A data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed. The current administrative and virtual environment for data processing may at times be vulnerable to both intentional and accidental breaches. As such, the GDPR covers a wide range of measures to protect the privacy and personal data of natural persons in the EEA, whilst maintaining the principles of the TFEU.
The processing of personal data should be lawful and fair. Personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. Mandatory transparency requires that information about the processing of personal data be easy to access and easy to understand. A violation of privacy rules or a data breach must be treated with the utmost care. When a data breach occurs, the controller or processor must keep a record of it. The record must include all facts relating to the breach, its effects and the subsequent remedial actions taken.
Data controllers and processors are responsible for the personal data in their possession. A data breach may come at an unexpected time. For those involved, a breach starts with awareness. This can originate from, for example, an unauthorized disclosure, a network intrusion or the loss of data on electronic devices. Once a breach is discovered, it must be investigated and reported. Reporting is done to the affected data subjects and the domestic supervisory authority.
The GDPR allows supervisory authorities to penalize data controllers for data breaches with fines of up to 20 million Euro or 4% of global turnover, whichever is higher. Even though a monetary penalty is unfortunate and may be frightening, not every breach is punishable with a fine. Data breaches may trigger further abuse and identity fraud, and thus alarm data subjects. Compliance with the GDPR therefore goes beyond the interaction with the supervisory authorities.