For the purposes of the GDPR, a data breach is an incident that results in the destruction (whether unlawful or accidental), alteration or loss of personal data, or in unauthorised disclosure of or access to it.
You must notify the regulator, also known as the Supervisory Authority, of a breach within 72 hours. In the UK, the Supervisory Authority is the Information Commissioner’s Office (ICO): http://ico.org.uk
If you notify the regulator after 72 hours have passed, there must be ‘reasoned justification’ for the delay in reporting. In addition to the regulator, you must inform the data subjects without delay if the data breach is likely to pose a high risk to their rights and freedoms.