• Any data breach must be notified to the relevant data protection authority, even if protective measures, such as encryption, are in place; or the likelihood of harm is low. 4 - Prepare your organisation to fulfil the right to be forgotten, right to erasure and the right to data portability.