What Counts as a Data Breach When You’re a Solo Consultant
You sent a client invoice to the wrong email address. You lost a USB stick with two contract drafts on it. Your laptop got stolen from a café. Your inbox got phished and someone read three months of client emails before you caught it. Are any of those a data breach you have to report? The answer matters a lot more for solo consultants than most people realize, because there is no IT department to absorb the question for you. Under GDPR, a one-person consultancy is treated as a controller the same way a 200-person company is, and the 72-hour notification clock starts ticking the moment you become aware of the incident. This guide explains, in plain English, which incidents qualify as a personal data breach, which ones do not, and what the realistic risk threshold looks like when you’re working alone with client data on a laptop. Here’s how we evaluate GDPR questions for solo workers before publishing them. Verdict preview: most “near misses” do count as breaches under the GDPR definition, but only a subset of those require notification.
What GDPR actually defines as a personal data breach
Article 4(12) of the GDPR (full text published at gdpr-info.eu, accessed 2026-06-05) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The European Data Protection Board (EDPB) and the UK’s Information Commissioner’s Office (ICO) both confirm this definition covers three broad categories: confidentiality breaches (someone saw data who shouldn’t have), integrity breaches (data was changed or corrupted), and availability breaches (you lost access to data, even temporarily, even if no one else saw it).
The most common misconception among solo consultants is that a breach has to involve a malicious attacker. It does not. The ICO breach reporting guidance (ico.org.uk, updated 28 May 2025) is explicit: accidentally emailing a client list to the wrong recipient is a breach. Losing a phone with client contacts cached on it is a breach. A laptop hard drive failing before you backed up the latest project files is a breach (availability category). The trigger is the security failure, not the intent.
The second misconception is that only large datasets count. Article 4 says “personal data,” singular. One name plus one phone number is personal data. One email address with a recognizable client identity attached is personal data. When you’re a one-person consultancy holding maybe twenty active client files, almost every incident you can imagine touches personal data by definition.
The third misconception is that pseudonymized or partial data is exempt. It is not exempt from the definition; it is only exempt from notification in some cases (covered below). Internal project numbers tied back to a client list still count as personal data while you hold the linking table.
What this means for solo consultants in practice
Three concrete scenarios show how the rule lands when you’re working alone, without a security team, without a data protection officer, and often without anyone to ask in real time.
Scenario one — the wrong-recipient email. You meant to send a project status to client A but autocomplete picked client B’s address. Both clients are individuals or named contacts at small companies. The email contained the first client’s name, the project scope, and one paragraph of confidential context. This is a confidentiality breach under Article 4(12). It happened. It needs to be documented. Whether it needs to be notified to the supervisory authority depends on Article 33’s risk threshold, which we get to below.
Scenario two — the lost USB stick. You had a USB with two unsigned NDAs and one draft scope-of-work, all unencrypted, in your laptop bag. You can’t find it. You don’t know if anyone else has it. Under GDPR, this is a confidentiality breach AND an availability breach (you lost access to the documents, even though copies exist elsewhere). Even if the USB turns up in a coat pocket three days later, the breach was still real during the window of uncertainty. The EDPB guidelines on breach notification treat this as a textbook example.
Scenario three — the phished inbox. You clicked a fake invoice link, your email password leaked, and a third party had inbox access for an unknown number of hours before you reset. Every email read by that third party during the access window is an unauthorized disclosure. The volume matters less than the fact that confidential client correspondence was exposed. This is almost always a notifiable breach because the risk to client confidentiality is high by default.
Based on the GDPR text as written, none of these are gray areas in terms of whether they qualify as a breach. They qualify. The harder question is whether they’re notifiable, and that’s where solo consultants run into trouble — there’s no one in the next office to talk it through with.
How to assess whether a breach is notifiable
Article 33(1) of the GDPR sets the notification trigger: a breach must be notified to the supervisory authority within 72 hours of awareness, unless it is “unlikely to result in a risk to the rights and freedoms of natural persons.” That’s the threshold. Article 34 adds a second layer — if the breach is likely to result in a HIGH risk to those rights and freedoms, you also have to tell the affected individuals directly.
The practical reading, based on ICO and EDPB guidance, looks like this. Ask three questions in order. First, what kind of data was exposed? Names and emails alone usually sit at low risk. Financial details, health information, sensitive personal information, login credentials, or anything that could enable identity fraud sits at high risk. Second, how many people were affected and how identifiable are they? One named individual in a small professional context can be just as identifying as a thousand-row spreadsheet. Third, what realistic harm could follow? Embarrassment, lost business, identity theft, financial loss, discrimination — each shifts the risk tier upward.
For solo consultants, three quick reference points help. A wrong-recipient email with one name and one project line, sent to another known professional contact, is often (but not always) low risk and may not require notification — though you must still document it internally per Article 33(5). A lost unencrypted USB is usually notifiable because you cannot rule out who picks it up. A compromised inbox is almost always notifiable to the supervisory authority AND to affected clients because credential exposure plus correspondence access is a high-risk pattern.
One critical exemption written into Article 34(3): if the affected data was encrypted with technical measures that render it unintelligible to unauthorized persons, the direct-to-individual notification requirement does not apply. This is the strongest argument for full-disk encryption on every laptop, encrypted backups, and end-to-end encrypted client messaging. A stolen laptop is still a breach event you must document, but if the drive was encrypted and powered off at theft, the notification calculus changes substantially.
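The three questions above, plus the Article 34(3) encryption exemption, are exactly the kind of thing the decision sheet the article recommends should pin down in advance. The following is an added example, not code from the article or from AidTaskPro: it encodes that assessment as a small Python function over an incident record and computes the 72-hour deadline from the moment of awareness. The point scores, the tier cut-offs, the list of which data categories count as high risk, and the choice to let encryption lower the overall tier by one step are this example's assumptions, not thresholds the article or the regulation states; the sample incidents are constructed to mirror the three scenarios described earlier.

```python
"""Breach triage sheet for a one-person consultancy (added example, not article code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Tier membership is this example's assumption, chosen to mirror the article's
# first question (names/emails low; financial, health, credentials high).
HIGH_RISK_DATA = {"financial", "health", "credentials", "special_category", "id_document"}
SERIOUS_HARMS = {"identity_theft", "financial_loss", "discrimination"}
NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33(1): the clock runs from awareness


@dataclass
class Incident:
    description: str
    aware_at: datetime             # moment you became aware (starts the 72h clock)
    data_types: set                # personal data categories involved, e.g. {"name", "email"}
    disclosed: bool = False        # someone unauthorised could read it (confidentiality)
    altered: bool = False          # data changed or corrupted (integrity)
    access_lost: bool = False      # you lost access, even temporarily (availability)
    recipient_known: bool = False  # disclosure went to a known professional contact
    encrypted: bool = False        # unintelligible to unauthorised persons (Art. 34(3))
    affected: int = 1              # number of identifiable people
    harms: set = field(default_factory=set)  # realistic harms, e.g. {"identity_theft"}


@dataclass
class Assessment:
    is_breach: bool
    categories: list
    risk: str                      # "none", "low", "risk" or "high"
    notify_authority: bool         # Art. 33(1)
    notify_subjects: bool          # Art. 34(1), subject to the 34(3) exemption
    document_internally: bool      # Art. 33(5): always, once it is a breach
    deadline: datetime
    reasons: list


def assess(inc: Incident) -> Assessment:
    """Apply the three questions in order and return a filled-in decision sheet."""
    categories = [name for flag, name in ((inc.disclosed, "confidentiality"),
                                          (inc.altered, "integrity"),
                                          (inc.access_lost, "availability")) if flag]
    deadline = inc.aware_at + NOTIFY_WINDOW
    # Art. 4(12): a security failure in any category that touches personal data is a breach.
    if not categories or not inc.data_types:
        return Assessment(False, categories, "none", False, False, False, deadline,
                          ["no security failure or no personal data involved"])

    score, reasons = 0, []
    # Question 1: what kind of data?
    if inc.data_types & HIGH_RISK_DATA:
        score += 2
        reasons.append("high-risk data: " + ", ".join(sorted(inc.data_types & HIGH_RISK_DATA)))
    # Question 2: who saw it, and how many identifiable people?
    if inc.disclosed and not inc.recipient_known:
        score += 1
        reasons.append("recipient unknown; misuse cannot be ruled out")
    if inc.affected > 10:
        score += 1
        reasons.append(f"{inc.affected} people affected")
    # Question 3: what realistic harm could follow?
    if inc.harms & SERIOUS_HARMS:
        score += 1
        reasons.append("serious harm plausible: " + ", ".join(sorted(inc.harms & SERIOUS_HARMS)))
    # Art. 34(3): encryption removes the duty to tell individuals. Lowering the overall
    # tier by one step as well is this example's assumption, not article text.
    if inc.encrypted:
        score = max(score - 1, 0)
        reasons.append("data encrypted: Art. 34(3) exemption from notifying individuals")

    risk = "low" if score == 0 else "risk" if score == 1 else "high"
    notify_authority = score >= 1                        # not "unlikely to result in a risk"
    notify_subjects = score >= 2 and not inc.encrypted   # likely HIGH risk, unless encrypted
    return Assessment(True, categories, risk, notify_authority, notify_subjects,
                      True, deadline, reasons)


def hours_remaining(inc: Incident, now: datetime) -> float:
    """Hours left on the Art. 33(1) clock (negative once the window has passed)."""
    return (inc.aware_at + NOTIFY_WINDOW - now).total_seconds() / 3600


if __name__ == "__main__":
    aware = datetime(2026, 6, 5, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    usb = Incident("lost unencrypted USB with two NDAs", aware,
                   {"name", "email", "project_scope"}, disclosed=True, access_lost=True)
    sheet = assess(usb)
    print(sheet.risk, sheet.categories, "notify authority:", sheet.notify_authority)
    print("deadline:", sheet.deadline, "reasons:", sheet.reasons)
    print(f"{hours_remaining(usb, aware + timedelta(hours=20)):.0f} h left on the clock")
```

Run stand-alone, the script triages the lost-USB scenario: confidentiality plus availability, notifiable to the supervisory authority because the finder is unknown, no duty to contact the clients, and the deadline printed as a concrete timestamp rather than "72 hours from now". The `reasons` list is what goes into the Article 33(5) record, so the sheet doubles as the internal documentation the article says is never optional.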
Tools that reduce breach exposure for solo consultants
The most reliable way to handle breach risk as a solo consultant is to make the high-risk paths less available in the first place. Three tool categories cover most of the realistic exposure.
End-to-end encrypted email and storage. Proton Mail and Proton Drive (proton.me, no affiliate) offer zero-access encryption, meaning Proton itself cannot read your stored mail or files. Pricing starts around 4 to 10 EUR per month for Mail Plus or Unlimited tiers. For a solo consultant, the practical benefit is that a compromised Proton account exposes less data than a compromised Gmail account because most attachments and message bodies are encrypted at rest. This does not eliminate breach risk — phishing still works — but it shrinks the harm surface when something does go wrong.
A real password manager with shared vaults for client work. 1Password Business and Bitwarden (direct links, no affiliate) both publish detailed breach disclosure histories and zero-knowledge architectures. Bitwarden’s free tier is enough for one person. 1Password Business runs around 8 USD per user per month and adds activity logs that help when you need to demonstrate, after the fact, who could have accessed what. Sharing credentials by email is itself a recurring source of breaches; a password manager removes that habit.
A hardware security key for inbox protection. A YubiKey 5 NFC (Amazon affiliate link, aidtaskpro-20) sits at around 50 to 60 USD and blocks the phishing scenario described above almost completely. When your email account requires a physical key for new logins, a credential leak alone is no longer enough to access the inbox. For solo consultants who hold client correspondence as their main work product, this is the single highest-leverage 60 USD you can spend on breach prevention.
None of these tools eliminate the obligation to assess and document incidents. They reduce the frequency and severity of incidents that reach the notifiable threshold.
The verdict
ATP Privacy-Vetted: USE WITH CAUTION on the “I’ll figure it out later” instinct
USE WITH CAUTION is the right posture for any solo consultant who has not pre-decided how they’ll handle a suspected breach. Based on the GDPR text as written, the threshold for “this counts as a breach” is much lower than most freelancers assume, and the 72-hour clock starts at awareness, not at confirmation — so the right move is to build a one-page decision sheet now, before you need it, rather than improvise under pressure.
Frequently asked questions
Does sending an invoice to the wrong client count as a data breach?
Yes, it qualifies as a confidentiality breach under Article 4(12) of the GDPR because personal data was disclosed to an unauthorized recipient. Whether you must notify the supervisory authority depends on the Article 33 risk assessment. A one-line invoice with a name and amount sent to another known professional contact is often low risk and may only require internal documentation. The same invoice sent to a stranger or competitor is a different calculation.
Is losing an unencrypted laptop always a notifiable breach?
Almost always, yes. Article 34(3) of the GDPR provides an exemption from notifying affected individuals if the data was encrypted with adequate technical measures, but you still have to document the incident and likely report to the supervisory authority because you cannot demonstrate that the data is safe. If the laptop was unencrypted, you should assume notification is required unless you can prove the data was minimal and low-risk.
Do I have to report a breach if no client data was actually accessed?
You still have to document it. Article 33(5) requires controllers to document all personal data breaches, including the facts, effects, and remedial action — even if the breach falls below the notification threshold. Internal documentation is not optional. Whether you escalate to the supervisory authority depends on the realistic risk that data was accessed, which is your judgment call based on the evidence at the time.
How fast do I really have to report a breach as a solo consultant?
Within 72 hours of becoming aware of the breach, per Article 33(1). The clock does not pause because you’re a one-person operation, you’re traveling, or you need time to investigate. The EDPB and ICO both say you should report what you know and update later rather than wait for a complete picture. Late notifications must be accompanied by reasons for the delay.
Can I just ignore the breach if it was my own mistake and no one complained?
No, that’s the highest-risk move. Failure to notify when notification was required can itself trigger regulatory action and fines, and discovery later (for example, when an affected client raises it) makes the original incident much worse. Document every incident, assess against the Article 33 threshold honestly, and escalate when the assessment says you should. Conservative documentation protects you; silence does not.
Do I need a written breach response plan if I’m just one person?
You are not legally required to have a written plan, but you are legally required to be able to act within 72 hours and to document what you did. In practice, a one-page checklist with the supervisory authority contact, the questions you’ll ask yourself, and a template notification draft is the minimum that makes the deadline realistic. Without it, the first hours of a real breach are spent reading regulations instead of acting.
Sources
- GDPR Article 4 (Definitions) — gdpr-info.eu/art-4-gdpr/ — retrieved 2026-06-05
- GDPR Article 33 (Notification to supervisory authority) — gdpr-info.eu/art-33-gdpr/ — retrieved 2026-06-05
- GDPR Article 34 (Communication to data subject) — gdpr-info.eu/art-34-gdpr/ — retrieved 2026-06-05
- ICO UK GDPR data breach reporting (DPA 2018) — ico.org.uk/for-organisations/report-a-breach/personal-data-breach/ — updated 28 May 2025, retrieved 2026-06-05
- EDPB Guidelines 9/2022 on Personal data breach notification under GDPR — edpb.europa.eu — retrieved 2026-06-05
Reviewed by Jérémy, founder of AidTaskPro and GreenBudgetHub. Based in central France. GDPR analysis sourced from the official EU GDPR text and the ICO’s UK GDPR breach reporting guidance as of 2026-06-05.