As soon as you notice a personal data breach, you must inform the data protection authority within 72 hours. The exception to this is when the personal data breach is not likely to result in a risk to the rights and freedoms of individuals. You must then be able to demonstrate what technical and organizational measures you have in place to mitigate this incident.
The incidents must be logged in any case.
Attention: The loss of a cell phone or memory stick with addresses is also a data breach and must be reported.
Current example: A lost memory stick has resulted in a fine of 120,000 GBP for Heathrow Airport in London.