Data breach

What is a data breach?

Under the General Data Protection Regulation (GDPR), a data breach is defined as a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In simpler terms, it means any breach of security that leads to personal data being compromised.
Key elements of a data breach under the GDPR include:

  • Accidental or unlawful: A data breach can happen accidentally (for example, through a technical error or human mistake) or unlawfully, when data is accessed or shared without authorisation.
  • Destruction, loss, or alteration: This covers situations where personal data is destroyed, lost, or changed in a way that affects its confidentiality, integrity, or availability.
  • Unauthorised disclosure: When personal data is shared or exposed to individuals or organisations who should not have access to it — for instance, by sending information to the wrong person or publishing it accidentally.
  • Unauthorised access: When someone gains access to personal data without proper authorisation, such as through hacking, phishing, or stolen credentials.

Not every security incident involving personal data automatically qualifies as a data breach under the GDPR.
The severity of incidents varies, and the regulation sets specific requirements for reporting and managing breaches depending on their impact.