If determined that the personal data breach is “likely to result in a high risk to the rights and freedoms of individuals,” efforts must be made to communicate about the personal data breach with the affected data subjects “without undue delay,” according to the rules.
If unsure of whether your practices may fall under GDPR, experts advise discussing the question with a legal counselor, GDPR expert, or risk management team.