- Data leaks can cause serious legal and reputational damage for start-ups and solopreneurs.
- According to the GDPR, notifications to the supervisory authority and notifications to data subjects are required within 72 hours.
- The BDSG supplements the GDPR and punishes the failure to report data protection violations with severe fines.
- Effective crisis management requires openness, speed and empathy in order to maintain trust and minimize damage.
- Companies should also consider international data protection regulations such as the CCPA and the UK-GDPR if they operate globally.
- Cyber insurance offers financial support and helps with crisis management, but is not a license for negligence.
- A structured emergency plan and the documentation of data breaches are crucial for compliance with the law.
Young start-ups and solopreneurs often focus on agile development and rapid growth – but a data leak can put an abrupt brake on this momentum. A data leak (also known as a “data breach” or, in the GDPR's own terminology, a “personal data breach”) is a security incident in which personal data is lost, stolen or disclosed without authorization. Whether a hacker attack, an accidentally publicly accessible server or a lost laptop – such incidents entail serious legal obligations. In particular, the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and international data protection laws require a structured approach to limit the damage. This blog post explains which steps startups must follow when dealing with a data breach, which reporting obligations exist under Art. 33 and 34 GDPR, when other jurisdictions such as the Californian CCPA or British and Swiss law become relevant and how to minimize both legal and reputational damage through smart crisis management. The liability risks (Art. 82 GDPR) in the event of an inadequate response and the benefits of cyber insurance are also highlighted.
Statutory reporting obligations under the GDPR and BDSG
Art. 33 GDPR – Notification to the supervisory authority: As soon as a company becomes aware of a data breach, it must notify the competent data protection supervisory authority immediately, at the latest within 72 hours. This obligation always applies if the breach may entail risks to the rights and freedoms of the data subjects – which is the case in practice for most genuine data leaks. The notification must include the type of incident, the scope (number of persons affected and data types), the countermeasures already taken or planned and contact details for queries. If, in exceptional cases, the notification is only made after 72 hours (e.g. because the extent only became fully clear later), this must be justified.
Art. 34 GDPR – Notification of data subjects: If the data leak is likely to result in a high risk to the personal rights of the data subjects (e.g. sensitive data or risk of identity theft), the data subjects must also be informed immediately. This notification (e.g. by email or letter) should explain in clear, simple language which data is affected, what consequences there could be and what measures the company is taking or what steps the users themselves should take to protect themselves. Transparency here is not only a legal obligation, but also a matter of trust. An exception to the obligation to provide direct notification exists, for example, if the company was able to avert the high risk for those affected through subsequent measures (e.g. by subsequently making the data illegible) or if the information could only be provided individually with disproportionate effort – in the latter case, information must then be provided publicly (e.g. via a press release).
BDSG – national supplements: The German Federal Data Protection Act adds detail to the GDPR in some places, but does not repeal the European reporting obligations. For example, the BDSG itself does not set any deviating deadlines for data breach notifications – only the GDPR requirement applies here. However, the BDSG does contain provisions on administrative offenses and criminal offenses for data breaches in sections 43 and 44. Intentional or grossly negligent failure to report a reportable data breach can result in severe fines as a violation of the GDPR (Art. 83 GDPR) and may also result in sanctions under national law. Startups should therefore take their reporting obligations very seriously and play it safe when in doubt: Better one notification too many than too few.
Step-by-step response to a data leak
A structured emergency plan helps to ensure that no important steps are forgotten in the chaos of a data breach. The following step-by-step guide has proven itself in practice:
- Damage limitation and initial analysis: First of all, any further data outflow must be stopped immediately. Affected systems should be disconnected from the network immediately, compromised passwords should be changed without delay and digital evidence should be secured. At the same time, an initial inventory should be carried out: What type of data is affected? How many people could be affected? Is it confidential or sensitive information? This assessment of the risk level is important in order to determine further obligations (reporting/notification).
- Notification to the supervisory authority (within 72 hours): As soon as it is clear that personal data is affected and a risk cannot be ruled out, the responsible data protection authority must be informed as soon as possible. For start-ups in Germany, this is usually the state data protection commissioner of the federal state in which the company is based. Many authorities offer online forms for reporting data breaches. It is important to provide all known facts (see above: scope, cause, measures taken) and to name a contact person. If it has not yet been possible to gather all the details, the notification can be made provisionally – missing information can be submitted later. Please note: The 72-hour deadline runs from the moment the breach becomes known (i.e. as soon as someone in the company becomes aware of the incident), not from the conclusion of the internal investigation.
- Informing the data subjects: At the same time, it should be checked whether Art. 34 GDPR applies – i.e. whether there is a high risk for the data subjects. If this is the case, customers/users must be informed immediately and directly. To this end, a clear letter should be drawn up that discloses the situation: What has happened? What personal data is likely to be affected? What effects are possible and what is the startup doing to prevent damage? It is also helpful to give those affected specific advice, e.g. to change passwords, be particularly vigilant with suspicious emails or monitor credit card transactions. An honest approach and tangible offers of help can go a long way to protecting trust and show that the company is taking responsibility.
- Internal documentation of the data breach: The GDPR requires that every data breach is documented internally – regardless of any reporting obligation. This means that the startup should create an internal incident log in which all the facts about the incident are recorded: Time of discovery, type and cause of the breach, affected systems and data categories, number of affected parties, immediate measures taken, content and time of notification to authorities and affected parties as well as follow-up measures. This documentation serves to demonstrate compliance with the regulations to the supervisory authorities. It also helps internally in analyzing how the breakdown occurred in order to learn from mistakes.
- Follow-up and prevention: After dealing with the acute phase, the startup should debrief the incident: What was the cause (e.g. insecure configuration, human error, external attack)? What gaps need to be closed in the future (e.g. improved security measures, employee training, stricter access authorizations)? Open communication within the team without apportioning blame is important in order to learn from the incident. If necessary, the internal processes should also be adapted, such as the emergency plan itself: Was responsibility clearly defined? Were all contact details (authorities, customers) quickly available? The risk of future data leaks can only be reduced by taking such preventative steps.
International legal situation: CCPA, UK-GDPR and Swiss nDSG
Start-ups often operate globally – be it through international customers via the internet or through expansion into new markets. As a result, German companies may also have to comply with foreign regulations in the event of data protection incidents:
- USA (California – CCPA/CPRA): In the USA, there is no uniform nationwide data protection law like the GDPR, but rules do exist at state level. The California Consumer Privacy Act (CCPA) and its extension by the CPRA are particularly well known. It applies to companies that process the personal data of Californian consumers on a large scale. For example, a German startup that offers an app worldwide and also collects data from users in California may fall under the scope of the CCPA. When it comes to data leaks, the CCPA stipulates one thing above all: Companies must take appropriate security precautions. If a breach nevertheless occurs and there were insufficient protective measures in place, the CCPA grants affected consumers the right to sue for damages (including lump-sum punitive damages per incident). Independently of the CCPA, all US states, including California, have data breach notification laws that stipulate that affected individuals and usually also government agencies must be informed if certain sensitive data (such as financial or health data) has been compromised. German start-ups with US customers should therefore check whether they have reporting obligations in the USA in the event of an emergency – it is often advisable to involve specialized law firms here, as the requirements vary from state to state.
- United Kingdom (UK-GDPR): After Brexit, the UK has its own version of the GDPR, often referred to as the UK-GDPR, which still largely corresponds to the European GDPR in terms of content. A German company that also processes the data of people in the UK (e.g. British customers in the online store) must therefore also comply with the UK regulations in the event of a data breach. In practical terms, this means: a similar 72-hour notification obligation to the UK data protection authority (Information Commissioner’s Office, ICO) and, if necessary, notification of affected persons in the UK according to the same criteria as in the EU. Important: If the startup does not have a branch in the UK, it may be obliged to appoint a representative in the UK to act as a point of contact for the authorities. However, in the event of an acute leak, the primary priority should be rapid reporting and communication – official responsibilities are often clarified in cooperation between the EU and UK supervisory authorities.
- Switzerland (nDSG): The revised Data Protection Act (nDSG), which incorporates many elements of the GDPR, has been in force in Switzerland since September 2023. There is also an obligation to report data breaches here: Swiss companies – and foreign companies that process the data of individuals in Switzerland – must report serious data breaches to the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible and inform those affected if there is a high risk for them. Although the nDSG does not specify a rigid 72-hour deadline like the GDPR, the phrase “as soon as possible” makes the pressure to act clear. German start-ups that serve customers in Switzerland or have branches there should therefore add these requirements to their incident response plan. It should be noted that violations of the nDSG – such as failing to make a required notification – can even result in fines for the responsible individuals in Switzerland.
In short: as soon as a startup operates internationally or processes data from people from other countries, it must think multinationally in the event of a data leak. This can mean informing several supervisory authorities and coordinating different notification obligations. A centrally coordinated approach and, if necessary, advice from international data protection experts are worth their weight in gold here.
Crisis management: moral and economic aspects
A data leak is not only a legal problem, but also always a crisis of confidence. For young companies in particular, the damage caused by a loss of trust can be more serious than some fines. Therefore, in addition to fulfilling legal obligations, it is also important to pay attention to crisis management and external impact:
Openness and transparency: Even if the first impulse may be to cover up the mishap, honesty pays off in the long term. Customers, users and business partners appreciate it when a company deals with problems openly. Through proactive communication (e.g. an email to all customers, an explanatory statement on the website), the startup signals that it takes the issue seriously and has nothing to hide. This transparency can help to maintain or even strengthen trust – according to the motto: “We have discovered a problem, but we are solving it professionally and providing transparent information about all steps.”
Empathy and support for those affected: In its communication, the company should focus on those affected. A sincere apology and acknowledgement of the customer’s potential concerns are appropriate. In addition, concrete offers of help can defuse the situation: For example, covering the cost of a credit monitoring service, providing a hotline for questions, or practical tips to protect against potential misuse of data. Such measures show a sense of responsibility and can mitigate the negative effects.
Speed and professionalism: time is a critical factor. Not only because of the 72-hour deadline for the authorities – a company that reacts quickly also appears competent in the eyes of the public. A well thought-out communication plan for crisis situations should be prepared: Who will release what information and when? Is the press statement ready in case of media inquiries? For start-ups that do not yet have their own PR department, it can be useful to line up an external PR consultant for emergencies in advance. Handled well, an incident can leave the company looking capable of acting and responsible – which can ultimately be a competitive advantage.
Marketing strategies for damage limitation: After the acute incident, it can be helpful to rebuild trust through positive actions. For example, the startup could hold out the prospect of implementing additional security standards in the future or having independent security audits carried out, and then communicate this. Some companies launch transparency initiatives after an incident (e.g. quarterly reports on IT security) or invite customers to provide feedback to show: “We have understood and are continuously improving.” It is important that such measures are meant honestly – pure PR platitudes without substance are quickly seen through and can deepen the damage to trust.
Liability risks and consequences of inadequate response
In addition to the direct damage to the company’s image, a data breach also poses legal liability risks for the startup. Art. 82 GDPR entitles any person who suffers damage as a result of a data breach to compensation. This expressly includes both material damage (such as financial loss due to identity theft) and immaterial damage such as stress, anxiety or loss of privacy. The latter in particular – non-material damages for data protection violations – is becoming increasingly important. Affected users are increasingly suing for non-material damages, even if no direct financial loss has been incurred. Courts in Europe have sometimes applied different standards here, but the European Court of Justice emphasizes that any real disadvantage resulting from the loss of control over personal data can be compensable. It can therefore be very expensive for a startup if thousands of users are entitled to, say, a few hundred euros in compensation each – the sums can quickly threaten its existence.
There is a particular risk if the company has acted in breach of duty – for example, if it allowed the breach to occur through inadequate security precautions or, even more seriously, if it covered up the incident or reported it too late. The supervisory authorities show little leniency here: anyone who tries to sweep a data leak under the carpet must expect not only a loss of trust but also severe fines. According to Art. 83 GDPR, a breach of reporting and notification obligations can be punished with a fine of up to 10 million euros or 2% of annual global turnover. A prominent example is a case in which a company deliberately concealed a leak: when this came to light, the regulatory fine was significantly higher than the original breach would probably have resulted in – the authorities justified this with a lack of cooperation and intent. In terms of civil liability, a cover-up also means a worsening of the company’s position: a court will interpret it negatively if the responsible party has deliberately disregarded its obligations, which is more likely to make claims for damages by those affected successful.
Startups should therefore never make the mistake of trying to keep a data breach quiet. The truth often comes to light anyway – be it through whistleblowers, external information or in the course of investigations. The damage caused to trust and reputation is almost impossible to repair afterwards. It is much wiser to openly admit the incident, fulfill your duties and actively work on solving the problem. In this way, you at least retain control over how events are presented and can possibly prevent worse things from happening.
Why cyber insurance makes sense
Even with the greatest care, any company can be hit – there is no such thing as absolute data security. This is where cyber insurance comes into play, which has been specially developed to cover the consequences of IT security incidents. Such insurance can make sense for start-ups for several reasons:
- Financial protection: Depending on the policy, cyber insurance covers many of the direct costs of a data breach. These include expenses for forensic experts, IT specialists to restore systems, legal advice to comply with reporting obligations, notification of customers (including postage for letters, for example) and often also costs for any credit monitoring services for those affected. Some policies even cover extortion payments in the event of ransomware attacks or reimburse loss of revenue due to business interruption.
- Crisis management support: Good cyber insurers offer not only money, but also practical help. A network of experts is often available in the event of a claim: IT forensic experts, PR consultants for crisis communication, specialized law firms – a startup can call on all these experts in an emergency, usually via a hotline provided by the insurer. This is extremely valuable, especially for small companies that do not have such resources available internally in order to react quickly and professionally.
- Cover for liability claims: If claims for damages are brought by data subjects (keyword: Art. 82 GDPR) or fines are imposed by the authorities, cyber insurance can also cover these, depending on how it is structured. However, it should be noted that not all policies cover fines (and in some jurisdictions, insuring fines is legally controversial). Nevertheless, many insurance policies at least offer coverage for legal fees and court costs in the defense against claims and for settlement payments.
- Prevention and risk awareness: The process of taking out cyber insurance often forces the startup to take a close look at its own IT security. Insurers ask questions about existing protection, often demand minimum measures (e.g. regular backups, antivirus, employee training) and reward better security precautions with lower premiums. This strengthens the company’s risk culture in advance. In the best case scenario, this prevents most incidents – and the insurance company doesn’t even have to step in.
Of course, cyber insurance is not a carte blanche: Even the best policy will not pay out if gross negligence is committed or obligations are disregarded. And no insurance can completely heal the damage to your image. Nevertheless, this cover can be vital in the worst-case scenario – it gives start-ups the financial backing they need to cope with a serious incident without being driven to ruin.
Conclusion
For start-ups and solopreneurs pursuing big goals with limited resources, a data leak is a particularly tricky challenge. This makes it all the more important to know the legal requirements of the GDPR and BDSG and to implement them quickly in an emergency: Notification to the authorities within 72 hours, open communication with those affected and complete documentation. However, the right crisis management also determines whether a security incident ends in lost trust and chaos – or as proof of the startup's resilience and a source of valuable experience. Transparency, a sense of responsibility and empathy are the keys to successful damage limitation, not only in legal terms, but also in human and business terms. With the support of experts and sensible precautions such as cyber insurance, even young companies can overcome serious data breaches without shattering their dream of success.