Data Breach

A data breach is a security incident that leads to unauthorised access to, loss of or alteration of personal data. The GDPR requires you to notify the Danish Data Protection Agency within 72 hours, and in certain cases also inform the affected individuals.

    What is a data breach?

    A data breach (also called a personal data breach) is defined in GDPR Article 4(12). It covers any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

    It is important to understand that a data breach is not only about hacking. An employee who sends an email containing personal data to the wrong recipient is also a data breach. The same applies to the loss of a USB drive with customer data or the unintentional deletion of data without backup.

    As a data controller, you have a duty to detect, assess and handle data breaches. Your data processors must, pursuant to the data processing agreement, notify you without undue delay if they discover a breach.

    Types of data breach

    The GDPR and the European Data Protection Board (EDPB) distinguish between three types of data breach:

    • Confidentiality breach: Unauthorised or unintentional disclosure of, or access to, personal data. Example: a hacker gains access to a customer database.
    • Integrity breach: Unintentional or unauthorised alteration of personal data. Example: a system error changes customer records.
    • Availability breach: Unintentional or unauthorised loss of access to personal data. Example: a ransomware attack encrypts the database and you cannot access the data.

    A single breach can fall into several categories simultaneously. A ransomware attack may, for example, result in both loss of access (availability) and a risk that the attacker has copied data (confidentiality).

    Notification to the Data Protection Agency

    GDPR Article 33 requires you to notify the Danish Data Protection Agency within 72 hours of becoming aware of the breach. The deadline applies unless the breach is unlikely to result in a risk to data subjects' rights and freedoms.

    The notification must at a minimum contain:

    • A description of the breach, including the categories and approximate number of affected data subjects
    • Contact details of your DPO or other contact person
    • A description of the likely consequences
    • The measures you have taken or propose to take

    If the breach is likely to result in a high risk to data subjects, you must also inform them directly (Article 34). This applies, for example, if sensitive data has been leaked to the public.

    Even breaches that need not be notified must be documented internally. The Data Protection Agency may ask to see your internal log of data breaches during inspections.

    Handling and prevention

    A good contingency plan for data breaches contains clear procedures for who does what, and when. The plan should cover:

    • Detection: Ensure logging and monitoring that make it possible to detect breaches quickly.
    • Containment: Stop the breach and limit the damage. Lock compromised accounts and isolate affected systems.
    • Assessment: Determine the scope, the type of data and the number of affected data subjects.
    • Notification: Notify the Data Protection Agency and inform data subjects where necessary.
    • Post-incident review: Evaluate the incident, update measures and document in your record of processing activities.

    Prevention is about solid processing security. Encryption, access control and regular staff training significantly reduce the risk. Privacy by design ensures that security is built in from the start.

    Frequently Asked Questions about Data Breach

    What is a data breach under the GDPR?

    A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It covers all types of security incidents involving personal data, whether caused by hacking, human error or technical failure.

    When must you notify the Data Protection Agency of a data breach?

    You must notify the Data Protection Agency within 72 hours, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms. The deadline runs from the moment you become aware of the breach.

    Must data subjects always be informed of a data breach?

    No, only when the breach is likely to result in a high risk to data subjects' rights. If data is encrypted and the key is not compromised, you typically need not inform the affected individuals.
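    As an added example, not part of the original page or of any .legal product, the following Python sketch models the internal breach log described under "Handling and prevention" together with the notification rules from this section and the FAQ: every incident is recorded whether or not it must be reported, the 72-hour deadline runs from the moment of awareness, the Data Protection Agency is notified unless the breach is unlikely to result in a risk, and data subjects are informed only for high-risk breaches where the data was not encrypted with an uncompromised key. The breach records, timestamps and risk levels are constructed sample data; the risk classification is a human assessment and is given as input rather than computed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # disclosure of, or access to, data
    INTEGRITY = "integrity"              # alteration of data
    AVAILABILITY = "availability"        # loss of access to data


class Risk(Enum):
    UNLIKELY = "unlikely"  # unlikely to result in a risk: log internally only
    RISK = "risk"          # risk to data subjects: notify the authority
    HIGH = "high"          # high risk: notify the authority and inform subjects


# Article 33: 72 hours from the moment the controller becomes aware.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    """One entry in the internal data breach log (all breaches are logged)."""
    reference: str
    description: str
    became_aware_at: datetime
    types: Set[BreachType]
    risk: Risk
    affected_subjects: int
    data_encrypted: bool = False
    key_compromised: bool = False
    notified_authority_at: Optional[datetime] = None

    def notification_deadline(self) -> datetime:
        return self.became_aware_at + NOTIFICATION_WINDOW

    def must_notify_authority(self) -> bool:
        # Only breaches unlikely to result in a risk are exempt from Article 33.
        return self.risk is not Risk.UNLIKELY

    def must_inform_subjects(self) -> bool:
        # Article 34 applies to high-risk breaches; encrypted data whose key
        # was not compromised typically removes the duty to inform individuals.
        if self.risk is not Risk.HIGH:
            return False
        return not (self.data_encrypted and not self.key_compromised)

    def hours_remaining(self, now: datetime) -> float:
        return (self.notification_deadline() - now) / timedelta(hours=1)

    def is_overdue(self, now: datetime) -> bool:
        return (self.must_notify_authority()
                and self.notified_authority_at is None
                and now > self.notification_deadline())


def overdue_notifications(register: List[BreachRecord], now: datetime) -> List[str]:
    """References of breaches that should have been notified by now but were not."""
    return [r.reference for r in register if r.is_overdue(now)]


def subjects_to_inform(register: List[BreachRecord]) -> List[str]:
    """References of breaches where data subjects must be informed directly."""
    return [r.reference for r in register if r.must_inform_subjects()]


# Constructed sample data (hypothetical incidents and timestamps).
AWARE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_REGISTER = [
    BreachRecord("BR-001", "Ransomware encrypted the customer database; copying suspected",
                 AWARE, {BreachType.AVAILABILITY, BreachType.CONFIDENTIALITY},
                 Risk.HIGH, affected_subjects=12000),
    BreachRecord("BR-002", "Encrypted HR attachment emailed to the wrong recipient",
                 AWARE + timedelta(hours=5), {BreachType.CONFIDENTIALITY},
                 Risk.HIGH, affected_subjects=3, data_encrypted=True,
                 key_compromised=False,
                 notified_authority_at=AWARE + timedelta(hours=30)),
    BreachRecord("BR-003", "Lost laptop with full-disk encryption; key not exposed",
                 AWARE + timedelta(hours=10), {BreachType.CONFIDENTIALITY},
                 Risk.UNLIKELY, affected_subjects=40, data_encrypted=True),
]

if __name__ == "__main__":
    now = AWARE + timedelta(hours=80)
    for r in SAMPLE_REGISTER:
        print(r.reference, "notify authority:", r.must_notify_authority(),
              "inform subjects:", r.must_inform_subjects(),
              "hours left:", round(r.hours_remaining(now), 1))
    print("overdue:", overdue_notifications(SAMPLE_REGISTER, now))
```

    Running the script lists, for each logged incident, whether the authority must be notified, whether data subjects must be informed, and how many hours remain before the 72-hour deadline, and then flags any breach whose deadline has passed without a notification being recorded. Keeping non-reportable incidents such as BR-003 in the same register is deliberate: the page notes that the Data Protection Agency may ask to see the internal log during inspections.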

    What happens if you fail to report a data breach?

    Failure to report can lead to fines of up to EUR 10 million or 2% of global annual turnover. It can also damage trust among customers and partners and lead to orders from the Data Protection Agency.
