Q4 - Do all breaches need to be reported to affected individuals, or only severe ones?

Answer

Companies must notify individuals if the breach is likely to cause significant harm (financial loss, identity theft, reputational damage, etc.).
Trivial breaches that do not affect individuals may only need to be reported to the Board.

Example
  • If ABC Pharma Ltd. loses anonymized research data with no patient identifiers, individuals may not need to be notified.
  • But if prescription details of 50,000 patients are exposed, every affected patient must be informed promptly.