Data controllers must document any and all personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action, in order to demonstrate compliance with the data-breach notification regime.
The DPC has issued detailed guidance on the definition of a personal data breach, assessing risk notification and communication requirements, and accountability.
A personal data breach is defined as leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The term ‘personal data’ means any information concerning or relating to an identified or identifiable individual.
A personal data breach can cover a lot more than just ‘losing’ personal data and can result from accidents (such as sending an email to the wrong recipient), as well as deliberate acts (such as phishing attacks to gain access to customer data).
A personal data breach occurs in incidents where personal data is lost, destroyed, corrupted, or illegitimately disclosed.
In short, a personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data; meaning that the controller is unable to guarantee compliance with the principles relating to the processing of personal data, as outlined in Article 5 GDPR.
While all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches, the DPC says in the guidance.
Notification is not necessary where it can be demonstrated that the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”.
However, even in such cases, controllers must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.
Where a reportable data breach has occurred, this must take be notified with 72 hours.
Controllers, as part of their internal breach procedures, should have a system in place for recording how and when they become aware of personal data breaches, and how they assessed the potential risk posed by the breach, the DPC advises.