TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Data Protection Breach: What It Is and How to Respond
Legal Compliance

Data Protection Breach: What It Is and How to Respond

Learn what a data protection breach is, your legal obligations when one occurs, and how to prevent and respond to data breach incidents.

TermsBox Team|April 3, 202613 min read

A data protection breach is one of the most consequential events a business can face. When personal data is exposed, lost, or accessed without authorization, the organization responsible must act quickly to meet legal obligations, limit harm, and preserve trust.

This guide explains what a data protection breach is, the legal framework that governs breach notification, how to build an effective response plan, and the preventive measures that reduce your exposure. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your circumstances.

What Is a Data Protection Breach?

A data protection breach, as defined in Article 4(12) of the GDPR, is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." The definition is broad and captures far more than hacking incidents.

Three categories of breach are recognized by the European Data Protection Board (EDPB) in its Guidelines 01/2021 on examples regarding data breach notification:

  • Confidentiality breach: Unauthorized or accidental disclosure of, or access to, personal data. Example: an employee emails a spreadsheet of customer records to the wrong recipient.
  • Integrity breach: Unauthorized or accidental alteration of personal data. Example: a database error corrupts medical records, making them unreliable.
  • Availability breach: Accidental or unauthorized loss of access to, or destruction of, personal data. Example: ransomware encrypts a server containing client information and no backup exists.

A single incident can fall into more than one category. A ransomware attack, for instance, typically involves both a confidentiality breach (the attacker accessed the data) and an availability breach (the data is now encrypted and inaccessible).

Understanding what constitutes a breach of data protection is the first step toward compliance, because the classification determines your notification obligations.

Legal Framework for Data Breach Protection

Multiple laws around the world impose breach notification obligations. The specific requirements depend on where your users are located and which regulations apply to your processing activities.

GDPR (European Union and EEA)

The GDPR establishes the most widely known breach notification regime:

  • Article 33: Controllers must notify their supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
  • Article 34: If the breach is likely to result in a high risk to individuals, the controller must also notify those individuals without undue delay.
  • Article 83(4): Failure to comply with notification obligations carries fines of up to 10 million EUR or 2% of global annual turnover.

Controllers are "aware" of a breach once they have a reasonable degree of certainty that a security incident has occurred that compromises personal data. The 72-hour clock starts at that point, not when the breach actually occurred.

UK GDPR and Data Protection Act 2018

The UK retains equivalent requirements following Brexit. The Information Commissioner's Office (ICO) enforces breach notification under the UK GDPR, with a maximum fine of 17.5 million GBP or 4% of global annual turnover for serious violations.

U.S. State Breach Notification Laws

The United States has no single federal data breach notification law. Instead, all 50 states, the District of Columbia, and U.S. territories have enacted their own statutes. Key variations include:

  • California (Cal. Civ. Code 1798.82): Notification required to affected residents "in the most expedient time possible and without unreasonable delay."
  • New York (SHIELD Act): Requires notification to the state Attorney General, the Department of State, and the Division of State Police, as well as affected residents.
  • Texas (HB 4): As of September 2023, notification must occur within 60 days of breach discovery.

These state laws apply based on where the affected individuals reside, not where your business is located.

Australia Privacy Act 1988

Under the Notifiable Data Breaches (NDB) scheme established by Part IIIC of the Privacy Act 1988, organizations covered by the Australian Privacy Principles must notify the OAIC and affected individuals of eligible data breaches likely to result in serious harm.

The 72-Hour GDPR Notification Obligation

The 72-hour window under Article 33 is one of the most demanding requirements in data breach protection, and it is the area where organizations most frequently fall short.

What the notification must contain

Article 33(3) specifies that the notification to the supervisory authority must include:

  1. The nature of the personal data breach, including the categories and approximate number of data subjects and records affected
  2. The name and contact details of the Data Protection Officer or other contact point
  3. The likely consequences of the breach
  4. The measures taken or proposed to address the breach and mitigate its effects

If you cannot provide all information at once, Article 33(4) permits phased notification. You may submit the initial report within 72 hours and supplement it as further details become available.

When the clock starts

The EDPB has clarified that a controller is considered "aware" of a breach at the point when it has a reasonable degree of certainty. A brief initial investigation to confirm whether a breach has occurred does not delay the start of the 72-hour period indefinitely. Once confirmation is reached, the clock begins.

If a processor discovers a breach, Article 33(2) requires them to notify the controller "without undue delay." The controller's 72-hour period then begins when the controller itself becomes aware.

Documenting all breaches

Article 33(5) requires controllers to document all personal data breaches, regardless of whether they trigger a notification obligation. This breach register must include the facts surrounding the breach, its effects, and the remedial action taken. Supervisory authorities use this register during audits.

How to Build a Data Protection Breach Response Plan

A response plan transforms a chaotic incident into a structured process. Organizations that prepare in advance respond faster, reduce regulatory exposure, and limit the damage to affected individuals.

Phase 1: Containment

The immediate priority is stopping the breach from expanding:

  • Isolate affected systems (disconnect from network, revoke compromised credentials)
  • Preserve evidence (do not wipe or rebuild systems until forensic data is captured)
  • Engage your incident response team and, if needed, external forensic specialists
  • Notify your Data Protection Officer

Phase 2: Assessment

Determine the scope and severity of the breach:

  • What categories of personal data were affected (names, emails, financial data, health data, identification numbers)?
  • How many data subjects are likely affected?
  • What was the cause (external attack, insider action, system error, lost device)?
  • Is the data encrypted, pseudonymized, or in plaintext?
  • Has the data been recovered, or is it still exposed?

The answers to these questions determine whether notification to the supervisory authority and to individuals is required.

Phase 3: Notification

If the breach meets the threshold for notification:

  • Notify the supervisory authority within 72 hours using the prescribed form (most DPAs provide an online reporting tool)
  • If high risk to individuals, notify those individuals directly using clear, plain language
  • Include recommended protective actions (change passwords, monitor accounts, freeze credit)
  • If you operate across multiple EU member states, notify the lead supervisory authority first

Phase 4: Remediation and review

After the immediate response:

  • Implement technical fixes to prevent recurrence
  • Update security policies and procedures based on lessons learned
  • Conduct a post-incident review and document findings
  • Update your breach register under Article 33(5)
  • Consider whether your privacy policy needs updating to reflect any changes in security practices

Common Causes of Data Protection Breaches

Understanding how breaches occur helps you allocate resources to the most effective preventive measures. The ICO's annual reports and EDPB enforcement decisions consistently highlight the same categories.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Human error

Human error remains the single largest cause of data protection breaches. Common examples include:

  • Sending emails or files to the wrong recipient
  • Misconfiguring cloud storage (leaving S3 buckets or databases publicly accessible)
  • Losing physical devices (laptops, USB drives, paper records)
  • Falling for phishing attacks that surrender credentials

Cyberattacks

Deliberate attacks account for a significant portion of reported breaches:

  • Ransomware: Encrypts data and demands payment. Even if no data is exfiltrated, the availability breach triggers notification obligations.
  • Phishing: Targets employees to harvest credentials that provide access to internal systems.
  • SQL injection and application vulnerabilities: Exploits weaknesses in web applications to extract database contents.
  • Credential stuffing: Uses leaked username and password combinations from other breaches to access accounts.

Third-party and supply chain incidents

Your data breach protection is only as strong as your weakest processor. Incidents at third-party vendors, hosting providers, or SaaS platforms can compromise the personal data you entrusted to them. Article 28 of the GDPR requires that processing agreements include obligations for processors to notify controllers of breaches without undue delay.

Preventive Measures for Data Breach Protection

Prevention is far less costly than remediation. The measures below address the most common breach vectors and are considered baseline expectations by supervisory authorities.

Technical controls

  • Encryption: Encrypt personal data at rest and in transit. Article 32 of the GDPR specifically names encryption as an appropriate technical measure. Encryption also reduces notification obligations under Article 34, since encrypted data exposed in a breach may not pose a high risk.
  • Access controls: Implement the principle of least privilege. Users should have access only to the data required for their role.
  • Multi-factor authentication: Require MFA for all accounts that access personal data, especially administrator and remote access accounts.
  • Patch management: Apply security updates promptly. Known vulnerabilities are among the most exploited attack vectors.
  • Backup and recovery: Maintain regular, tested backups stored separately from production systems. This mitigates availability breaches from ransomware.

Organizational controls

  • Staff training: Regular data protection training reduces human error. Focus on phishing recognition, secure data handling, and incident reporting procedures.
  • Data minimization: Collect and retain only the personal data you actually need for your stated purposes. Less data means a smaller breach impact. Article 5(1)(c) of the GDPR makes this a legal requirement.
  • Vendor management: Audit your processors' security practices. Ensure Data Processing Agreements under Article 28 are in place and that processors maintain adequate security.
  • Breach response drills: Test your response plan regularly. Tabletop exercises expose gaps in procedures before a real incident occurs.

Website-specific protections

For website operators, specific measures reduce the risk of breaches affecting user data:

  • Use a compliance scanner to identify tracking technologies and data collection points on your site
  • Implement a cookie consent management platform (CMP) to ensure you are not collecting data without proper consent
  • Keep your privacy policy accurate and current, reflecting all data processing activities
  • Conduct regular security assessments of web applications, plugins, and third-party scripts

Tools like TermsBox can help by scanning your website for compliance gaps, managing cookie consent, and keeping your legal documents aligned with your actual data practices.

Real Enforcement Examples

Supervisory authorities across Europe have issued significant fines for failures related to data protection breaches. These cases illustrate how regulators assess violations.

British Airways (2020)

The ICO fined British Airways 20 million GBP after attackers compromised the personal and financial data of approximately 429,612 customers and staff. The ICO found that BA had failed to implement adequate security measures, including multi-factor authentication, and had not detected the breach promptly. The fine was reduced from an initial notice of 183 million GBP due to economic impact considerations and BA's cooperation.

Marriott International (2020)

The ICO fined Marriott 18.4 million GBP for a breach that exposed up to 339 million guest records globally. The breach originated in Starwood's systems before Marriott's acquisition but persisted for years because Marriott failed to conduct adequate due diligence and did not implement sufficient monitoring after the merger.

Meta (2022)

The Irish Data Protection Commission fined Meta 265 million EUR after a data scraping incident exposed the personal data of over 533 million Facebook users. The DPC found violations of Articles 25(1) and 25(2) of the GDPR, relating to data protection by design and by default.

Clearview AI (2022)

Multiple European DPAs issued fines against Clearview AI, including 20 million EUR from the Italian Garante and 20 million EUR from the Greek DPA, for scraping facial images from the internet without a legal basis and failing to comply with data subject access requests.

These cases demonstrate that regulators focus not just on whether a breach occurred, but on whether the organization had appropriate preventive measures in place and responded adequately.

Data Protection Breach Obligations by Role

Your obligations during a data protection breach depend on whether you are a data controller or a data processor under the GDPR.

Controller obligations

Controllers bear the primary responsibility:

  • Decide whether the breach requires notification to the supervisory authority (Article 33)
  • Decide whether the breach requires notification to affected individuals (Article 34)
  • Document the breach in the internal breach register (Article 33(5))
  • Implement remedial measures
  • Cooperate with supervisory authorities during investigations

Processor obligations

Processors have a narrower but critical role:

  • Notify the controller without undue delay after becoming aware of a breach (Article 33(2))
  • Assist the controller in meeting its notification obligations
  • Provide all information necessary for the controller to assess the breach
  • Implement measures to address the breach and mitigate its adverse effects

The Data Processing Agreement under Article 28 should specify the exact procedures for breach notification between processor and controller, including communication channels, contact points, and expected response times.

Frequently Asked Questions

What is a data protection breach?

A data protection breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This definition comes from Article 4(12) of the GDPR and covers any event where the confidentiality, integrity, or availability of personal data is compromised, regardless of whether the cause is a cyberattack, human error, or system failure.

How quickly must you report a data protection breach?

Under Article 33 of the GDPR, data controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach poses a high risk to affected individuals, Article 34 requires that they also be notified without undue delay.

What are the penalties for failing to report a data protection breach?

Failure to notify a supervisory authority of a qualifying data protection breach can result in administrative fines of up to 10 million EUR or 2% of global annual turnover under Article 83(4) of the GDPR. In the UK, the ICO can impose fines of up to 17.5 million GBP or 4% of global turnover under the UK GDPR. Additional penalties may apply under national implementations of the EU directive.

Does every data protection breach need to be reported to individuals?

No. Only breaches that are likely to result in a high risk to the rights and freedoms of the affected individuals must be communicated to them under Article 34 of the GDPR. If the controller has applied appropriate protective measures such as encryption that render the data unintelligible, or has taken subsequent measures that ensure the high risk is no longer likely to materialize, individual notification is not required.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is a Data Protection Breach?
  • Legal Framework for Data Breach Protection
  • GDPR (European Union and EEA)
  • UK GDPR and Data Protection Act 2018
  • U.S. State Breach Notification Laws
  • Australia Privacy Act 1988
  • The 72-Hour GDPR Notification Obligation
  • What the notification must contain
  • When the clock starts
  • Documenting all breaches
  • How to Build a Data Protection Breach Response Plan
  • Phase 1: Containment
  • Phase 2: Assessment
  • Phase 3: Notification
  • Phase 4: Remediation and review
  • Common Causes of Data Protection Breaches
  • Human error
  • Cyberattacks
  • Third-party and supply chain incidents
  • Preventive Measures for Data Breach Protection
  • Technical controls
  • Organizational controls
  • Website-specific protections
  • Real Enforcement Examples
  • British Airways (2020)
  • Marriott International (2020)
  • Meta (2022)
  • Clearview AI (2022)
  • Data Protection Breach Obligations by Role
  • Controller obligations
  • Processor obligations
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.