GDPR Data Breach: An Overview

Confused about what a GDPR Data Breach is? Any unauthorised access to, disclosure of, or destruction of Personal Data is referred to as a Data Breach. This could be the result of a hacker getting into a company's database or an employee providing private information to the incorrect person by accident. A Data Breach can be very harmful to both people and organisations, regardless of why it happened. 

According to IBM, the average time it takes to uncover a Data Breach is 197 days, and the average time it takes to contain a breach is 69 days. Under the GDPR, organisations that experience a Data Breach must report it to the relevant authorities without undue delay. This blog explains the GDPR breach reporting requirements, the fines involved, and how to alert EU authorities. Learn more about the General Data Protection Regulations (GDPR).

Table of Contents

1) Meaning of a Data Breach under GDPR 

2) What is a Personal Data Breach?  

3) Data Breach risk assessment  

4) When informing people of a Breach, what details must be shared?  

5) How long do we have before we have to notify a Breach?  

6) Penalty for a Data Breach  

7) Who protects the data?  

8) Types of Data Breach

9) Conclusion  

Meaning of a Data Breach under GDPR  

A Data Breach is defined by the General Data Protection Regulation (GDPR) as a security breach that results in unintentional or unlawful destruction, loss, unauthorised disclosure, alteration, or access to Personal Data transmitted, stored, or otherwise processed. A Data Breach is said to have occurred when Personal Data is accidentally or purposefully made available to unknown people or organisations.   

Cyberattacks, the theft or loss of physical equipment carrying Personal Data, human error such as sending an email containing Personal Data to the incorrect recipient, and other causes can all lead to this. In compliance with the GDPR, Data Controllers must notify the appropriate supervisory authority of certain categories of Data Breaches within 72 hours of becoming aware of them. Notification is not required only where the breach is unlikely to result in a risk to people's rights and freedoms. Additionally, if the Breach poses a significant risk to the affected people's rights and freedoms, Data Controllers are required to notify those affected.

What is a Personal Data Breach? 

A Personal Data Breach refers to a security incident that results in the unintended or unlawful destruction, loss, alteration, unauthorised disclosure, or access to Personal Data. Such Breaches can occur due to both accidental and deliberate actions or inactions. It's important to understand that a Breach involves more than just the mere loss of Personal Data. 

For instance, Personal Data Breaches can encompass various scenarios, such as: 

a) Unauthorised access by a third party. 

b) Intentional or unintentional actions (or lack of action) by a Data Controller or processor. 

c) Sending Personal Data to an incorrect recipient. 

d) Loss or theft of computing devices containing Personal Data. 

e) Unauthorised alteration of Personal Data. 

f) Loss of access to Personal Data, leading to significant negative consequences for individuals. 

A Personal Data Breach is a security event that impacts the confidentiality, integrity, or availability of Personal Data. In simpler terms, it occurs whenever Personal Data is accidentally lost, destroyed, tampered with, or disclosed without proper authorisation, or when data becomes unavailable in a manner that significantly harms individuals. 

Data Breach risk assessment 

Recital 87 of the UK General Data Protection Regulation (UK GDPR) emphasises the importance of swift action when a security incident occurs. The primary objective is to promptly determine whether a Personal Data Breach has transpired and, if so, take immediate steps to address it, including notifying the Information Commissioner's Office (ICO) if necessary. It's crucial to note that the assessment of whether a Breach must be reported centres on the potential negative impacts on individuals.

In essence, a Breach can lead to a wide range of adverse consequences for individuals, including emotional distress, physical harm, and financial loss. The severity of these impacts can vary from case to case, depending on various factors. For example, a Breach involving the theft of a customer database, which could potentially be used for identity fraud, should be reported due to its likely significant impact on affected individuals, potentially leading to financial losses or other serious consequences. However, there might be situations, like the loss or inappropriate alteration of a staff telephone list, where notification to the ICO may not be necessary. 

Upon discovering a Breach, it is essential to contain it and assess the potential adverse effects on individuals, taking into account the severity and likelihood of such impacts. Detailed guidelines on GDPR risk assessment can be found in Section IV of the Article 29 Working Party Guidelines on Personal Data Breach notification.

Join the ranks of GDPR compliance experts and gain essential skills for protecting Personal Data. Sign up for our Certified EU General Data Protection Regulation (EU GDPR) Foundation course today! 

When informing people of a Breach, what details must be shared?  

Under the UK General Data Protection Regulation, if a Breach is expected to pose a substantial risk to the rights and freedoms of individuals, you are obligated to directly inform those individuals promptly and without undue delay. Essentially, this means taking action as swiftly as possible. Because the trigger is a "high risk", the threshold for notifying individuals is higher than the threshold for notifying the Information Commissioner's Office (ICO).

To make this assessment, you must evaluate both the severity of the potential or actual impact on individuals resulting from the Breach and the likelihood of these consequences occurring. If the potential impact is severe or the likelihood of it happening is significant, the risk is considered higher, necessitating prompt notification to affected individuals.

This is especially crucial if there is an immediate need to mitigate potential harm to them. One of the primary reasons for notifying individuals is to empower them to take measures to safeguard themselves from the repercussions of the Breach. However, if you opt not to notify individuals, you are still obligated to notify the ICO unless you can demonstrate that the Breach is unlikely to result in a risk to their rights and freedoms.

It's essential to note that the ICO possesses the authority to compel you to inform affected individuals if they perceive a high risk. Regardless of the decision you make, it is imperative to thoroughly document your decision-making process in compliance with the accountability principle.

How long do we have before we have to notify a Breach? 

According to the UK General Data Protection Regulation, it is imperative to report a notifiable Breach to the Information Commissioner's Office (ICO) promptly and within a maximum timeframe of 72 hours from the moment you become aware of it. If, for any reason, you exceed this 72-hour window, you are obligated to provide an explanation for the delay. 

For further clarification on when a Data Controller is deemed to have "become aware" of a Breach, you can refer to Section II of the Article 29 Working Party Guidelines on Personal Data Breach notification. It offers more comprehensive details on the concept of awareness in the context of Breach notification obligations. 
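The risk assessment and notification timing described above can be captured as a small triage record. The following is an added example, not code from the original article or from any regulator: it takes a constructed breach assessment (severity and likelihood of impact on individuals, whether the breach is contained, and when the controller became aware), derives which notifications are due, computes the 72-hour ICO deadline, and keeps the written rationale the accountability principle calls for. The severity/likelihood matrix, the incident references and the timestamps are assumptions for illustration; the article gives no numeric scale.

```python
"""Breach triage helper (constructed example; not the article's or the ICO's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# "within a maximum timeframe of 72 hours from the moment you become aware"
ICO_REPORTING_WINDOW = timedelta(hours=72)

# Assumed three-point scale for both dimensions of the assessment.
_LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class BreachAssessment:
    reference: str            # hypothetical internal incident id
    aware_at: datetime        # when the controller became aware (timezone-aware)
    severity: str             # severity of impact on individuals: low / medium / high
    likelihood: str           # likelihood that the impact materialises: low / medium / high
    contained: bool           # has the breach been contained yet?
    notes: list = field(default_factory=list)


def risk_level(severity: str, likelihood: str) -> str:
    """Combine severity and likelihood into 'unlikely', 'risk' or 'high'.

    Assumed matrix: both low -> 'unlikely' (no ICO notification required);
    either dimension high -> 'high' (notify ICO and individuals);
    anything else -> 'risk' (notify ICO only). Unknown levels raise KeyError.
    """
    s, l = _LEVEL[severity], _LEVEL[likelihood]
    if s == 1 and l == 1:
        return "unlikely"
    if s == 3 or l == 3:
        return "high"
    return "risk"


def assess(breach: BreachAssessment) -> dict:
    """Derive the notification obligations and a written decision record."""
    level = risk_level(breach.severity, breach.likelihood)
    deadline = breach.aware_at + ICO_REPORTING_WINDOW
    decision = {
        "reference": breach.reference,
        "risk_level": level,
        "contain_first": not breach.contained,     # containment precedes everything else
        "notify_ico": level != "unlikely",
        "notify_individuals": level == "high",
        "ico_deadline": deadline,
        "record": list(breach.notes),              # rationale kept for accountability
    }
    decision["record"].append(
        f"aware at {breach.aware_at.isoformat()}; ICO deadline {deadline.isoformat()}"
    )
    decision["record"].append(
        f"severity={breach.severity}, likelihood={breach.likelihood} -> {level}"
    )
    if not decision["notify_ico"]:
        decision["record"].append("not notified: unlikely to result in a risk; decision documented")
    return decision


def reporting_status(breach: BreachAssessment, now: datetime) -> dict:
    """Hours left in the 72-hour window; a negative value means the delay must be explained."""
    remaining = ICO_REPORTING_WINDOW - (now - breach.aware_at)
    return {
        "hours_remaining": remaining.total_seconds() / 3600,
        "explanation_required": remaining < timedelta(0),
    }


# Constructed sample incidents mirroring the article's two illustrations.
SAMPLE_AWARE_AT = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
LATE_CHECK_TIME = SAMPLE_AWARE_AT + timedelta(hours=96)   # 24 hours past the deadline

DATABASE_THEFT = BreachAssessment(
    reference="INC-0001", aware_at=SAMPLE_AWARE_AT, severity="high", likelihood="high",
    contained=False, notes=["customer database stolen; usable for identity fraud"],
)
PHONE_LIST_LOSS = BreachAssessment(
    reference="INC-0002", aware_at=SAMPLE_AWARE_AT, severity="low", likelihood="low",
    contained=True, notes=["internal staff telephone list misplaced"],
)

if __name__ == "__main__":
    for incident in (DATABASE_THEFT, PHONE_LIST_LOSS):
        result = assess(incident)
        print(result["reference"], result["risk_level"],
              "ICO" if result["notify_ico"] else "-",
              "individuals" if result["notify_individuals"] else "-")
        for line in result["record"]:
            print("   ", line)
    print(reporting_status(DATABASE_THEFT, LATE_CHECK_TIME))
```

The decision record is the part worth keeping: even when the outcome is "do not notify", the ICO can ask to see why, so the rationale lines are written before the result is returned rather than reconstructed afterwards.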

Protect Personal Data and avoid GDPR non-compliance by seeking GDPR awareness. Register for our course EU General Data Protection Regulation (EU GDPR) Awareness right away! 

Penalty for a Data Breach  

Organisations that violate the GDPR Data Protection rules, notably those relating to Data Breaches, are subject to substantial fines and penalties. Depending on the kind and extent of the violation, the GDPR provides two tiers of administrative fines:

a) Up to €10 million, or 2% of the previous financial year's global annual turnover, whichever is greater

b) Up to €20 million, or 4% of the previous financial year's global annual turnover, whichever is greater

Violations involving data processing obligations, such as failing to keep accurate records, failing to notify a Data Breach, and failing to implement suitable security measures, are subject to the first tier of fines.

The second tier of fines applies to more serious offences, such as failing to obtain consent, violating the rights of Data Subjects, and failing to implement appropriate Data Protection processes and policies. Data Controllers may face legal action from impacted parties in addition to financial fines, which could cause substantial losses and harm to their reputations.

Who protects the data?  

No matter where they are situated, all organisations that collect, process, and store the Personal Data of EU individuals must adhere to the GDPR's stringent rules and regulations to preserve the privacy and security of that data.    

This includes Data Processors that handle data for Data Controllers as well as Data Controllers themselves, who decide the methods and purposes for processing Personal Data. To ensure that Personal Data is safeguarded and handled securely and legally, the GDPR is enforced by a combination of national Data Protection authorities, the European Data Protection Board (EDPB), and the European Data Protection Supervisor (EDPS). 


Types of Data Breach 

GDPR requires Controllers to promptly delete Personal Data when there is no lawful basis for retaining it. The rules aim to prevent excessive retention and ensure proper data destruction. The categories below describe the main ways a Data Breach can arise.

Data loss 

Data loss refers to a situation where data is no longer available, whether it is due to accidental or intentional deletion, system failures, hardware or software malfunctions, cyberattacks, or other events that make the data inaccessible or unusable.  

Data loss can result in the loss of important information and can have serious consequences for individuals, businesses, or organisations. It is a breach under GDPR, so organisations must implement proper data backup and recovery procedures to prevent data loss and minimise its impact.

Data alteration 

Data alteration under GDPR refers to the unauthorised modification of Personal Data, whether accidental or intentional, such as changing, falsifying, or deleting information without permission. Data alteration can come from various sources, including insiders such as employees and contractors, outsiders like hackers and unauthorised users, and third-party processors and entities. Regardless of the source, data alteration can be detrimental, and organisations must implement appropriate measures to protect against it.

Join the ranks of GDPR compliance experts and gain essential skills for protecting Personal Data. Sign up for our Certified EU General Data Protection Regulation (EU GDPR) Foundation course today! 

Disclosure of unauthorised data 

An unauthorised disclosure Breach under GDPR happens when Personal Data is disclosed without authorisation or by accident, which can result in the destruction, loss, alteration, unauthorised disclosure, or access of Personal Data. An example of unauthorised disclosure of Personal Data under GDPR is an employee accidentally emailing a spreadsheet containing customers' Personal information to the wrong recipient.

Data transmission 

Data transmission, as used in the GDPR, describes the transfer of Personal Data from one entity to another, whether inside the same company or to a different one. This can involve emailing data, putting it on a cloud service, or sharing it with another company to process it. For example, when a company sends a customer’s Personal information to a cloud storage provider for backup purposes, this becomes data transmission. Companies can enable end-to-end encryption using email encryption certificates while sending and receiving Personal Data over email.    

Advance your career in data protection and become an expert in GDPR compliance by registering for our Certified Data Protection Officer (CDPO) course today! 

Stored data 

Personal Data kept by an organisation in any form, whether electronic, paper, or other formats, is referred to as stored data. Examples of stored data include names, addresses, email addresses, financial data, and other personally identifiable information. Cloud storage platforms and servers can also be used to store data.

Data processing 

Data processing is any activity or series of activities conducted on Personal Data, whether automated or not. The steps involved include gathering, storing, processing, sharing, and deleting Personal Data. Data Controllers are responsible for ensuring that any data processing activities they conduct comply with the law.

Conclusion

We hope this blog gave you a detailed understanding of a GDPR Data Breach, along with GDPR Breach examples and the types of Data Breaches. To prevent future breaches and comply with GDPR regulations, organisations should review their data security measures, implement appropriate technical and organisational measures, and provide employee training on data protection. One should thoroughly understand what a Data Breach is under GDPR, as non-compliance can result in significant fines and reputational damage. As a result, it is critical for businesses to understand why GDPR is important and to take proactive measures to prevent breaches.

Avoid costly non-compliance penalties and protect Personal Data effectively. Join our GDPR training course today. 
