Personal data breach
What is a personal data breach?
A personal data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This ranges from large-scale cyberattacks to a misdirected email. Typical personal data breach examples include:
- Lost USB sticks or stolen laptops.
- System intrusions and cyberattacks.
- Emails containing personal data sent to the wrong recipient.
- Unauthorised access to personal data.
The impact ranges from minor mistakes with limited consequences to serious security failures that may lead to identity theft, financial loss or reputational harm. Importantly, an incident does not need to be intentional to qualify as a personal data breach: unintentional acts that compromise personal data also count, and organisations must plan for them alongside deliberate attacks.
Personal data breach definition (GDPR): under the GDPR, “a security incident that leads to accidental or unlawful destruction, loss or alteration, or to unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed” constitutes a personal data breach. In practice, this covers accidental events in which personal data is compromised, whether through technical or organisational failures or simple human error, and the same definition applies across the EU.
Checklist: responding to the types of personal data breach
When a personal data breach is discovered, act immediately to minimise harm and contain spread. Use this practical checklist without delay:
- Isolate the incident: cut access to affected systems or data to prevent further exposure.
- Assess scope: identify which personal data have been affected and to what extent.
- Document immediately: record what happened, including time, type of incident and categories of data subjects impacted.
- Inform internally: alert relevant functions, for example the Data Protection Officer, IT and senior management.
- Take remedial action: implement urgent measures such as password resets, system patches or other technical controls.
- Risk-assess: make an initial assessment to decide whether to notify the Data Protection Agency and, where required, the data subjects.
- Consult advisers: if in doubt, engage GDPR specialists for correct handling and reporting.
Swift, structured handling reduces harm and mitigates legal and financial exposure for the data subjects and the organisation.
Notification of a personal data breach (GDPR)
Act quickly and methodically. First identify and isolate the incident to prevent further harm—for example by disabling affected systems or blocking unauthorised access.
Next, evaluate scope and risk: which personal data are affected, how many individuals, and what risks arise for the data subjects? This assessment determines the next steps and triggers your notification duties under the GDPR.
Where the breach is likely to result in a risk to the rights and freedoms of data subjects, the Data Protection Agency must be notified within 72 hours of discovery. In certain cases, affected individuals must also be informed.
In parallel with notification, implement measures to minimise harm and prevent recurrence—this may include security upgrades, revised procedures and additional staff training. Morling Consulting provides GDPR incident support to help you assess risk, prepare notifications and design corrective actions.
How should a personal data breach be documented?
All personal data breaches—whether notifiable or not—must be documented internally. The record should describe the nature of the incident, the consequences and the remedial measures taken. Learning from the event is essential to strengthen preparedness. Documentation is a core part of incident response and the Data Protection Agency may request access during supervision.
For many organisations, managing a breach is challenging. A GDPR lawyer from Morling Consulting can advise on GDPR, support end-to-end handling—from initial assessment to remediation—and advise on potential legal implications, including exposure to personal data breach compensation risk.
How are personal data breaches prevented?
The most effective way to prevent a personal data breach is to maintain robust security controls, regularly update and review data processing procedures, and train staff on information security and privacy. These measures reduce both the likelihood and the impact of the most common types of personal data breach.
Organisations should also maintain a clear personal data breach routine so they are prepared if an incident occurs. The routine should define roles and responsibilities, communication pathways and step-by-step actions. It should refer to an internal incident log template and to the Data Protection Agency’s forms, noting that notifications are submitted via the authority’s e-service where applicable. Regular exercises help ensure everyone knows what to do. If you lack a breach routine, develop one—even for smaller organisations.
Having a Data Protection Officer, or a designated privacy lead, is valuable. This role monitors compliance, serves as the contact point for the Data Protection Agency and coordinates incident response.
Most organisations will encounter a breach at some point. By strengthening your ability to identify a personal data breach, maintaining clear handling routines and working preventively, you can reduce risk and protect both the organisation and the individuals whose data you process.
With specialist GDPR expertise, Morling Consulting is well positioned to support organisations across Europe from prevention to response. Get in touch to discuss how we can help—whether you need rapid GDPR incident support or a structured improvement programme.
FAQs: personal data breach examples and obligations
A personal data breach is a security event that adversely affects personal data: accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Human error still counts as a breach under the GDPR definition.
Common types include:
- Emails sent to the wrong recipient containing personal data.
- Loss or theft of laptops, USB drives or other storage media.
- IT system intrusions or phishing attacks.
- Incorrect access settings exposing data to unauthorised parties.
These recurring examples are seen across industries, and each requires prompt containment and documentation.
Notify the Data Protection Agency unless it is unlikely the breach risks the rights and freedoms of data subjects. Submit the notification within 72 hours of discovery. In some cases, affected individuals must also be informed. Morling Consulting provides GDPR incident support for scoping, notification and follow-up.
- Implement technical safeguards such as firewalls, encryption and strong authentication.
- Ensure regular staff training in data protection and information security.
- Establish internal routines for detecting, reporting and managing incidents.
- Review and update data protection measures regularly.
- Appoint a Data Protection Officer or a responsible privacy lead.
Yes. Record the nature of the incident, its actual or potential consequences, and the measures taken to remedy and prevent recurrence. The Data Protection Agency may request these records.
The controller—the legal or natural person that determines the purposes and means of processing—bears ultimate responsibility for assessing, documenting and, where required, notifying the Data Protection Agency. Processors (for example external IT providers) must inform the controller of incidents without undue delay.
- Data Protection Officer (where appointed): advisory role and contact point for the Data Protection Agency.
- IT lead: identifies, isolates and analyses the incident.
- Management or legal: decision-making and any notifications to the Data Protection Agency.
- Communications lead: manages internal and external communications, including information to data subjects.
Clear roles and routines increase the likelihood of acting swiftly and correctly. With only 72 hours from discovery, ensure all relevant roles are engaged from the outset. Where needed, seek GDPR incident support promptly.
We provide legal assessment of severity and risk, help with documentation (including risk assessments and action plans), support with notifications to the Data Protection Agency, advice on communications to data subjects, and training and reviews to prevent recurrence. We can also assess exposure related to personal data breach compensation and guide you through any personal data breach claim considerations.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85