Laws around the world impose strict data security obligations on organisations that process personal data, and in some cases require them to report data breaches to data protection authorities and to the individuals affected. Failure to comply with these laws may lead to significant sanctions, loss of stakeholder trust, reputational damage, and disruption of business activities. Investing in data security to prevent data breaches, and being prepared to respond in the event of a data breach, is therefore worthwhile not only to comply with legal obligations, but also to avoid these negative consequences. This article elaborates on what constitutes a personal data breach and what a data breach prevention and response strategy might look like.