In Plain English
A data breach happens when information ends up somewhere it should not be. This could be a hacker stealing customer records, an employee emailing data to the wrong person, or a lost laptop containing sensitive files.
Not every security incident is a data breach. A breach specifically involves personal data being compromised - accessed by someone unauthorised, sent somewhere it should not go, or lost entirely.
Types of Breach
- Confidentiality breach - Unauthorised access or disclosure
- Integrity breach - Unauthorised alteration of data
- Availability breach - Loss of access to data (including ransomware)
72-Hour Rule
Under GDPR, you must notify the ICO within 72 hours of becoming aware of a breach likely to result in risk to individuals. High-risk breaches also require notifying affected individuals directly. The clock starts when you know, not when you finish investigating.
When to Report
Report to the ICO if the breach is likely to result in a risk to people's rights and freedoms. Consider the sensitivity of the data, the volume affected, and the potential harm. Not every breach needs reporting - a lost encrypted laptop may not, but stolen unencrypted customer data certainly does.
Preventing Breaches
- Encrypt sensitive data - At rest and in transit
- Control access - Limit who can see what
- Train staff - Most breaches involve human error
- Monitor systems - Detect unusual activity early
- Have a plan - Know what to do when a breach occurs