Can you recognise a personal data breach under GDPR? You need to be able to, because GDPR introduced obligations on every business acting as a controller to record all personal data breaches, to notify certain ones to the regulator and to tell affected individuals about others. (Processors have their own duty under Article 33(2): to notify the controller of any breach without undue delay.)
In the time it takes to have a cup of coffee, we’ll look at exactly what a personal data breach is under GDPR.
We’ll identify the three types of breach and four Key Facts. And stay with us, as we’ll run through 20 examples from UK and EU regulators to make it real.
And you can watch our free video ‘What is a Breach for GDPR? The 3 Types & 4 Key Facts’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
So let’s see exactly what are personal data breaches under GDPR.
Well, GDPR defines ‘personal data breach’ for us, in Article 4(12), as:
‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
It’s essentially the same definition as in the EU e-Privacy Directive and PECR in the UK, so there is already a fair amount of guidance on what it means. Leaning heavily on information security best practice, regulators have boiled it down to three types of breach.
The Article 29 Working Party, the EDPB and the UK ICO all note that breaches can be categorised according to the well-known ‘CIA triad’ from information security: confidentiality, integrity and availability.
First: a Confidentiality breach – unauthorised or accidental disclosure of, or access to, personal data. Basically, someone sees it when they shouldn’t. Note that the definition covers access as well as disclosure, so an unauthorised person being able to read the data counts, even if you cannot show that they did. A common example is accidentally emailing personal data to the wrong person.
Secondly, an Integrity breach – unauthorised or accidental alteration of personal data. In other words, someone changes it when they shouldn’t. A common example is a ransomware attack encrypting your data: the encrypted files are altered data, whether or not anything was read.
And thirdly, an Availability breach – accidental or unauthorised loss of access to, or destruction of, personal data. The data is not available when it is meant to be. A common example is a server failing so that an online service is unavailable for a period of time.
The Article 29 Working Party helpfully confirmed that when personal data is unavailable because of planned system maintenance, that is not a breach, because the unavailability is not the result of a breach of security.
So we can identify four key points straight away. The first: one incident can be more than one type of breach, and you need to work out which.
Let’s say you email payroll details to the wrong person – it happens more than you think. You still have backups and other copies, so it’s not an availability breach. Those copies hold valid data, so it’s not an integrity breach. It’s ‘only’ one type of breach: a confidentiality breach.
Now let’s say you lose an unencrypted laptop with no password protection, and it holds the only copy of your email marketing subscription list. It’s a confidentiality breach, because anyone who turns on that laptop can read the data. And it’s an availability breach, because you have no backup to use when you need it.
Thirdly, a ransomware attack. The attackers had access to the data in order to encrypt it, and only they can decrypt it. So it is likely to be a combination of all three: a confidentiality breach, because the attackers could read the data (your investigation should establish whether they did, and whether any of it was copied out); an integrity breach, because the data has definitely been changed; and an availability breach, because you may not have a backup you can restore when you need it.
Okay, the second key point.
A breach is a breach is a breach, however it happens. Whether you accidentally email personal data to the wrong person or deliberately email it to the wrong person, it’s a breach. Whether you spill coffee on a server and it goes bang, or a power surge makes it go bang, it’s a breach. A breach is a breach.
And the third thing.
You can summarise a personal data breach as any security incident that affects the confidentiality, integrity or availability of personal data. Don’t fall into the trap of thinking it’s only when a hacker breaks into your system.
And a ‘super-key’ point!
A breach is a breach, whether or not there’s any harm. Note that the definition of personal data breach doesn’t mention risk at all. Under GDPR, risk comes into how you react to a breach and whether you need to notify it or not.
But a breach is a breach: you have to record it, investigate it, carry out a risk assessment to decide what your notification obligations are, and learn from it, even if at the end of the day you decide there’s no risk or harm to any individual.
Right! We’ve seen some examples, but we know you love examples as much as we do, so here are 10 from the UK ICO and 10 from the 2018 Guidelines of the Article 29 Working Party, the pre-GDPR body replaced by the EDPB, which has endorsed those Guidelines.
These breaches are a mix of confidentiality, integrity and/or availability breaches. Some are just one type, some are two, some are all three. And, again, links to all of this are in the notes.
So, those 10 from the UK ICO:
So you can see those have gone from the general to the specific.
And then 10 more examples from those EU regulators:
So there we are! We’ve established exactly what a personal data breach is under GDPR, identified the three types – the ‘CIA triad’ – and four Key Facts, and seen 20 examples from regulators.
Please do look at our other Privacy Kitchen videos, including great tips on how to prepare for a breach and taking you through how to react to a breach.
Do arrange a demo and see how the awesome breach solution in our award-winning SaaS makes recording, investigating, managing, notifying and reporting on personal data breaches easy.
Please do use #privacykitchen to tell us the topics and questions you want covered.
Stay well in the meantime and I’ll see you in Privacy Kitchen soon!