In the General Data Protection Regulation (GDPR), a ‘personal data breach’ is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
You might think of a personal data breach as a situation in which a hacker knowingly and willingly obtains all kinds of secret information about people, or in which someone's identity is stolen. Yet a personal data breach is not just about hacks and phishing. Personal data breaches can also take place on a much smaller scale. Simply sending an email to the wrong person within the organisation can be a personal data breach, as can someone accidentally accessing another person's data without the authorisation to do so. Even where the risk is small, these kinds of security incidents must be reported and registered internally. This is a legal obligation, and it shows that we take personal data protection seriously.