Attacks
Data breach
What is a data breach?
A data breach is an incident in which data reaches people who have no right to it, whether through an attack, a misconfiguration or a simple mistake. Where personal data is involved, the GDPR calls it a personal data breach.
The everyday triggers are mundane. A cloud folder is shared with everyone by accident, an email with customer records goes to the wrong recipient, a laptop without disk encryption disappears, mailbox credentials are stolen, a server sits on the internet without a password, or data flows out at a service provider. In legal terms the loss of data counts as well, for instance when ransomware encrypts the only copies beyond recovery, because the GDPR covers destruction and loss of personal data alongside unauthorised disclosure.
A breach carries concrete duties. Under Article 33 of the GDPR, a personal data breach must be reported to the supervisory authority, in Austria the Datenschutzbehörde, without undue delay and where feasible within 72 hours of becoming aware of it. The report is unnecessary where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where a high risk is likely, Article 34 requires that the individuals affected are informed as well. Independently of all this, Article 33(5) requires every breach to be documented internally.
The 72 hour period starts at the moment the breach becomes known to you. Within that time you have to judge which data is affected, roughly how many people are involved and what consequences they face. These questions are hard to settle under pressure, which is why they belong on paper while things are calm: who establishes whether personal data is involved, who decides on the report, who writes it and who provides legal advice. This reporting chain belongs in your emergency plan.
A breach is recognised through traces that somebody has to be looking at. Login logs show access at odd hours, unknown forwarding rules appear in a mailbox, customers report suspicious messages after contacting your company, or credentials from your domain surface in published collections. Without logging, neither the extent nor the period can be reconstructed afterwards, which complicates the report and makes the risk assessment impossible.
Prevention here means closing the routes by which data can escape. Laptops and storage media are encrypted, permissions are limited to what is needed, cloud shares are reviewed regularly, accounts receive a second factor and logging is switched on. These are the technical and organisational measures required by Article 32 of the GDPR. The IT Check reviews these points and records in the findings where data could leave your business unnoticed.
Reviewing data leakage routes and logging in the IT Check GDPR duties at a glance
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.