Data breach
A data breach is a deliberate act in which unauthorised parties obtain access to information or systems.
Explained – what does data breach mean?
A data breach refers to unauthorised access to, or intrusion into, an IT system with the aim of obtaining, altering or stealing information. Unlike a personal data incident, which is a broader concept under the GDPR and may include mistakes or accidents, a data breach is typically a deliberate, external act. It may involve hacking, phishing or malicious code used to take control of an organisation’s systems. Organisations that are affected often need support from a GDPR consultant, and in some cases a data breach lawyer, to assess the consequences where personal data are involved.
When does a data breach become relevant?
A data breach becomes relevant when an organisation is targeted by unauthorised actors seeking access to sensitive information. Unlike personal data incidents, which may also arise through internal mistakes, a data breach stems from external attacks. These events are especially significant if the breach exposes personal data, as this triggers obligations under Articles 33 and 34 of the GDPR, including personal data breach notification. Examples include a hacked database, stolen login credentials or ransomware encrypting critical systems.
Points to consider regarding data breaches
To reduce the risk of data breaches and handle them correctly, organisations should act proactively. The following areas should be in focus.
- Introduce security controls such as intrusion detection and continuous log monitoring.
- Implement strong authentication, for example two-factor authentication, for sensitive systems.
- Train staff to recognise phishing and social engineering attacks, including ongoing social engineering awareness training.
- Conduct penetration tests to identify weaknesses in the IT infrastructure, and consider specialist penetration testing services where appropriate.
- Ensure backups are protected and can be restored when needed.
- Establish rapid incident response procedures and collaboration with external security experts.
These information security measures are essential to strengthen the organisation’s ability to detect intrusions and limit the impact.
Why data breaches matter
Data breaches require particular attention because they are often the result of deliberate attacks capable of causing major harm. In addition to exposing personal data, business-critical information may fall into the wrong hands. This entails not only legal duties under the GDPR, including personal data breach notification where applicable, but also potential disruption to the organisation’s stability.
Working systematically with preventive security measures and readiness for intrusions demonstrates that the organisation takes responsibility for both information security and data protection. This improves the ability to act swiftly if a breach occurs while meeting the legal requirements through clear incident response procedures.
A well-functioning strategy against data breaches builds trust with customers and partners. When an organisation can demonstrate that it protects sensitive information professionally, confidence increases – a decisive factor in a digital and competitive environment that values robust data protection measures.
Frequently asked questions about data breaches
A data breach is an unauthorised attack against a system, often aiming to steal or manipulate information. A personal data incident is broader and may also include accidents or internal mistakes.
If a data breach exposes personal data and there are risks to individuals’ rights and freedoms, it must be reported to the Data Protection Agency within 72 hours. Breaches that do not concern personal data do not require personal data breach notification under the GDPR.
Data breaches occur through various methods. Common techniques include:
- Phishing attacks that trick users into disclosing login credentials
- Malicious code installed via unsafe links or attachments
- Exploitation of vulnerabilities in software
- Theft of passwords or user accounts
Detection often occurs through system monitoring, log alerts or reports from users. Organisations should therefore have intrusion detection tools and incident response procedures in place so they can react swiftly to anomalous behaviour.
Ultimate responsibility lies with the controller, but the entire organisation must contribute. Management is responsible for strategy, the IT function for technical safeguards, and staff for following security routines in day-to-day work. Advice from a data breach lawyer may be warranted in complex matters.
Data breaches can have extensive consequences because they often entail both legal and economic risks. In addition to administrative fines under the GDPR, harm may include:
- Loss of trust from customers and partners
- Direct costs for system restoration
- Operational downtime and loss of production
- Risk of extortion in ransomware attacks
By investing in preventive security work – supported by proportionate information security measures – organisations can significantly reduce these risks.
Read more about our services
GDPR Lawyer
Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.