A data breach is a security incident that may result in the unauthorised access, alteration or loss of personal data. Data breaches can affect information processed digitally or in paper format.
Data breaches may happen accidentally, as in the case of an employee or system error, or intentionally, as in the case of a hacker attack. Examples of a data breach might include:
- Sending an email with personal data to the wrong person
- Weak or stolen passwords
- Malware, phishing emails or similar social-engineering attacks
- Loss or theft of computer or USB drives
- An employee who steals a contact list for personal interests
There are several measures you can take to prevent data breaches. Some examples of preventive measures are:
- Update access credentials regularly
- Provide data protection training for employees
- Implement an offboarding process for providers once their engagement is terminated
- Encrypt information sent via email
- Use software with access restrictions to share personal data instead of email
The GDPR requires a data breach to be reported to the competent supervisory authority within a maximum of 72 hours of becoming aware of it. If the data breach poses a high risk to the rights and freedoms of the affected persons, they should also be informed.
The consequences depend on the impact of the data breach, the sensitivity of the data and the number of people affected. Besides financial consequences from fines and compensation for damages, one may also face the time cost of handling the incident as well as reputational damage.