data in your organisation's possession is accessed, collected, used, disclosed, copied, modified, or disposed of in a manner not authorised by the organisation.

This definition captures:

  • A case summary emailed to the wrong address
  • A laptop left on a bus with unencrypted client files
  • A shared drive misconfigured so that volunteers can view case notes they shouldn't
  • A departing staff member whose system access wasn't revoked before they left
  • A paper file left in a meeting room and photographed

None of these require a sophisticated attacker. Most of them require only a tired person having a bad afternoon.

For social service organisations, this matters more than it might for other sectors. The data you hold is not merely personal — it is often sensitive in the legal sense. Mental health records, details of family violence, information about children, financial hardship assessments, immigration status, substance use history. These categories attract heightened obligations under data protection law precisely because their exposure can cause serious, sometimes irreversible harm.

The Clock Starts Immediately

Here is the part that most charities and nonprofits are not prepared for.

Under the UK GDPR and EU GDPR, when an organisation becomes aware of a personal data breach, the clock starts. If the breach is likely to result in a risk to the rights and freedoms of individuals — a threshold that is met more often than organisations assume — the organisation must notify its supervisory authority within 72 hours. Not 72 business hours. 72 hours, including weekends.

If the breach is likely to result in a high risk to those rights and freedoms, the affected individuals must also be notified, without undue delay.

Under Singapore's PDPA, the obligation is similar but uses slightly different language. An organisation that suffers a breach of a "significant scale" (affecting 500 or more individuals) or that is likely to result in significant harm to affected individuals must notify the Personal Data Protection Commission within three calendar days of assessing the breach. Affected individuals must also be notified as soon as is reasonably practicable.

Three calendar days. Over a weekend, that is Saturday, Sunday, Monday.

The guidance published by regulators makes clear that the assessment of whether notification is required cannot be deferred indefinitely. The 72-hour or three-day clock runs from when the organisation has sufficient information to make that assessment — not from when a final internal investigation is complete. Waiting to be certain, in other words, is itself a compliance failure.

What "Significant Harm" Looks Like in This Sector

Regulators and guidance documents typically describe significant harm in terms of the type of data exposed, who might access it, and what they might do with it. For social service organisations, this framing points directly at the kinds of records you routinely hold.

A case summary containing a mental health diagnosis and a home address represents exactly the kind of data that regulators treat as high-sensitivity. The combination of details — a person's name, their diagnosis, their location, the fact that they are engaged with a social service — creates a profile that can be used for harassment, exploitation, or discrimination. If a client is fleeing domestic violence and their current address is disclosed to the wrong party, the harm is not theoretical. It is immediate.

Children's information sits in its own category of sensitivity under most data protection frameworks. Financial information that reveals hardship — benefit status, debt, housing insecurity — can cause concrete damage if disclosed to employers, landlords, or creditors. Immigration-related details can have life-altering consequences.

The test is not whether harm has actually occurred. It is whether harm is likely. In almost any scenario where a social service case record is disclosed to an unauthorised person, that threshold is arguable — which means the decision not to notify cannot simply be made by assuming everything will be fine.

What Needs to Be in Place Before It Happens

The 72-hour window is too short to build a response from scratch. By the time you have called a meeting, found the relevant regulation, debated whether this counts as a real breach, and drafted a notification, the clock has usually expired. Preparation is not bureaucratic excess. It is the only thing that makes a prompt, proportionate response possible.

An incident register

Every potential breach — including the ones that turn out to be minor — should be logged when they are first discovered. The log should record what happened, when it was discovered, what data was involved, how many individuals may be affected, and what immediate steps were taken. This serves two purposes: it gives you the documentation you need if a regulator asks, and it forces the decision about notification to be made explicitly rather than by default.

Regulators are not primarily interested in punishing organisations that have breaches. They are interested in whether the organisation took the breach seriously and responded in good faith. An incident register that shows a pattern of thoughtful, documented decisions — including documented decisions not to notify, with clear reasoning — is evidence of exactly that.

A written response procedure

This does not need to be a long document. It needs to answer four questions: who gets told first inside the organisation, who is authorised to decide whether to notify the regulator, what information needs to be gathered before that decision can be made, and where the relevant regulatory notification portal or contact point is.

In a small charity, the answer to "who is authorised to decide" might be the executive director. In a larger organisation, it might involve the data protection officer, legal counsel, and senior leadership. What matters is that this is agreed in advance, written down, and known — so that when something happens at 4:47 on a Thursday, the support worker knows to call a specific person, and that person knows what to do.

Staff who know what to do in the first hour

The most expensive breaches, from a regulatory and reputational standpoint, are the ones where staff did not recognise that something had gone wrong, or recognised it but did not know who to tell. Training does not need to be extensive. It needs to be concrete: here is an example of what a breach looks like. If you think something like this has happened, call this person immediately. Do not wait until you are sure. Do not try to resolve it yourself.

The Mistake That Turns a Manageable Situation Into a Serious One

Most regulatory enforcement against charities and nonprofits for data breach failures does not arise because the breach was catastrophic. It arises because the organisation's response was poor. The breach happened, no one logged it, no one escalated it, and six months later a complaint from the affected individual triggered an investigation. At that point, the organisation cannot demonstrate that they took it seriously, because there is no evidence they considered it at all.

The specific failures that attract regulatory attention are: waiting to see whether a breach "becomes serious" before logging it; involving only one or two people in the notification decision when more should have been consulted; deciding not to notify but failing to document that decision and the reasoning; and not telling affected individuals when the risk to them warranted it.

A breach that was logged, assessed, documented, and followed up — even if notification was ultimately judged unnecessary — almost always receives a different response from regulators than one that was ignored and only surfaced later.

The regulator's underlying concern is not whether a breach happened. People make mistakes. Files go to wrong addresses. Laptops get left on buses. The concern is whether the organisation had the structures to catch those mistakes, respond to them promptly, and protect the people whose data was involved.

That is a question of preparation. And preparation happens before Thursday at 4:47.

Socianote includes a built-in data breach incident log where staff can record potential breaches immediately, capture the key details regulators ask for, and document the assessment and response — alongside role-based access controls, a full audit trail on every record, and hard-delete capability for right-to-erasure requests. Start a free trial →

← All posts