With cyber security attacks on the increase, the recent announcement that the Dutch DPA has fined Booking.com for reporting a data breach 22 days after it should have done is a timely reminder of the need to act quickly to assess data breaches and, if necessary, make a report.

Unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, both the EU GDPR and UK GDPR require notification to the relevant supervisory authority (in the UK this is the Information Commissioner's Office) without undue delay, and no later than 72 hours after becoming aware.

In the case of Booking.com, the risk to the rights and freedoms of data subjects was clear: by means of a telephone scam, criminals persuaded hotel staff to provide access to the booking details of 4,109 people and the credit card information of 283 people.