How to Respond to a Data Breach Under EU Law

Introduction

This article explains how to react if you experience a personal data breach under the EU General Data Protection Regulation (GDPR). The European Data Protection Board's Guidelines 9/2022 on Personal Data Breach Notification provide further clarification on these legislative requirements.[1] The article sets out a clear, step-by-step GDPR data breach response strategy in line with EU law.

Before diving in, let's briefly define what a "personal data breach" is. According to Article 4(12) of the GDPR, it is[2]: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." In simple terms, a personal data breach occurs when personal information is mishandled or exposed because of a security issue: for example, when data is lost, deleted, altered, shared with the wrong person, or accessed without authorization.

When it comes to defining a data breach under EU law, the GDPR recognizes that not all data breaches are the same. They generally fall into three main categories, each associated with a particular kind of harm.

  • Confidentiality breach: personal information is accessed or shared without permission. Sending private information to the wrong recipient, or an attacker gaining access to a database, are two examples.
  • Integrity breach: personal information is changed without authorization, whether on purpose or accidentally. Examples include software corrupting stored data, or unauthorized changes being made to client records.
  • Availability breach: personal data is lost or rendered inaccessible. Ransomware attacks, server malfunctions, or the loss of an unencrypted backup disk could be the cause of this.

Any industry is at risk of data breaches. In retail, a cyberattack could reveal consumers' payment information; in healthcare, medical records could be sent to the wrong person. Payroll files held without appropriate access controls put SMEs at risk of exposure, and inadequate portal security in education can expose student data. Even the financial industry is susceptible to phishing attacks, which can result in the fraudulent misuse of customer data. These instances demonstrate how important it is for all organizations to have robust GDPR-compliant response and prevention strategies.

How to Respond to a Data Breach Under EU Law step by step

  1. Understand the Legal Requirements: Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, Article 33[3] requires you to notify the appropriate supervisory authority of a breach within 72 hours of becoming aware of it. According to Article 34, if the breach is likely to result in a high risk to individuals, you must also notify the affected individuals without undue delay. Guidelines 9/2022 provide real-world examples to help interpret these duties.[4]
  2. Determine and Address the Breach: Take quick action to prevent the breach from getting worse. This can entail isolating impacted servers, revoking access credentials, or shutting down infected systems.
  3. Assess the Scope and Impact: Examine the events that took place, the personal information that was compromised, the number of people impacted, and the possible repercussions for their rights and freedoms. Your notification decisions will be guided by this evaluation.
  4. Decide on Notification Obligations: Notify the supervisory authority within 72 hours if the breach poses any risk to individuals. If the risk is high, promptly inform the individuals who may be impacted, outlining what happened, any potential repercussions, and the precautions they can take.
  5. Document the Incident: GDPR mandates that all breaches, including those that go unreported, be documented. Maintain thorough records of the breach's nature, the evaluation procedure, the choices made, and the actions performed. This demonstrates accountability and compliance.
  6. Take Corrective Actions: Resolve the breach's root cause and put improvements in place to keep it from happening again. Improved staff training, updated security policies, tighter access restrictions, and wider use of encryption are a few examples of this.
  7. Provide the Required Notification Details:

Organizations are required to give a concise and well-organized description of the incident when reporting a data breach to the supervisory authority. This entails outlining the type of breach, identifying the categories and approximate number of people and records impacted, and providing the contact details of the Data Protection Officer (DPO) or another accountable party. Along with the actions taken or proposed to contain the breach and lessen its effects, the notification should describe the possible repercussions for the individuals affected. The GDPR allows for phased reporting, which enables organizations to submit the initial notification promptly and supply the missing information later if some elements are not immediately available.

By taking these steps in the correct order and in accordance with the GDPR and the EDPB's Guidelines 9/2022, organizations can make sure they fulfill their legal responsibilities, minimize harm to individuals, and lower their risk of financial penalties or reputational damage.[5]


[1] European Data Protection Board, Guidelines 9/2022 on Personal Data Breach Notification under GDPR (adopted 14 December 2022, version 2.0, 28 March 2023) https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf accessed 18 August 2025.

[2] European Data Protection Board, Guidelines 9/2022 on Personal Data Breach Notification under GDPR (adopted 14 December 2022, version 2.0, 28 March 2023) https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf accessed 18 August 2025.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, art 33.

[4] ibid, art 34.

[5] European Data Protection Board, Guidelines 9/2022 on Personal Data Breach Notification under GDPR (adopted 14 December 2022, version 2.0, 28 March 2023) https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf accessed 18 August 2025.