Personal Data Breach and GDPR

The 3 Types, 4 Key Facts and 20 Examples from Regulators!

Can you recognise a personal data breach under GDPR?  Well, you need to be able to, because GDPR introduced obligations on every business, as a controller, to record all personal data breaches, to notify some of them to the regulator and, where the risk to individuals is high, to tell the affected individuals as well.

In the time it takes to have a cup of coffee, we’ll look at exactly what is a personal data breach under GDPR.

We’ll identify the three types of breach, and we’ll look at four Key Facts.  And stay with us, as we’ll run through 20 examples from UK and EU regulators to make it real.

And you can watch our free video ‘What is a Breach for GDPR?  The 3 Types & 4 Key Facts’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

So let’s see exactly what are personal data breaches under GDPR.

What is a personal data breach for GDPR?

Well, GDPR helpfully defines ‘personal data breach’ (in Article 4(12)) as:

‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’

It’s essentially the same definition as in the EU e-Privacy Directive and in PECR in the UK, so we’ve got quite a lot of guidance on what it means.  Leaning on established security practice, regulators have boiled it down to three types of breach.

Now the Article 29 Working Party, the EDPB and the UK ICO all note that breaches can be categorised according to the well known ‘CIA triad‘ from Security.

Confidentiality

First: Confidentiality breach – unauthorised or accidental disclosure of, or access to personal data.  Basically, someone sees it when they shouldn’t.  A common example is accidentally emailing personal data to the wrong person.

Integrity

Secondly, an Integrity breach – an unauthorised or accidental alteration of personal data.  In other words, someone changes it when they shouldn’t.  A common example is a ransomware attack encrypting your data: the data has been altered (and, as we’ll see below, the same attack usually breaches availability and often confidentiality too).

Availability

Thirdly, an Availability breach – an accidental or unauthorised loss of access to, or destruction of, personal data.  The data is not available when it’s meant to be.  A common example is a server failure that takes an online service down for a period of time.

Security breach needed

Now the Article 29 Working Party helpfully confirmed that when personal data is unavailable because planned system maintenance is being carried out, that’s not a breach, because the unavailability isn’t caused by a breach of security.

Four Key Facts

So we can identify four key points straightaway.

#1  A breach can be 1, 2 or all 3 types

Let’s say you email payroll details to the wrong person – happens more than you think!  You’ve got backups and other copies – it’s not an availability breach.  The copies have valid data, so it’s not an integrity breach.  It’s ‘only’ one type of breach – it’s a confidentiality breach.

Okay, now let’s say you accidentally lose an unencrypted laptop, with no password protection, and it’s got the only copy of your subscription email marketing list.  It’s a confidentiality breach because anyone who turns on that laptop can see the data.  And it’s an availability breach because you’ve got no backup to use when you need it.

Thirdly, if there’s a ransomware attack, the attackers had access to the data in order to encrypt it, and only they can decrypt it.  So it’s likely to be a combination of all three: a confidentiality breach, because they could read the data (and may already have taken a copy); an integrity breach, because the data has definitely been changed; and an availability breach, because you may not have a backup you can use when you need it.

Okay, the second key point.

#2  A breach can be accidental or deliberate

A breach is a breach is a breach, whether you accidentally email personal data to the wrong person or deliberately email it to the wrong person.  You might accidentally spill coffee on a server so it goes bang, or a power surge might make it go bang.  Either way, a breach is a breach.

And the third thing.

#3  It’s a very broad definition

You could summarise a personal data breach as any incident that affects the confidentiality, integrity or availability of personal data.  Don’t fall into the trap of thinking it’s only when a hacker breaks into your system.

And a ‘super-key’ point!

#4  Risk isn’t in the definition

A breach is a breach, whether or not there’s any harm.  Note that that definition of personal data breach doesn’t mention risk at all.  Under GDPR, risk comes into how you react to a breach and whether you need to notify it or not.

But a breach is a breach: you have to record it, you have to investigate it, do a risk assessment to decide what your notification obligations are, you have to learn from it even if, at the end of the day, you decide there’s no risk or harm to any individual.

20 Examples!

Right! Well, we’ve seen some examples, but we know you love examples as much as we do, so here are 10 from the UK ICO and 10 from the 2018 Guidelines of the Article 29 Working Party (the pre-GDPR body replaced by the EDPB, which has endorsed those Guidelines).

Now, these breaches are a mix of confidentiality, integrity and/or availability breaches. Some are just one type, some are two, some are all three. And, again, links to all of this are in the notes.

10 from the UK ICO

So, those 10 from the UK ICO:

  1. access by an unauthorised third party,
  2. sending personal data to an incorrect recipient,
  3. computing devices containing personal data being lost or stolen,
  4. alteration of personal data without permission,
  5. loss of availability of personal data,
  6. the theft of a customer database,
  7. the loss or inappropriate alteration of a staff telephone list,
  8. an attack on an IT firm’s network resulting in personal data about its clients being unlawfully accessed,
  9. accidental disclosure of patient records, and
  10. accidental deletion of a university’s alumni contact details.

So you can see those have gone from the general to the specific.

And 10 from A29 / EDPB

And then 10 more examples from those EU regulators:

  1. a device containing a copy of a controller’s customer database has been lost or stolen,
  2. the only copy of a set of personal data has been encrypted by ransomware,
  3. the only copy of a set of personal data has been encrypted by the controller using a key that’s no longer in their possession,
  4. data is deleted, either accidentally or by an unauthorised person,
  5. experiencing a power failure or denial of service attack rendering personal data unavailable,
  6. loss of a USB key with unencrypted personal data,
  7. a brief power outage lasting several minutes at a controller’s call centre meaning customers are unable to call the controller and access their records,
  8. medical records in a hospital unavailable for a period of hours due to a cyber attack,
  9. personal data on a large number of students mistakenly sent to the wrong mailing list, and, a very common one,
  10. a direct marketing email sent with all recipients in the ‘To’ field or the ‘cc’ field, so everyone can see everyone else’s email address.
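
Example 10 is easy to reproduce and easy to prevent. As an added illustration (not from the ICO, the Article 29 Working Party or this page), here is a small Python check that flags an outgoing message carrying more than one visible recipient in ‘To’ or ‘Cc’, next to a builder that puts the mailing list in ‘Bcc’ instead. The addresses and message text are constructed for the example.

```python
"""Check outgoing bulk mail for the recipient-disclosure mistake in example 10:
many recipients placed in 'To' or 'Cc', so every recipient sees everyone else's
address. Added illustration; the message below is constructed, not a real one."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed example of the mistake: three customers visible to each other.
BAD_MAIL = """From: news@example.com
To: alice@example.org, bob@example.net, carol@example.co.uk
Subject: Newsletter

Hello all
"""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc.
    Bcc is deliberately excluded; the sending MTA strips it before delivery."""
    raw = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def check_recipient_disclosure(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Return a list of findings; an empty list means the message is safe to send.

    A bulk mailing should carry at most one visible recipient (typically the
    sender's own list address); individual recipients belong in Bcc, or in one
    message per recipient.
    """
    findings = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        findings.append(
            f"{len(visible)} recipient addresses visible in To/Cc: "
            "each recipient will see all of the others"
        )
    return findings


def build_bulk_mail(sender: str, list_addr: str, recipients: list[str],
                    subject: str, body: str) -> EmailMessage:
    """Build a bulk message that hides the recipients from one another.
    smtplib.send_message() uses the Bcc header for the envelope recipients and
    removes it from the copy it transmits, so recipients never see the list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_addr             # the single address everyone may see
    msg["Bcc"] = ", ".join(recipients)  # hidden from recipients
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def demo() -> tuple[list[str], list[str]]:
    """Run the check against the constructed bad message and a corrected one."""
    bad = message_from_string(BAD_MAIL, policy=policy.default)
    good = build_bulk_mail(
        "news@example.com", "newsletter@example.com",
        ["alice@example.org", "bob@example.net", "carol@example.co.uk"],
        "Newsletter", "Hello all",
    )
    return check_recipient_disclosure(bad), check_recipient_disclosure(good)


if __name__ == "__main__":
    bad_findings, good_findings = demo()
    print("bad message:", bad_findings or "no findings")
    print("good message:", good_findings or "no findings")
```

Wire a check like this into whatever sends your bulk mail, so a message with more than one visible recipient is blocked before it leaves, not recorded afterwards in your breach register.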

So there we are!  We’ve established exactly what a personal data breach is under GDPR and we’ve identified the three types – the ‘CIA triad’ – we’ve also identified four Key Facts, and we’ve seen 20 examples from regulators!

Please do look at our other Privacy Kitchen videos, including great tips on how to prepare for a breach and taking you through how to react to a breach.

Do arrange a demo and see how the awesome breach solution in our award-winning SaaS makes recording, investigating, managing, notifying and reporting on personal data breaches easy.

Please do use #privacykitchen to tell us the topics and questions you want covered.

Stay well in the meantime and I’ll see you in Privacy Kitchen soon!
