GDPR Breach avoidance for Law Firms
Breach avoidance, handling, breach analysis, and remedial actions for Law Firms.
There are penalties that apply when a breach has occurred, possibly up to €20M or 4% of turnover, whichever is the greater. The maximum fine depends on which article has been breached and/or what type of data loss has occurred.
What constitutes a breach?
For the purposes of the GDPR, a data breach is one that results from the destruction (either unlawful or accidental), alteration, loss or unauthorised disclosure of, or unauthorised access to, personal data.
Who do you inform and when?
You must inform the regulator, also known as the Supervisory Authority, within 72 hours of becoming aware that a breach has taken place. In the UK, the Supervisory Authority is the Information Commissioner’s Office (ICO): http://ico.org.uk
If you tell the regulator after 72 hours have passed, then there must be ‘reasoned justification’ for the delay in reporting it. In addition to the regulator, you must inform the data subjects without undue delay if the data breach is likely to result in a high risk to the rights and freedoms of the data subjects.
There is a huge amount of basic common sense inextricably woven into the GDPR jigsaw.
Much of this relates to the cultural set-up of a firm, which can be translated into the principles of good governance. All staff within your firm, from solicitors to administrative staff, need to be both informed and involved if you are to avoid stumbling over one of the numerous tripwires contained in the Regulation.
Law firms are all going to need to think carefully about the resources needed to support the smooth and secure operation of GDPR compliance. There are strict time limits involved in certain aspects of the GDPR portfolio, crucially in the handling of Data Subject Access Requests (DSARs) and breach reporting. To ensure continuing compliance, these need to be documented, with regular reviews of processes and systems. One of the most significant of these is a culture of openness and transparency in dealing with breaches and DSARs.