Personal data breach: types, examples and GDPR obligations

·

The administration manager's phone rings at eight in the morning. The email provider reports that unauthorised access to the company account has been detected overnight. At that moment, even before anyone in the organisation has made a single decision, the clock under Article 33 of Regulation (EU) 2016/679 (GDPR) has already started ticking. They have 72 hours to notify the Spanish Data Protection Agency (AEPD) if the incident poses a risk to the rights and freedoms of the individuals affected.

This article explains what a personal data breach is, how to classify its severity, what specific obligations the GDPR — and Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) — impose, and what an SME must do in the first few hours to avoid compounding its legal exposure.

What is a personal data breach?

Article 4(12) of the GDPR defines it as «a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed».

The definition is deliberately broad. It does not require an external attack or publication of the data. Three situations are equally breaches:

What all three categories share is that they affect personal data: any information that allows a natural person to be identified. Employee records, customer lists, medical histories, email addresses or telephone numbers are personal data. A server configuration file with no names or identifiers is not.

Types of data breaches: real examples in SMEs

Breaches are not just a problem for large corporations. The AEPD publishes annual statistics showing that more than half of notifications received come from small and medium-sized businesses. These are the most common types in Spain's business fabric:

Incident type Concrete example Breach category Typical risk level
Ransomware / malicious encryption An employee opens a fraudulent attachment; malware encrypts all files on the shared server, including the client database Availability (+ confidentiality if exfiltration occurs) High or very high
Device theft or loss A salesperson loses an unencrypted laptop containing client contracts in PDF format and a contact list Confidentiality Medium–high (depends on disk encryption)
Misdirected email An accountancy firm sends one employee's payslip to another by confusing addresses Confidentiality Low (if recipient destroys it) or medium
Unauthorised access by former employee A dismissed worker retains active credentials and downloads the CRM before leaving Confidentiality High
Web or e-commerce vulnerability An outdated WordPress plugin allows SQL injection; order data with names, addresses and phone numbers is exposed Confidentiality High
Accidental data deletion A clinic accidentally deletes the last year of appointment records with no recent backup Availability Medium (if no identifiable harm to specific individuals)

When is there an obligation to notify the AEPD?

Not every breach requires notification. Article 33 of the GDPR establishes the obligation when the breach «is likely to result in a risk to the rights and freedoms of natural persons». The regulation also provides an exception: if the violation «is unlikely to result in a risk», notification is not mandatory — but it must still be documented internally in the Security Breach Register that every data controller is required to maintain.

In practice, the AEPD and the European Data Protection Board (EDPB) have published guidelines for assessing risk, considering factors such as:

The 72-hour deadline runs from the moment the controller becomes aware of the incident, not from when it occurred. If the investigation is not complete by then, the GDPR permits a phased notification: an initial communication with available data, supplemented later when full information is available. What the regulation does not allow is waiting until everything is clear before notifying.

When must affected individuals be notified?

Article 34 of the GDPR adds a second obligation when a breach «is likely to result in a high risk to the rights and freedoms of natural persons»: communicating it directly to each affected person «without undue delay». This communication must use clear, plain language and include at least:

The controller may avoid individual communication only if adequate technical measures make the data unintelligible (for example, robust encryption with an uncompromised key), if subsequent measures have been taken that are sufficient to neutralise the risk, or if individual notification would involve disproportionate effort — in which case a public communication must be made instead.

Action protocol in the first 72 hours

The difference between an SME that manages a breach well and one that compounds its legal exposure is almost always decided in the first few hours:

  1. Immediate containment: isolate affected systems, revoke compromised credentials, block identified access vectors. Do not indiscriminately power off servers if doing so would destroy forensic evidence.
  2. Preliminary scope assessment: determine which data were affected, how many individuals and since when. This assessment need not be definitive, but it must be sufficient to decide whether to notify.
  3. Activate the internal breach protocol: if the organisation has a DPO, involve them immediately. If not, the data controller assumes coordination.
  4. Document everything from minute one: time of detection, who detected the incident, measures taken, conversations with technical providers. This documentation is the evidence of due diligence before the AEPD.
  5. Decide whether to notify the AEPD: if there is risk to data subjects — which is the case in most incidents unless data are encrypted or the incident is trivial — notify through the AEPD's electronic registry before 72 hours have elapsed from awareness of the incident.
  6. Assess whether communication to affected individuals is required and, if so, draft and send the message with the information required by Article 34 GDPR.

Sanctions framework: what the AEPD can impose

Article 83 of the GDPR sets out the sanctions framework without fixing mandatory amounts: the supervisory authority has discretion to calibrate the sanction according to gravity, intent, number of individuals affected, categories of data involved and measures taken to remedy the harm. The maximum ceiling is 20 million euros or 4% of total worldwide annual turnover of the preceding financial year (whichever is higher). The AEPD has imposed significant penalties on both large companies and SMEs for poor breach management, including late notification or failure to notify when required.

How to prevent data breaches: technical and organisational measures

Article 32 of the GDPR requires data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. There is no closed catalogue: appropriateness depends on the state of the art, the cost of implementation and the nature of the data processed. For a Spanish SME, reasonable minimum measures include:

The role of the DPO in breach management

Articles 37 to 39 of the GDPR regulate the Data Protection Officer (DPO): designation is mandatory for certain organisations (public authorities, entities carrying out large-scale processing of special category data or large-scale systematic monitoring). Where a DPO exists, they are the natural interlocutor with the AEPD in the event of a breach and responsible for coordinating the internal protocol.

For SMEs without a legal obligation to designate a DPO but that process sensitive data — clinics, educational centres, professional firms, companies with extensive CRM databases — engaging an external DPO provides the same coverage at manageable cost, typically including breach management as part of the service.

If your company does not yet have a breach management protocol or a clearly designated data protection lead, now is the time to address your GDPR compliance on data breach management. Summum Consultora supports SMEs in Castilla y León and the Canary Islands with protocol design, Security Breach Register drafting and real-incident response.

Frequently asked questions

What happens if I discover a breach several days after it occurred?

The 72-hour deadline starts from the moment the controller becomes aware of the incident, not from when it happened. If the breach is detected late, the clock starts at detection. In your notification to the AEPD, you must state both the probable date of the incident and the date of discovery; a large discrepancy may attract scrutiny if it appears disproportionate.

Does an internal breach — without external access — also need to be reported?

Yes. If an employee accesses data about other employees or clients without authorisation, that is a confidentiality breach subject to the same obligations as an external intrusion. Whether the access is internal or external does not determine the obligation; the risk to data subjects does.

Is there a register where all breaches — even those not notified — must be recorded?

Yes. Article 33(5) of the GDPR requires data controllers to document all personal data breaches, including those that do not meet the risk threshold requiring notification to the supervisory authority. This Security Breach Register must be available to the AEPD on request.