NOVO-K Article


What is a GDPR Breach? Paul Bates, PrimeConduct

By Paul Bates, PrimeConduct

A breach is not just about someone hacking your computer systems. In fact if you have your Cyber Essentials in place then this is the least likely type of breach.

The GDPR and UK Data Protection Act 2018 (DPA) define what constitutes a Breach and when you would need to report it.

Types of Breach?

The most common type of breach is simply not being compliant with the legislation. Privacy Policies referring to the outdated 1998 Act and charging for Subject Access Requests are classic indicators that the organisation does not have all the parts of the puzzle.

Significant changes were implemented with the UK DPA 2018, not just changes to Privacy Policy requirements.

A breach is defined in the GDPR Article 4(12) :- “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”

A breach is an incident that breaches Security, Confidentiality, Legislation or Regulation.


Here are some examples of a Breach:

  • Security Confidentiality – accidental or intentional leaking of data, usernames and passwords to unauthorized persons either internal or external to the company.
  • Data Integrity – accidental or intentional disruption or inaccuracies with data held.
  • Availability – accidental or intentional disruption to system availability or access to data.
  • Policy – accidental or intentional breach of company policies, procedures and standards.
  • Legislation / Regulation – accidental or intentional breach of legislation and / or regulation.
  • Operational – day to day access to systems and data required to fulfil role. Physical security controls such as door locks, key safes and key cards.

The Human element is the biggest risk factor for organisations, which is why training is essential. The cost to the organisation in terms of fines and reputational damage are significant. The organisation is always accountable regardless of who made the mistake.

As a Data Controller you are also liable for the transgressions of your suppliers.  Contractual arrangements, processes and due diligence review of your suppliers (Processors) is critical in mitigating the risks to your organisation.


PrimeConduct belong to the IAPP. Their goal is to achieve compliance with the latest Data Privacy and GDPR regulation so that rather than just being a threat, compliance is an opportunity to streamline processes and enhance the information our clients have currently stored.

This guest blog was written by Paul Bates, who has a great deal of experience in Data Privacy and Compliance. He co-founded PrimeConduct in 2017, utilising his expert skills in the field of security, data management and programme implementation.

If you want to know more about Breach processes see their Newsletter here.