What constitutes a personal data breach?


The definition of a ‘personal data breach’ within the GDPR provides little help to organisations in determining whether or not a breach has occurred. Helpfully, the Guidelines have categorised three types of breach:

  • Confidentiality breach: the disclosure of, or access to, the data by an unauthorised person;
  • Availability breach: the loss of access to, or destruction of, the data; and
  • Integrity breach: an alteration of the data.

The Guidelines rely upon practical examples of problems that could occur in a normal working environment. One example of a data breach that would surprise many organisations is an ‘availability breach’, where a customer’s personal data is unavailable for a certain period of time due to a system shutdown.