After becoming aware of a personal data breach, you have to inform the data protection authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. You then have to demonstrate which technical and organisational measures are in place to mitigate the incident.
Every incident has to be recorded in any case, whether or not it is reported.
Take note: even the loss of a mobile phone or a USB memory stick containing addresses is a personal data breach and has to be reported.
Latest example: a lost USB memory stick led to a financial penalty of 120,000 GBP for Heathrow Airport in London.