The European Data Protection Board (“EDPB”) considers that breaches can be categorised according to the following
three well-known information security principles:
- “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data.
- “Integrity breach” – where there is an unauthorised or accidental alteration of personal data.
- “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
The EDPB further notes that “a breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals. One of the most important obligations of the data controller is to evaluate these risks to the rights and freedoms of data subjects and to implement appropriate technical and organisational measures to address them.”