Data Breach Guide: What Is a GDPR Breach?

In the last 12 months, 32% of businesses and 24% of charities have been the victim of a cyber security breach. This alarming statistic shows how regularly a breach can happen to any organisation, so preparation is vital.

In November 2023, a UK council accidentally leaked information about over 2,000 staff and councillors. It now faces a six-figure fine for this mistake. Discover what constitutes a data breach and how you can manage one here.

What Is a Data Breach?

A personal data breach is an accidental or unlawful loss, destruction or modification of, unauthorised disclosure of, or unauthorised access to, personal data. It can lead to severe consequences, including legal action, financial loss and reputational damage.

During the first half of 2023, 6 million data records were exposed worldwide through misconduct or malicious intent. When data is compromised on this scale, individuals are at risk of identity theft, fraud, financial loss, reputational damage and more.

What Counts as a Breach of GDPR?

A GDPR breach can result from accidental or intentional causes. Many organisations unknowingly commit one and never report it. To help you avoid this, we’ve outlined example GDPR breaches below:

  • Disclosing private data online, such as home addresses, national insurance numbers and contact details.
  • Emailing sensitive files to the wrong recipient, including financial or medical records.
  • Losing devices with unredacted files, potentially exposing sensitive information.
  • Falling for phishing attacks and disclosing login credentials on fake websites.
  • Altering an individual’s data without permission.

How Quickly Should a Data Breach Be Reported?

According to part 3, chapter 4 of the Data Protection Act 2018, data controllers must report a data breach to the ICO within 72 hours of becoming aware of it if it’s likely to affect individuals’ rights and freedoms.

A breach is reportable where it could lead to any of the following harms to individuals:

  • Reputational damage;
  • Discrimination;
  • Financial loss;
  • Loss of data confidentiality; or
  • Other economic or social harm.

It’s crucial to treat every breach seriously, as unaddressed ones can further harm individuals.

How to Report a GDPR Breach

Once you’ve identified the GDPR breach, the clock starts ticking. Your report to the ICO must include a description of the breach, the number of individuals affected and the number of personal data records involved.

You also need to include the contact details of your Data Protection Officer (if you employ one), the likely consequences of the breach, and an outline of the measures you intend to take, including any that were not yet in place at the time.

What Is the Maximum Fine for a GDPR Breach?

For severe breaches, the ICO can fine a company up to £17.5 million or 4% of its annual worldwide turnover. In 2020, the ICO fined British Airways £20 million for a significant data breach. No matter the size of the breach, never leave it unaddressed. It’s not worth the risk.

What Happens if an Employee Breaches GDPR?

You must report any breach to the ICO if it harms others. Every organisation should set protocols for instances like this, including grounds for dismissal. Prevent these breaches with our GDPR training courses covering the essentials of workplace data protection.

Want to learn more about data breaches? Head to parts one and two of our GDPR breach podcast series, which review how to manage and avoid potential violations.

Resolve Data Breaches with Our GDPR Support Desk

Don’t gamble on GDPR fines. Trust our experts to swiftly handle data breaches. We offer top-tier GDPR Support Desk packages for all issues. Contact us to discover how we can help you resolve a data breach.