To deal with a personal data breach, the controller must first be able to recognise a breach.

A security breach to the GDPR is a breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Only the events leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data are covered by the GDPR’s definition of a personal data breach.

For example, a personal data breach may occur when the controller’s software is not sufficiently secured to allow outsiders to access personal data (e.g. hacking).

However, it may also be the controller’s handling of the personal data itself that may cause a breach, for example, if the controller unauthorisedly discloses or modifies the personal data. 

Another example, the controller may also unlawfully or, as a result of an unanticipated event (e.g. fire or flood), not have access to the personal data or ends up destroying the personal data.

Examples of personal data breaches:

1. Persons other than the authorised controller(s) have (unauthorised) access to personal data. This can be both persons outside or within the controller’s organisation.
2. The controller’s employees accidentally modify or delete personal data.
3. Unauthorised persons may gain access to personal data – e.g. national identification number, credit card details, etc.
4. Employees may unknowingly or knowingly pass on personal data of one citizen/customer to another citizen/customer – or even to several other persons concerned.
5. The lack of encryption of the controller’s website, e.g. a customer login, could result in one or more unauthorised persons gaining direct access to the customer’s data.

When a breach is not handled in an appropriate and timely manner, it may cause physical, material or immaterial harm to persons e.g. 

• a loss of control over their data or restriction of their rights,
• discrimination, 
• identity theft or fraud, 
• financial loss, 
• unauthorised removal of pseudonymisation, 
• damage to reputation, 
• loss of confidentiality of information covered by professional secrecy.

Generally, one must report all personal data breaches to the Data Protection Authority. No notification is required if it is unlikely that the personal data breach risks the rights or freedoms of natural persons.

A risk to the rights and freedoms of natural persons includes:

• Discrimination.
• Identity theft or fraud.
• Financial loss.
• Damage to reputation.
• Loss of confidentiality of data confidentiality or any other significant economic or social disadvantage to the data subject.

The controller must assess the likelihood of the breach posing a risk to the rights of the individuals concerned immediately after becoming aware of the breach. 

One should always take the following factors into account in the assessment of the risk to the rights and freedoms of data subjects resulting from a personal data breach:

• The type of security breach, including whether there has been a loss of data, a breach of confidentiality or a breach of integrity;
• The nature and extent of the data;
• The risk that data subjects can be identified;
• Consequences the breach may have on data subjects;
• Whether the breach involves specific data subjects (e.g. if children or vulnerable persons);
• the number of natural persons affected;

The controller shall document all personal data breaches, including the facts of the personal data breach, its effects and the remedial measures taken.

In this context, it is irrelevant whether the controller is obliged to notify the breach to the Data Protection Authority. 

This documentation obligation aims to enable the Data Protection Authority to check whether the obligation to notify certain breaches has been complied with. 

The documentation must contain information about the breach,

including the facts of the breach, its effects and the remedial 

measures. The requirements for documentation can also be as follows.

• Date and time of the breach
• What happened during the breach?
• What is the cause of the breach?
• Which (types of) personal data are affected by the breach?
• What are the consequences of the breach for the persons concerned?
• What remedial measures have been taken?
• Have you notified the Data Protection Authority?