Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data; unless it is unlikely to result in a risk to individuals, it must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours under Art. 33 GDPR.
A data breach (in the GDPR's terminology, a "personal data breach") is defined in Art. 4(12) GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Data breaches can be technical in nature, such as hacking attacks, ransomware, or system failures, or caused by human error, such as accidentally sending an email containing customer data to the wrong recipient. Note that the definition covers more than disclosure: a ransomware incident that only encrypts data and makes it unavailable, without exfiltration, is still a breach because it involves loss of access to the data.
Data breaches trigger strict notification obligations. Under Art. 33(1) GDPR, the controller must notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The 72-hour period runs from the moment of awareness, not from the moment the breach occurred, and it does not pause for weekends or public holidays; a notification made later than 72 hours must be accompanied by reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay (Art. 33(2)). The notification must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), the likely consequences, and the measures taken or proposed to address it, together with the contact details of the data protection officer or another contact point (Art. 33(3)). Where not all of this information is available at once, it may be provided in phases without further undue delay (Art. 33(4)). Under Art. 34 GDPR, there is an additional obligation to communicate the breach directly to the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
For compliance officers, this means that effective data breach management requires clear internal escalation paths so that incidents are identified, assessed, and decided on promptly; the 72-hour clock means that an incident reported on a Friday evening cannot wait until Monday. All data breaches must be documented internally under Art. 33(5) GDPR, including those assessed as not requiring notification, with the facts of the breach, its effects, and the remedial action taken. This record protects the organisation, allows the supervisory authority to verify compliance, and enables later review of the decisions taken. A well-established incident response process, exercised through regular drills, is an essential component of a mature data protection management system.
Legal Basis
Art. 33, 34 GDPR
Practical Example
On a Friday evening, your IT department reports that a field sales employee's laptop has been stolen. The device contains unencrypted customer data for approximately 300 individuals, including names, addresses, and contract numbers. As compliance officer, you immediately assess the risk: since personal data is affected and, because the disk is not encrypted, whoever holds the device can read it, there is a real risk of unauthorised access, so this constitutes a notifiable data breach. The 72-hour period started when IT informed you, so you notify the competent supervisory authority via the online reporting portal over the weekend, document the incident internally, and assess whether communication to the affected individuals is required under Art. 34 GDPR. You simultaneously initiate immediate measures: remote locking and wiping of the device, filing a criminal complaint, and reviewing the encryption policy for mobile devices. Had the laptop been protected by full-disk encryption with a key not available to the thief, the assessment would differ: the data would remain unintelligible to any unauthorised person, which under Art. 34(3)(a) removes the obligation to communicate the breach to the individuals, although the breach itself must still be documented and the notification to the supervisory authority assessed on its own merits.