
Written by Marin Milenkoski

Posted on: September 21, 2022

What is a personal data breach?

Many companies don't take data privacy protection seriously until a data breach occurs.
A data breach is one of the worst things that can happen to a company.
If you have ever faced a data breach, you will understand the difficulties you can run into without robust protection in place.

The ICO explains in detail what a personal data breach is and how you should deal with it.
According to the ICO, following the definition in Article 4(12) of the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
This includes breaches that are the result of both accidental and deliberate causes.
It also means that a breach is more than just losing personal data.

There are three types of breach that a company might face, and a single incident can fall into more than one of them:

  • Confidentiality breach – when personal data is disclosed to, or accessed by, someone who is not authorized to see it, for example emailing personal data to the wrong person.
  • Integrity breach – an unauthorized or accidental alteration of personal data, for example a customer record being modified without permission.
  • Availability breach – an accidental or unauthorized loss of access to, or destruction of, personal data, even if temporary, for example a server failure that leaves the company unable to reach its data, or a ransomware attack that encrypts all data on the company's systems. Note that a ransomware attack in which the attacker also copied the data is a confidentiality breach as well.

The ICO provides examples of data breaches on its website, such as:

  • Access by an unauthorized third party
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data
  • Theft of a customer database, whose data may be used to commit identity fraud
  • Loss or inappropriate alteration of a staff telephone list
  • An attack on a company's network that results in personal data about its clients being unlawfully accessed
  • A hospital suffering a breach that results in accidental disclosure of patient records
  • Accidental deletion of contact details

    The GDPR introduces an obligation for every data controller to report personal data breaches to its competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
    For example, the supervisory authority in the UK is the ICO.
    The report must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if it is made later than that, the reasons for the delay must be given.
    If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company must also inform those individuals without undue delay.
    Whether or not a breach is reported, the company must keep a record of it, covering the facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
    Failing to notify the competent supervisory authority of a breach when required can result in heavy fines: under Article 83(4) of the GDPR, up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.

    Feel free to book a slot so we can have a chat on more data privacy protection related topics.

We hope you find this information useful. If you need an EU representative, have questions about the GDPR, or have received a SAR or a request from a regulator and need help, please contact us at any time. We are always happy to help.
The local GDPR team.
