Notifications for data breaches to the Office of the Data Protection Commissioner must be made without delay and no later than 72 hours from the date of the breach. There is no general requirement to notify if the breach is considered “unlikely to result in risk”.