GDPR Jargon Buster - (Personal data) breaches

A personal data breach covers any situation where the confidentiality, integrity or availability of personal data has been compromised.It might involve malicious third parties, but breaches are often caused by negligent data handling or storage.

Article 4(12) of the UK GDPR defines a personal data breach as:
“a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”.

Article 4(12) of the UK GDPR defines a personal data breach as:

“a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”.

Key points

A personal data breach covers any situation where the confidentiality, integrity or availability of personal data has been compromised. It might involve malicious third parties, but breaches are often caused by negligent data handling or storage.

Organisations must ensure appropriate technical and security measures are in place to protect against data breaches, and such measures should be risk based.

Practical measures

The Information Commissioner’s Office (ICO) recommends that organisations implement practical measures to help manage data breach situations, such as:

Having a personal data breach management plan, to identify and respond to a potential data breach
Having a personal data breach log, to record all data breaches
Undertaking regular data breach testing, to identify and remedy any system vulnerabilities, and
Ensuring training for employees.

Recording data breaches

Organisations must record all data breaches, including:

The facts surrounding the breach
The effects of the breach, and
The remedial action taken, such as investigating root causes and further training.

A personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the Information Commissioner’s Office without undue delay, and in any event within 72 hours of becoming aware of the breach. In these cases, organisations must also promptly inform the individuals affected.

Compensation and fines

Individuals can claim compensation for financial losses or distress caused by a personal data breach.

The ICO has the authority to impose substantial fines. Fines can amount to £17.5m or 4% of the organisation's annual turnover, whichever is greater.

For more information or advice on data protection compliance, please contact Beverley Flynn or any member of the technology and commercial team.

Contact our experts for further advice

Beverley Flynn

Sinead Hughes