Since the GDPR came into force, there's been a surge in data breach reporting across the EU. The flood of reports though, over 280,000 data breaches submitted across the EU, resulted only in around 500 fines to companies. The vast majority of data breaches were likely reported to Supervisory Authorities unnecessarily.

The EDPB has released a new example-based guidelines which should help controllers and DPOs in deciding whether or not to notify their Data Protection Authority.

As a reminder, the GDPR requires to internally document all breaches, whether they are notifiable or not: in this last case the controller/DPO have to precisely describe why they are not notifying data subjects and/or the Data Protection Authority. The data breach register, with its supporting SOP(s), is a mandatory obligation and failure to do so can lead to proceedings being brought.

https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2021/guidelines-012021-examples-regarding-data-breach_en