Data Protection Breach: What It Is and How to Respond
Learn what a data protection breach is, your legal obligations when one occurs, and how to prevent and respond to data breach incidents.
A data protection breach is one of the most consequential events a business can face. When personal data is exposed, lost, or accessed without authorization, the organization responsible must act quickly to meet legal obligations, limit harm, and preserve trust.
This guide explains what a data protection breach is, the legal framework that governs breach notification, how to build an effective response plan, and the preventive measures that reduce your exposure. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your circumstances.
What Is a Data Protection Breach?
A data protection breach, as defined in Article 4(12) of the GDPR, is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." The definition is broad and captures far more than hacking incidents.
Three categories of breach are recognized by the European Data Protection Board (EDPB) in its Guidelines 01/2021 on examples regarding data breach notification:
- Confidentiality breach: Unauthorized or accidental disclosure of, or access to, personal data. Example: an employee emails a spreadsheet of customer records to the wrong recipient.
- Integrity breach: Unauthorized or accidental alteration of personal data. Example: a database error corrupts medical records, making them unreliable.
- Availability breach: Accidental or unauthorized loss of access to, or destruction of, personal data. Example: ransomware encrypts a server containing client information and no backup exists.
A single incident can fall into more than one category. A ransomware attack, for instance, typically involves both a confidentiality breach (the attacker accessed the data) and an availability breach (the data is now encrypted and inaccessible).
Understanding what constitutes a breach of data protection is the first step toward compliance, because the classification determines your notification obligations.
Legal Framework for Data Breach Protection
Multiple laws around the world impose breach notification obligations. The specific requirements depend on where your users are located and which regulations apply to your processing activities.
GDPR (European Union and EEA)
The GDPR establishes the most widely known breach notification regime:
- Article 33: Controllers must notify their supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- Article 34: If the breach is likely to result in a high risk to individuals, the controller must also notify those individuals without undue delay.
- Article 83(4): Failure to comply with notification obligations carries fines of up to 10 million EUR or 2% of global annual turnover.
Controllers are "aware" of a breach once they have a reasonable degree of certainty that a security incident has occurred that compromises personal data. The 72-hour clock starts at that point, not when the breach actually occurred.
UK GDPR and Data Protection Act 2018
The UK retains equivalent requirements following Brexit. The Information Commissioner's Office (ICO) enforces breach notification under the UK GDPR, with a maximum fine of 17.5 million GBP or 4% of global annual turnover for serious violations.
U.S. State Breach Notification Laws
The United States has no single federal data breach notification law. Instead, all 50 states, the District of Columbia, and U.S. territories have enacted their own statutes. Key variations include:
- California (Cal. Civ. Code 1798.82): Notification required to affected residents "in the most expedient time possible and without unreasonable delay."
- New York (SHIELD Act): Requires notification to the state Attorney General, the Department of State, and the Division of State Police, as well as affected residents.
- Texas (HB 4): As of September 2023, notification must occur within 60 days of breach discovery.
These state laws apply based on where the affected individuals reside, not where your business is located.
Australia Privacy Act 1988
Under the Notifiable Data Breaches (NDB) scheme established by Part IIIC of the Privacy Act 1988, organizations covered by the Australian Privacy Principles must notify the OAIC and affected individuals of eligible data breaches likely to result in serious harm.
The 72-Hour GDPR Notification Obligation
The 72-hour window under Article 33 is one of the most demanding requirements in data breach protection, and it is the area where organizations most frequently fall short.
What the notification must contain
Article 33(3) specifies that the notification to the supervisory authority must include:
- The nature of the personal data breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of the Data Protection Officer or other contact point
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
If you cannot provide all information at once, Article 33(4) permits phased notification. You may submit the initial report within 72 hours and supplement it as further details become available.
When the clock starts
The EDPB has clarified that a controller is considered "aware" of a breach at the point when it has a reasonable degree of certainty. A brief initial investigation to confirm whether a breach has occurred does not delay the start of the 72-hour period indefinitely. Once confirmation is reached, the clock begins.
If a processor discovers a breach, Article 33(2) requires them to notify the controller "without undue delay." The controller's 72-hour period then begins when the controller itself becomes aware.
Documenting all breaches
Article 33(5) requires controllers to document all personal data breaches, regardless of whether they trigger a notification obligation. This breach register must include the facts surrounding the breach, its effects, and the remedial action taken. Supervisory authorities use this register during audits.
How to Build a Data Protection Breach Response Plan
A response plan transforms a chaotic incident into a structured process. Organizations that prepare in advance respond faster, reduce regulatory exposure, and limit the damage to affected individuals.
Phase 1: Containment
The immediate priority is stopping the breach from expanding:
- Isolate affected systems (disconnect from network, revoke compromised credentials)
- Preserve evidence (do not wipe or rebuild systems until forensic data is captured)
- Engage your incident response team and, if needed, external forensic specialists
- Notify your Data Protection Officer
Phase 2: Assessment
Determine the scope and severity of the breach:
- What categories of personal data were affected (names, emails, financial data, health data, identification numbers)?
- How many data subjects are likely affected?
- What was the cause (external attack, insider action, system error, lost device)?
- Is the data encrypted, pseudonymized, or in plaintext?
- Has the data been recovered, or is it still exposed?
The answers to these questions determine whether notification to the supervisory authority and to individuals is required.
Phase 3: Notification
If the breach meets the threshold for notification:
- Notify the supervisory authority within 72 hours using the prescribed form (most DPAs provide an online reporting tool)
- If high risk to individuals, notify those individuals directly using clear, plain language
- Include recommended protective actions (change passwords, monitor accounts, freeze credit)
- If you operate across multiple EU member states, notify the lead supervisory authority first
Phase 4: Remediation and review
After the immediate response:
- Implement technical fixes to prevent recurrence
- Update security policies and procedures based on lessons learned
- Conduct a post-incident review and document findings
- Update your breach register under Article 33(5)
- Consider whether your privacy policy needs updating to reflect any changes in security practices
Common Causes of Data Protection Breaches
Understanding how breaches occur helps you allocate resources to the most effective preventive measures. The ICO's annual reports and EDPB enforcement decisions consistently highlight the same categories.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowHuman error
Human error remains the single largest cause of data protection breaches. Common examples include:
- Sending emails or files to the wrong recipient
- Misconfiguring cloud storage (leaving S3 buckets or databases publicly accessible)
- Losing physical devices (laptops, USB drives, paper records)
- Falling for phishing attacks that surrender credentials
Cyberattacks
Deliberate attacks account for a significant portion of reported breaches:
- Ransomware: Encrypts data and demands payment. Even if no data is exfiltrated, the availability breach triggers notification obligations.
- Phishing: Targets employees to harvest credentials that provide access to internal systems.
- SQL injection and application vulnerabilities: Exploits weaknesses in web applications to extract database contents.
- Credential stuffing: Uses leaked username and password combinations from other breaches to access accounts.
Third-party and supply chain incidents
Your data breach protection is only as strong as your weakest processor. Incidents at third-party vendors, hosting providers, or SaaS platforms can compromise the personal data you entrusted to them. Article 28 of the GDPR requires that processing agreements include obligations for processors to notify controllers of breaches without undue delay.
Preventive Measures for Data Breach Protection
Prevention is far less costly than remediation. The measures below address the most common breach vectors and are considered baseline expectations by supervisory authorities.
Technical controls
- Encryption: Encrypt personal data at rest and in transit. Article 32 of the GDPR specifically names encryption as an appropriate technical measure. Encryption also reduces notification obligations under Article 34, since encrypted data exposed in a breach may not pose a high risk.
- Access controls: Implement the principle of least privilege. Users should have access only to the data required for their role.
- Multi-factor authentication: Require MFA for all accounts that access personal data, especially administrator and remote access accounts.
- Patch management: Apply security updates promptly. Known vulnerabilities are among the most exploited attack vectors.
- Backup and recovery: Maintain regular, tested backups stored separately from production systems. This mitigates availability breaches from ransomware.
Organizational controls
- Staff training: Regular data protection training reduces human error. Focus on phishing recognition, secure data handling, and incident reporting procedures.
- Data minimization: Collect and retain only the personal data you actually need for your stated purposes. Less data means a smaller breach impact. Article 5(1)(c) of the GDPR makes this a legal requirement.
- Vendor management: Audit your processors' security practices. Ensure Data Processing Agreements under Article 28 are in place and that processors maintain adequate security.
- Breach response drills: Test your response plan regularly. Tabletop exercises expose gaps in procedures before a real incident occurs.
Website-specific protections
For website operators, specific measures reduce the risk of breaches affecting user data:
- Use a compliance scanner to identify tracking technologies and data collection points on your site
- Implement a cookie consent management platform (CMP) to ensure you are not collecting data without proper consent
- Keep your privacy policy accurate and current, reflecting all data processing activities
- Conduct regular security assessments of web applications, plugins, and third-party scripts
Tools like TermsBox can help by scanning your website for compliance gaps, managing cookie consent, and keeping your legal documents aligned with your actual data practices.
Real Enforcement Examples
Supervisory authorities across Europe have issued significant fines for failures related to data protection breaches. These cases illustrate how regulators assess violations.
British Airways (2020)
The ICO fined British Airways 20 million GBP after attackers compromised the personal and financial data of approximately 429,612 customers and staff. The ICO found that BA had failed to implement adequate security measures, including multi-factor authentication, and had not detected the breach promptly. The fine was reduced from an initial notice of 183 million GBP due to economic impact considerations and BA's cooperation.
Marriott International (2020)
The ICO fined Marriott 18.4 million GBP for a breach that exposed up to 339 million guest records globally. The breach originated in Starwood's systems before Marriott's acquisition but persisted for years because Marriott failed to conduct adequate due diligence and did not implement sufficient monitoring after the merger.
Meta (2022)
The Irish Data Protection Commission fined Meta 265 million EUR after a data scraping incident exposed the personal data of over 533 million Facebook users. The DPC found violations of Articles 25(1) and 25(2) of the GDPR, relating to data protection by design and by default.
Clearview AI (2022)
Multiple European DPAs issued fines against Clearview AI, including 20 million EUR from the Italian Garante and 20 million EUR from the Greek DPA, for scraping facial images from the internet without a legal basis and failing to comply with data subject access requests.
These cases demonstrate that regulators focus not just on whether a breach occurred, but on whether the organization had appropriate preventive measures in place and responded adequately.
Data Protection Breach Obligations by Role
Your obligations during a data protection breach depend on whether you are a data controller or a data processor under the GDPR.
Controller obligations
Controllers bear the primary responsibility:
- Decide whether the breach requires notification to the supervisory authority (Article 33)
- Decide whether the breach requires notification to affected individuals (Article 34)
- Document the breach in the internal breach register (Article 33(5))
- Implement remedial measures
- Cooperate with supervisory authorities during investigations
Processor obligations
Processors have a narrower but critical role:
- Notify the controller without undue delay after becoming aware of a breach (Article 33(2))
- Assist the controller in meeting its notification obligations
- Provide all information necessary for the controller to assess the breach
- Implement measures to address the breach and mitigate its adverse effects
The Data Processing Agreement under Article 28 should specify the exact procedures for breach notification between processor and controller, including communication channels, contact points, and expected response times.
Frequently Asked Questions
What is a data protection breach?
A data protection breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This definition comes from Article 4(12) of the GDPR and covers any event where the confidentiality, integrity, or availability of personal data is compromised, regardless of whether the cause is a cyberattack, human error, or system failure.
How quickly must you report a data protection breach?
Under Article 33 of the GDPR, data controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach poses a high risk to affected individuals, Article 34 requires that they also be notified without undue delay.
What are the penalties for failing to report a data protection breach?
Failure to notify a supervisory authority of a qualifying data protection breach can result in administrative fines of up to 10 million EUR or 2% of global annual turnover under Article 83(4) of the GDPR. In the UK, the ICO can impose fines of up to 17.5 million GBP or 4% of global turnover under the UK GDPR. Additional penalties may apply under national implementations of the EU directive.
Does every data protection breach need to be reported to individuals?
No. Only breaches that are likely to result in a high risk to the rights and freedoms of the affected individuals must be communicated to them under Article 34 of the GDPR. If the controller has applied appropriate protective measures such as encryption that render the data unintelligible, or has taken subsequent measures that ensure the high risk is no longer likely to materialize, individual notification is not required.