FAQs
What do I do if there is a security breach?
A personal data breach under the General Data Protection Regulation (GDPR) is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Data controllers are therefore required to have in place appropriate security measures to prevent both internal and external unauthorised access to personal data that is under their control.
Organisations are required to report personal data breaches to the Data Protection Commission (DPC), or their relevant supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals. Organisations must do this without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; if notification is made after 72 hours, the reasons for the delay must be given. In addition, where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.
If data controllers determine that a personal data breach presents no risk to natural persons and so does not need to be notified, they must still keep an internal record of the breach. That record should cover the facts of the breach, its effects and the remedial action taken, together with the reasoning used to decide that there was no risk, who made that decision, and the risk rating that was recorded. This record is what allows a supervisory authority to verify that the decision not to notify was justified.
For more information, read our practical guide to personal data breach notifications under the GDPR.
You can also download the European Data Protection Board’s (EDPB) Guidelines 01/2021 on Examples Regarding Data Breach Notification (PDF, 325kb).