A personal data breach is a security breach “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data,” (GDPR, Article 4.12).
Not all data breaches need to be reported to the relevant supervisory authority (e.g. the Information Commissioner Office (ICO) in the UK). However, all data breaches must be reported to your data protection officer (DPO) and recorded on the company breach register.
This article explains the three most common kinds of data breaches, and how to record and report a personal data breach under GDPR.
Three kinds of data breaches
There are three types of personal data breaches, known as the CIA triad: Confidentiality, Integrity, and Availability breaches. A security incident can cover one or more of these data breach types. Data breaches include incidents that are accidental or deliberate, irrespective of risk/harm.
1. Confidentiality Breach
A confidentiality breach occurs when someone sees or has access to personal data when they shouldn’t.
- HR accidentally emailed a payslip to the wrong recipient
- Hackers releasing passwords of your entire customer base
2. Integrity Breach
An integrity breach is when personal data is changed when they are not authorised to do so.
- A ransomware attack where your data is encrypted by a malicious party
- Hacking your social media accounts to post on your behalf
- Employees accidentally altering personal data
Many integrity breaches will also be availability breaches because your data will no longer be available to relevant parties.
3. Availability Breach
An availability breach is the “accidental or unauthorised loss of access to, or destruction of, personal data”. In other words, personal data is no longer available to relevant parties, and this lack of availability was unplanned.
- An unexpected server failure, e.g. during a power failure
- A ransomware attack where you can no longer access your data
What to do when a data breach occurs
When a breach takes place, irrespective of the intent and risk, it must be recorded and investigated.
Your investigation must determine:
- The number of people affected
- The data affected
- If the breach is a likely risk to those affected. If the risk is high, you must notify individuals before you report the breach to the supervisory authority (e.g. ICO)
- What your obligations are including who you need to inform
- What you can learn from the breach
Besides the above, your records should also include the following details of the breach:
- Description of what took place
- How did you become aware of the breach
- Description of the data e.g. is the data about addresses, birthdates, etc.
- Consequences of the breach, including if individuals were informed
- What remedial actions you will take
- The dates of when you first notified relevant parties (if applicable)
- When you first notified supervisory authorities (if relevant)
Most supervisory authorities provide a personal data breach report template on their websites.
When to report a breach
Only data breaches that are likely to “result in a risk to the rights and freedoms of natural persons” (GDPR, Article 33) should be reported to the relevant supervisory authority. You must alert the supervisory authority within 72 hours of becoming aware of the breach.
The flowchart below will help you decide if the relevant supervisory authority should be contacted. In all cases, the controller is required to document the breach and maintain the records.