A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. If a breach occurs, the organisation must report it to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay. Poor breach detection, investigation or reporting increases the exposure of the data you hold and can lead to financial sanctions against your organisation. This article is a guide to identifying, managing and reporting a personal data breach.
What is a personal data breach?
A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data (article 4.12 GDPR).
Examples of incidents that are data breaches:
- Unauthorised access by a supplier
- Sending personal data to an incorrect recipient
- Loss of portable discs and storage media containing personal data
- Wrongful alteration
- Loss of availability to personal data
- Deficiencies in systems leading to the disclosure of personal data
- Incorrectly assigned authorisation
- Spoofing, phishing and malware attacks
Common causes of data breaches
- Unpatched security vulnerabilities
- Insider misuse and human error
- Malware
- Loss and/or theft of portable devices
- Weak or stolen credentials (login information)
- Insufficient guidance in policies
- Technical system errors
- Hostile (deliberate) attacks
- Unknown reasons
The three types of personal data breach
A data breach can take different forms and can be accidental or deliberate, e.g. a hacking attack. A data breach can be described as a security incident concerning personal data. A security incident that does not concern personal data is therefore not a data breach under the GDPR. If you suspect a data breach, the first step is to decide whether one has in fact occurred. As a starting point, the data controller can look at the different types of data breach to decide whether, and which type of, data breach has occurred. The Article 29 Working Party identified the following categories of data breach in its guidelines:
- “Confidentiality breach” is an unauthorised or accidental disclosure of, or access to, personal data.
- “Integrity breach” is an unauthorised or accidental alteration of personal data.
- “Availability breach” is an accidental or unauthorised loss of access to or destruction of personal data.
Once you have decided that a data breach has likely happened, you should establish its scope and assess the risk it poses. If the breach is likely to result in a risk to the rights and freedoms of natural persons, the data controller has certain obligations, and further obligations apply where the risk is likely to be high. Failure to fulfil those obligations is grounds for sanctions.
Step 1 – How to determine if the incident at hand is a personal data breach
Not all IT incidents are personal data breaches. Nevertheless, it is wise to monitor a wide range of incidents that may or may not affect individuals' privacy.
The first step is to ascertain if the incident involves any personal data. Have the personal data been affected? Then, you need to assess the consequences for the concerned individuals.
Risk focuses on the potential negative consequences for the concerned individuals. Recital 85 of the GDPR explains that: “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as the loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of the confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage.”
Examples of incidents that are unlikely to result in a risk to individuals and therefore need not be notified:
- A teacher loses a portable USB memory during a train journey. The USB contains personal information about students, grades, and contact information. The USB memory was encrypted and the key was not compromised. The portable device was lost, but the personal data remains protected by appropriate technical controls. This incident should be reported to the school's management but would likely not need to be notified further.
- A company sends an incorrect customer contact list to an event partner. The company informs the event partner immediately, and the partner deletes the information securely. Both companies are in a business relationship and are bound by confidentiality undertakings. The personal data was intact and the recipient was bound by confidentiality, so the breach is unlikely to result in a risk to the rights and freedoms of individuals and need not be reported further.
Step 2 – Does this data breach need to be reported to the supervisory authority?
If a personal data breach poses some risk to the individual, you might have to report it.
Your next assessment determines whether the data breach needs to be reported to the supervisory authority and whether the data subjects need to be informed of the incident. The following factors can be taken into account in the assessment:
- Type of incident
- The nature, sensitivity and volume of the personal data
- Identifiable personal data
- The severity of the consequences for individuals (e.g. the physical, material or non-material damage to natural persons such as the loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, or loss of confidentiality; recital 85 GDPR)
- The special characteristics of the individual
- The special characteristics of the controller
- Number of individuals affected
The above-mentioned factors can be used to decide whether there is a high risk for data subjects. For example, if special categories of data (health data, ethnicity, sexual orientation) or data that enables fraud (credentials, payment card details) are concerned, this points to a more severe risk.
Examples of data breaches that do not require notification to the supervisory authority:
When it is unlikely that the breach will lead to risks, reporting to the supervisory authority is not necessary. However, you must document your decision not to report the incident for future reference.
- Loss or inappropriate alterations of a staff contact list
- Incorrect disclosure of participant list to a conference facility. The list contained the names and addresses of 15 persons. There is no valid confidentiality undertaking between the organisations. The sender reached out to the recipient, who deleted the information. No sensitive personal data was disclosed, the number of affected individuals was low, and the data was limited.
- Power outage makes the call centre unavailable for customers for several minutes. During the outage time, customers can not access their records.
- USB containing personal data is lost. The personal data is encrypted.
- A small company suffered a ransomware attack. All personal data was encrypted by the attacker, but the attacker did not obtain the company's own encryption keys, and an investigation shows that the data was only encrypted and not exfiltrated. The personal data related to a dozen individuals, there were no consequences for daily business, and the data was restored from a backup a few hours after the incident occurred.
Step 3 – When to notify the concerned individuals of a personal data breach
Where the breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify the data subjects. You shall contact the individuals directly and without undue delay.
The threshold for notifying individuals (“likely to result in a high risk”) is higher than the threshold for notifying the supervisory authority (which applies unless the breach is “unlikely to result in a risk”). Every breach that must be communicated to individuals must therefore also be notified to the supervisory authority, but not vice versa.
Examples of data breaches that must be reported to the individuals:
The EDPB has in its Guidelines 09/2022 highlighted when individuals must be notified about a data breach. One example described is the situation of a controller operating an online marketplace with customers in multiple Member States. The marketplace suffers a cyber-attack. Personal data, including usernames, passwords and purchase history, are published online by the attacker. This should be reported to the lead supervisory authority if it involves cross-border processing. As it could lead to high risks, the individuals shall also be notified in this example.
To illustrate a high risk, we will look at a case by the British supervisory authority, the ICO, against the airline British Airways. In this case, the ICO issued a fine of £20 million for a data breach in 2018. It affected about 400,000 of the company's customers and was caused by a hacking attack. The attackers stole data including login details, payment card details, travel booking details, and name and address information. The subsequent investigation concluded that sufficient security measures had not been in place.
According to the ICO, British Airways was processing a significant amount of personal data without adequate security. A large number of data subjects were affected, and the personal data included payment card numbers, which expose individuals to fraud. The ICO's view was that the loss of payment card information causes concern and risk to data subjects and is not to be trivialised. This case illustrates a breach where both the supervisory authority and the data subjects must be notified.
Information to concerned individuals
In certain cases, in addition to notifying the supervisory authority, the controller must communicate the breach to the affected individuals. This must be done where the breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34 GDPR).
The data subjects should be notified without undue delay so they can take precautions and mitigate any risk they might face. The main objective of notification to individuals is to give them specific information about the steps they should take to protect themselves. The communication shall describe, in clear and plain language, the nature of the breach and shall at least contain the contact details of the Data Protection Officer or other contact point, the likely consequences of the breach, and the measures taken or proposed by the controller to address the breach and mitigate its possible adverse effects (Article 34(2) GDPR).
It may be an obstacle if the controller has no contact details for the data subjects, or it may be a disproportionate effort to notify every data subject concerned. In such a case, public communication or a similar measure may be used instead, provided the data subjects are informed in an equally effective manner.
The 72 hour-rule under the GDPR
Reporting in time
Companies and organisations must report the data breach to the supervisory authority concerned within 72 hours of becoming aware of the data breach. This may raise the question of when a controller can be considered to have become “aware” of a breach. With “aware”, the EDPB states in its guidelines that it refers to “when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”. And the meaning of that? We will break it down for you.
When the 72 hours starts
First, when a controller becomes “aware” depends on the kind of breach. If you drop a USB key containing personal data, you become “aware” when the data controller realises the USB key is lost. Even though it may be uncertain whether anyone has gained access to the information on the USB key, the data controller shall act as if that is the case.
Another case is where the data controller is notified by a third party that they have accidentally received data. When the controller has been presented with clear evidence of a confidentiality breach, there can be no doubt that the controller is “aware” of the breach. If the data controller itself detects a possible intrusion into its network and confirms that personal data in the system has been compromised, it is likewise “aware” of a data breach.
A last example is where an attacker contacts the controller demanding a ransom (or similar). When the data controller checks its systems and confirms that an attack has happened, the data controller is “aware” of the data breach.
Becoming aware therefore means that the data controller can confirm with a reasonable degree of certainty that a breach has occurred. When the data controller merely suspects a breach, it needs to investigate promptly to confirm whether that is the case. This short period of investigation does not count towards the 72-hour notification period, since the controller is not yet “aware”; it must, however, be kept short, and the controller cannot postpone awareness by delaying the investigation.
How to report the data breach to the supervisory authority
To which supervisory authority shall you notify?
As stated in Article 33 of the GDPR, the controller shall notify the supervisory authority competent in accordance with Article 55 of the GDPR. Article 55 of the GDPR states:
“Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.”
In our global landscape, it is common for organisations to exist cross-border with sub-divisions in different countries. In that case, it may not be that clear which supervisory authority to report to. Nevertheless, Article 56 of the GDPR states what to do in these cross-border situations:
“Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.”
In case of a cross-border data breach, the controller must thus report to the lead supervisory authority. Therefore, the controller may also need to assess which supervisory authority is the lead supervisory authority that it will need to notify.
What the notification to the supervisory authority must include
When reporting to a supervisory authority, the following should be included:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the contact details of the Data Protection Officer or other contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures the controller has taken or proposes to take to contain and resolve the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- whether the affected data subjects have been notified and, if not, why not.
The GDPR allows for notifications in phases, and the first notification must happen within 72 hours.
In case of cross-border data breaches, the controller should also indicate whether the breach involves establishments located in other Member States. The controller should include information about which Member States data subjects are likely affected by the breach.
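The following is an added example, not code from the original article or from any supervisory authority. It turns Steps 1 to 3 above, the 72-hour clock that starts at “awareness”, and the Article 33(3) content of a notification into a small triage helper of the kind an incident-response team can put in its breach playbook. The risk heuristics, the `LARGE_SCALE` threshold and the sample incidents are this example's assumptions; they approximate the article's reasoning and are not the GDPR's wording, so the output is a draft for the DPO to review, not the decision itself.

```python
"""Breach-triage helper (added example): Steps 1-3 as a decision tree, the 72-hour
clock that starts at "awareness", and the Article 33(3) fields of a notification."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

LARGE_SCALE = 1000  # assumed threshold: above this many subjects an exposed breach is high risk


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass
class Incident:
    summary: str
    personal_data_involved: bool
    disclosed_or_accessed: bool = False     # unauthorised disclosure or possible access
    altered: bool = False                   # unauthorised alteration
    lost_or_destroyed: bool = False         # loss of access or destruction (incl. ransomware)
    encrypted_key_safe: bool = False        # data encrypted and the key not compromised
    recipient_deleted: bool = False         # wrong recipient confirmed secure deletion
    sensitive_data: bool = False            # special categories, credentials, payment data
    availability_restored_promptly: bool = False
    data_subjects: int = 0
    aware_at: Optional[datetime] = None     # when the controller became "aware"


def classify(inc: Incident) -> set:
    """Step 1: which of the three breach types apply; an empty set means no breach."""
    if not inc.personal_data_involved:
        return set()
    types = set()
    # Encryption with an uncompromised key neutralises confidentiality, not availability.
    if inc.disclosed_or_accessed and not inc.encrypted_key_safe:
        types.add(BreachType.CONFIDENTIALITY)
    if inc.altered:
        types.add(BreachType.INTEGRITY)
    if inc.lost_or_destroyed:
        types.add(BreachType.AVAILABILITY)
    return types


def risk_level(inc: Incident) -> str:
    """Steps 2-3: 'none', 'unlikely', 'risk' or 'high' (assumed heuristics, not law)."""
    types = classify(inc)
    if not types:
        return "none"
    confidentiality = BreachType.CONFIDENTIALITY in types and not inc.recipient_deleted
    availability = BreachType.AVAILABILITY in types and not inc.availability_restored_promptly
    if not (confidentiality or BreachType.INTEGRITY in types or availability):
        return "unlikely"  # a breach occurred but was contained before it could cause harm
    if inc.sensitive_data or inc.data_subjects > LARGE_SCALE:
        return "high"
    return "risk"


def sa_deadline(aware_at: datetime) -> datetime:
    """Article 33(1): the first notification is due 72 hours after awareness."""
    return aware_at + timedelta(hours=72)


def obligations(inc: Incident) -> dict:
    """The article's three decisions plus the Article 33(5) duty to record every breach."""
    level = risk_level(inc)
    notify_sa = level in ("risk", "high")
    return {
        "is_breach": level != "none",
        "types": sorted(t.value for t in classify(inc)),
        "risk": level,
        "notify_supervisory_authority": notify_sa,
        "notify_individuals": level == "high",
        "sa_deadline": sa_deadline(inc.aware_at) if notify_sa and inc.aware_at else None,
        "document_internally": level != "none",
    }


def notification_draft(inc: Incident, dpo_contact: str, consequences: str, measures: str) -> dict:
    """Article 33(3) content; what is unknown at 72 hours follows in a later phase (33(4))."""
    return {
        "nature_of_breach": inc.summary,
        "approx_data_subjects": inc.data_subjects,
        "dpo_contact": dpo_contact,
        "likely_consequences": consequences,
        "measures_taken_or_proposed": measures,
    }


# Constructed samples mirroring the article's examples (not real incidents).
AWARE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
USB = Incident("Encrypted USB stick lost on a train", True, disclosed_or_accessed=True,
               lost_or_destroyed=True, encrypted_key_safe=True,
               availability_restored_promptly=True, data_subjects=30, aware_at=AWARE)
MARKETPLACE = Incident("Usernames, passwords and purchase history published by an attacker",
                       True, disclosed_or_accessed=True, sensitive_data=True,
                       data_subjects=250_000, aware_at=AWARE)
```

Running `obligations(USB)` yields an availability breach with risk “unlikely”: no notification, but the incident still goes in the internal register. `obligations(MARKETPLACE)` yields a confidentiality breach with risk “high”, both notifications, and a supervisory-authority deadline 72 hours after `aware_at`, which is the awareness timestamp and not the time of the attack. Note that every field of `Incident` is a finding the investigation has to produce; the helper only makes the decision tree explicit and repeatable.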
Remember to safeguard the confidentiality of the content of the report
In countries where public authorities are subject to freedom-of-information rules (Sweden and the UK, for example), you must specifically request, and give reasons, that your notification remain confidential.
In Sweden, documents sent to an authority may be public documents under the Swedish Freedom of the Press Act (1949:105), available to the public upon request. The principle of public access to official documents is a fundamental principle in Sweden. Public access is, however, restricted by secrecy in some cases, which is regulated by the Public Access to Information and Secrecy Act (2009:400). A breach notification sent to the authority therefore becomes a public document. It is important to explain why it should remain confidential and be protected by secrecy, so that the authority understands which information you consider confidential. For example, secrecy applies to supervision matters handled by IMY according to chapter 32, section 1 of the Public Access to Information and Secrecy Act (2009:400).
What happens if we fail to notify the supervisory authority?
Failing to notify the supervisory authority or the affected individuals when you should have done so may result in a fine of 10 million euros or up to 2 % of global turnover, whichever is higher, according to Article 83 of the GDPR. The fine can also be combined with other corrective powers under Article 58 of the GDPR. Those measures include:
- Warnings,
- Reprimands,
- Order to comply with a data subject’s request,
- Order to bring processing into compliance,
- Order the controller to communicate a personal data breach,
- A temporary or definitive ban on processing
- Order the rectification or erasure of personal data or restriction of processing
- Withdraw a certification or order the certification body to withdraw a certification
- Order the suspension of data flows to a recipient in a third country or an international organisation.
Non-compliance with the orders listed above may result in even higher fines. In such case, the administrative fine can be up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
How to document the data breach internally
Regardless of whether or not a breach needs to be notified to the supervisory authority, the controller must document every breach (Article 33(5) GDPR). The documentation should cover the evaluation and assessment of the breach. If you have concluded that the supervisory authority and the individuals do not need to be notified, that reasoning must also be included, so that the supervisory authority can verify your compliance afterwards. The record shall include the facts relating to the breach, its cause, its effects and the personal data affected. The remedial action taken by the controller should also be documented.
The Data Protection Officer should also be involved. The duties of the DPO are set out in Article 39 of the GDPR and include monitoring compliance with the Regulation. In relation to data breaches, the DPO informs and advises the controller, monitors compliance and acts as the contact point for the supervisory authority, and the controller may want to obtain the DPO's opinion on the assessment. The DPO should be informed without delay about a data breach and be involved throughout the breach management and notification process.
Organisations having a Data Breach Policy should ensure that such policies are complied with. For example, such a policy may state that IT or other important persons should be involved. It can also include a process for notification and internal responsibility for steps in the process.
Is a data breach a criminal offence?
In some EU member states, a data breach may also give rise to personal liability or constitute a criminal offence. In the UK, national legislation (the Data Protection Act 2018, section 170) makes it a criminal offence to:
- Knowingly or recklessly obtain, disclose or procure personal data without the consent of the data controller.
- Sell the data on which an offence has been committed.
- Recklessly retain personal data without the consent of the data controller, even if it was obtained lawfully.
A director may also be held liable under UK law. Where an offence has been committed by a body corporate and it is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, a director, manager, secretary or similar officer, that officer is also guilty of the offence (Data Protection Act 2018, section 198).
Another example is Germany, where a data breach can also constitute a criminal offence. Under national legislation (the Federal Data Protection Act of 2017, section 42) it is a crime to:
- Deliberately transfer to a third party, or otherwise make accessible, the personal data of a large number of people that are not publicly accessible, without authorisation and for commercial purposes.
- Process non-publicly accessible personal data without authorisation, or fraudulently procure them, in return for payment or with the intention of enriching oneself or someone else or of harming someone.
What about your contractual obligations towards your customers?
Early in an incident, keep in mind any additional obligations you have towards partners, customers, end users and your own personnel. Review the relevant contracts and policies to assess whether you have specific time-bound obligations, such as notifying a particular customer within 24 hours of an incident.
If you hold your customers' data on their behalf, you are a data processor and are under an obligation to notify the controller without undue delay after becoming aware of a breach (Article 33(2) GDPR) and to pass on the information the controller needs for its own notification. Review your data processing agreements for any specific obligations, deadlines and contact persons whom you must involve in your crisis management.
Anything else to take into account?
You may have additional obligations under other laws to report data breaches, for example:
- A communications service provider must notify the supervisory authority of a breach within 24 hours under the Privacy and Electronic Communications Regulations (PECR), following the PECR-specific notification procedure.
- An operator of essential services or a digital service provider must report incidents under the NIS Directive as implemented nationally. If the incident is also a personal data breach under the GDPR, you must follow both the GDPR and the NIS processes.
The guidelines on personal data breach notification under Regulation 2016/679 (WP250 rev.01), endorsed by the EDPB and since updated as EDPB Guidelines 9/2022, remain the main source of additional guidance.
Notable personal data breach case law
The French supervisory authority CNIL fined the company FREE, among other things because it failed to document a personal data breach properly: the documentation it had established did not list all the measures taken to remedy the incident. CNIL also found that FREE had failed to respect individuals' right of access and right to erasure and to ensure the security of personal data. In total, FREE was fined EUR 300,000.