Personal data breach – Overview

Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether that data is stored, transmitted or otherwise processed.

GDPR aims to ensure that all firms take personal data seriously and look after it with great care. A data breach is a serious event with potentially serious repercussions for both the firm and any of the individuals affected.

All firms are required to keep a log of any and all breaches; even the smallest incidents should be recorded. The log should describe the incident itself, its cause, its repercussions, the risk of further damage, the data affected and the measures taken to mitigate the risk of further damage. You can explore our template for such an incident log here.

Personal data breach – reporting

Breaches likely to impact the rights and freedoms of individuals must be reported to the supervisory authority and potentially to the affected individuals themselves.

It is vital that firms implement appropriate technical and organisational measures to avoid possible data breaches. At the same time, firms need to make sure their systems are monitored for data breaches: one cannot report a personal data breach if one has no way of detecting it. Specialised software exists to detect system intrusions, and you should confirm with your software vendors and IT teams that such tooling is deployed for your processing.

Not all data breaches are caused by malicious third parties such as hackers. There are plenty of examples of accidental loss or accidental unauthorised access:

  • A member of staff loses a USB stick/drive holding personal data files, with neither the drive nor the files encrypted
  • A member of the sales staff accidentally posts a revenue report containing customers' names and financial details on the public website rather than the intranet team site
  • A member of staff attaches the wrong file to an email, resulting in accidental disclosure of personal data
  • A member of staff accidentally deletes client records leading to loss of personal data

A corporate culture where data security & privacy are a core value will not only help prevent such accidents, it will often also help minimise their impact. Addressing the human factor, by ensuring all staff go through regular security & privacy awareness training, is key to establishing the right security & privacy culture.