Further Reading: What is a breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

If a breach poses a risk to an individual’s rights and freedoms, the Controller must notify the ICO without undue delay, and at the latest within 72 hours after having become aware of the breach. A data processor must notify every data breach to the data controller without undue delay.

Individuals must be informed of a personal data breach when the breach poses a high risk to the rights and freedoms of individuals, except where effective technical and organisational protection measures were already in place, or are subsequently taken by the Controller, ensuring that the high risk does not materialise.

EDPB Guidelines on Personal data breach notification under Regulation 2016/679 Article 4(12) and Articles 33 and 34 and Recitals (85) to (88) of the GDPR

Article 4(7) and (8), Articles 24, 26, 28 and 29 and Recitals (74), (79) and (81) of the GDPR

Articles 27 and 3(2) and Recitals (22) – (25) and (80) of the GDPR