What is a GDPR breach?

Organisations collect personal data to provide services, improve user experiences and meet legal or business requirements. According to law, they should do their absolute best to keep that data safe. When customer data is lost, accessed without authorisation or shared by mistake, the consequences can be serious – including legal action, reputational harm and regulatory fines. It can also do irreparable harm to customer trust.

A data breach arises when personal or sensitive information is accessed, disclosed, altered or destroyed without authorisation.

Personal data may take many forms: names coupled with contact details, identification numbers and financial information, health records, or online identifiers such as IP addresses and cookies. When this information is compromised, individuals’ privacy is violated and organisations face financial penalties, reputational harm and operational disruption.

Data breaches can be broadly categorised by their cause:

  • Malicious attacks include hacking incidents, ransomware infections, malware exploits and phishing campaigns designed to trick people into revealing credentials.
  • Accidental disclosures happen when data is sent to the wrong recipient by email or post, when paper files are misplaced or when database permissions are misconfigured.
  • Insider threats – deliberate or negligent misuse of access rights by employees or contractors. They might intentionally leak data or accidentally expose it through careless handling.

Data breaches also differ according to the sensitivity of the data exposed. The exposure of highly sensitive personal data, such as medical histories or financial account details, can lead to identity theft and financial fraud. It can also cause psychological distress for the data subjects (the person to whom the data belongs). The severity of the breach’s impact on affected individuals determines whether the organisation needs to make a regulatory notification. It also dictates how high fines may be.

In the UK, organisations must consider both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 when considering how they handle breaches. Under these regulations, any breach likely to risk individuals’ rights and freedoms must be reported promptly to the Information Commissioner’s Office (ICO).

In certain circumstances, the organisation should report the breach to the people affected.

Organisations must always document incidents thoroughly, demonstrating accountability and a commitment to continuous improvement – even when a breach is contained quickly and affects few people.

What is GDPR?

The General Data Protection Regulation took effect on 25 May 2018, replacing the Data Protection Directive 95/46/EC.

As an EU regulation, it applies directly across all member states. Even after Brexit, it continues to influence UK data protection law through the Data Protection Act 2018 and the UK GDPR framework.

Its twin objectives are to strengthen individuals’ rights over their personal data and create a unified regulatory environment for organisations operating within the European Economic Area (EEA).

At its heart, GDPR embodies the following key principles:

  • Lawfulness, fairness and transparency – organisations must process personal data in a lawful way, be transparent about their activities and ensure data subjects understand how and why their data is used.
  • Purpose limitation – data should be collected for specific, explicit and legitimate purposes and not processed in a way that’s incompatible with those purposes.
  • Data minimisation – organisations should only collect and retain the minimum amount of data required to achieve objectives.
  • Accuracy – systems and processes must ensure that personal data is kept up to date and that inaccurate data is corrected or erased.
  • Storage limitation – personal data should be held for no longer than necessary, and retention policies should be defined and enforced.
  • Integrity and confidentiality (security) – organisations must implement appropriate technical and organisational measures, such as encryption, access controls and regular security testing. The aim is to safeguard data against unauthorised or unlawful processing, accidental loss or damage.
  • Accountability – data controllers are responsible for demonstrating compliance with GDPR through documentation, data protection impact assessments (DPIAs) and evidence of staff training.

GDPR has significantly enhanced individuals’ rights when it comes to their data:

  • The right of access (Article 15)
  • The right to erasure or “right to be forgotten” (Article 17)
  • The right to data portability (Article 20)

For organisations, GDPR’s most visible feature has been its penalty regime: authorities can impose fines of up to €20 million or 4% of global annual turnover – whichever is higher – for infringements such as failing to obtain valid consent, neglecting data-security requirements or failing to report breaches quickly.

GDPR also encourages a risk-based approach to security and privacy. For example, organisations must conduct a DPIA before embarking on high-risk processing activities – such as large-scale profiling or processing of special category data.

Appointing a data protection officer (DPO) is mandatory for public authorities and organisations that must regularly and systematically monitor data subjects on a large scale or process special categories of data.


Examples of GDPR breaches

The following enforcement actions illustrate the diverse ways in which organisations have fallen foul of GDPR’s robust security and reporting requirements. Each case underscores lessons in technological resilience, supply-chain management and why rapid, transparent communication is so important.

British Airways: compromised customer data via malicious script

If you’re wondering how a large-scale breach unfolds and how organisations can mitigate damage, looking at the 2018 British Airways data breach can be a useful step. This case highlights the dangers of supply-chain vulnerabilities and inadequate monitoring of third-party code.

Attack vector and timeline

On 21 June 2018, attackers gained access to British Airways’ systems via compromised credentials belonging to a staff member at a third-party service provider, which lacked multi-factor authentication.

The attackers injected a modified version of a third-party JavaScript library (commonly used for website analytics or chat services) into British Airways’ online check-in and booking pages. The script transmitted customers’ personal and payment information – including full card numbers, expiry dates and CVV codes – to a remote server outside BA’s network.

Over the following two weeks, attackers intercepted an estimated 429,612 payment card transactions.

Detection and response

BA’s security teams recognised unusual traffic flows on 5 September, when spikes in outbound connections prompted a forensic review.

BA only identified the breach after two months when alerted by a third party. Why? There was insufficient real-time monitoring and a lack of integration between web application firewalls and security information and event management (SIEM) systems.

Once identified, BA swiftly disabled the compromised script, notified law enforcement and engaged cyber-security experts to secure its supply chain.

Regulatory engagement and penalty

British Airways notified the ICO of the breach on 6 September, within the 72-hour deadline. The ICO proposed a considerable £183 million fine in July 2019, citing BA’s negligence in preventing the attack and mitigating the effects. It also commented that BA may never have identified the breach itself had the third party not alerted them.

After BA’s representations, including a demonstration of extensive improvements to security and acknowledgement of pandemic pressures on the aviation sector, the final penalty was reduced to £20 million in October 2020.

Lessons learned

Organisations can take the following learnings away from BA’s data breach:

  • Supply-chain vigilance – organisations must maintain strict change-control and integrity checks on all third-party components. Code-signing and automated integrity verification can detect unauthorised modifications.
  • Integrated monitoring – real-time detection tools should be configured to alert organisations to anomalous outbound data flows, especially from payment-processing pages.
  • Comprehensive remediation – business-wide reviews (including revalidation of vendor-management processes) are essential to prevent breaches from happening again.
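The integrity check and the inventory of unpinned third-party scripts described in the first two lessons, as an added example (not BA's code, nor any vendor's): it pins a script body with a Subresource Integrity hash, rejects a copy altered after deployment, and lists external scripts on a page that carry no integrity attribute. The script bodies, URLs and page fragment are constructed sample data.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample inputs (not real airline or vendor code): the approved copy of a
# third-party script as pinned at deployment time, and a copy altered afterwards.
APPROVED_SCRIPT = b"(function(){window.analytics={track:function(e){}};})();\n"
TAMPERED_SCRIPT = APPROVED_SCRIPT + b"/* unreviewed change appended after deployment */\n"

# Constructed page fragment: one script pinned with an integrity attribute, one not.
SAMPLE_HTML = """
<script src="https://cdn.example.invalid/chat.js"
        integrity="sha384-PLACEHOLDERpinnedHashFromDeploymentTime" crossorigin="anonymous"></script>
<script src="https://cdn.example.invalid/analytics.js"></script>
<script>window.__inline = true;</script>
"""


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_script(content: bytes, pinned: str) -> bool:
    """True only if the fetched script body still matches the hash pinned at deployment."""
    algo = pinned.split("-", 1)[0]
    try:
        return hmac.compare_digest(sri_hash(content, algo), pinned)
    except ValueError:  # unknown hash algorithm in the pin: treat as failed verification
        return False


def scripts_missing_integrity(html: str) -> list[str]:
    """List external script URLs with no integrity attribute: nothing on the page
    would stop a silently modified copy of these from loading."""
    missing = []
    for tag in re.finditer(r"<script\b([^>]*)>", html, re.IGNORECASE):
        attrs = tag.group(1)
        src = re.search(r"""\bsrc\s*=\s*["']([^"']+)["']""", attrs, re.IGNORECASE)
        if src and not re.search(r"\bintegrity\s*=", attrs, re.IGNORECASE):
            missing.append(src.group(1))
    return missing


def audit(fetched: dict[str, bytes], pinned: dict[str, str]) -> list[str]:
    """Report every pinned script that is missing or no longer matches its pinned hash."""
    return [url for url, pin in pinned.items()
            if url not in fetched or not verify_script(fetched[url], pin)]


if __name__ == "__main__":
    pin = sri_hash(APPROVED_SCRIPT)
    print("pinned:", pin)
    print("approved copy verifies:", verify_script(APPROVED_SCRIPT, pin))
    print("tampered copy verifies:", verify_script(TAMPERED_SCRIPT, pin))
    print("scripts with no integrity attribute:", scripts_missing_integrity(SAMPLE_HTML))
```

Run `audit` against freshly fetched copies on a schedule so that a change to a pinned script raises an alert instead of being served to customers.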

Other noteworthy cases

Marriott International: four-year intrusion in reservation database

Between 2014 and 2018, hackers exploited a flaw in Starwood Hotels’ guest reservation system. Marriott had acquired Starwood in 2016, and the attackers remained undetected until September 2018, continuing to access guest data. The attackers harvested data on over 300 million guests worldwide, including names, birthdates, passport numbers and encrypted payment card details.

Marriott reported the breach in November 2018, but regulators found that both Starwood and Marriott had failed to implement sufficient security measures or to detect the intrusion for years. The ICO levied an £18.4 million fine – down from a proposed £99 million – citing Marriott’s cooperation and extensive remediation as mitigating factors.

This demonstrates why harmonising security controls and testing post-merger integration are critical for organisations undergoing complex mergers or acquisitions.

H&M: excessive employee surveillance

In October 2020, the Hamburg Data Protection Authority fined retail giant H&M €35.3 million after discovering that its service centre in Nuremberg had collected intimate details about employees’ private lives. The data ranged from family medical conditions to religious affiliations and was made accessible to 50 managers.

Investigations revealed that H&M had no legal basis for such intrusive data processing and failed to limit access to those who indisputably needed it.

H&M agreed to compensate all current employees at the service centre, as well as anyone employed there for at least one month since May 2018, when the GDPR came into effect. The regulator described H&M’s decision to “follow the suggestion to pay the employees a considerable compensation” as an unprecedented demonstration of corporate responsibility in the aftermath of a data protection breach.

WhatsApp Ireland: transparency failures

In September 2021, the Irish Data Protection Commission announced a €225 million fine against WhatsApp Ireland for non-transparent communication regarding data sharing between WhatsApp and other Facebook Group companies.

Although WhatsApp’s privacy notices mentioned the sharing of user data, the Commission found that these disclosures lacked clarity and didn’t distinguish between the data collected from WhatsApp users and other Facebook platforms. GDPR demands that privacy information is concise, transparent and easily accessible, free of legal jargon. Companies must, therefore, invest in user-friendly, precise privacy communications.

Steps to take when a breach occurs

Organisations with a robust incident response plan can contain damage and satisfy GDPR’s accountability requirements. They can also keep customers and stakeholders feeling confident in the business.

Although every incident is unique, the following steps provide a structured approach.

1. Containment and initial assessment

Halting data exfiltration and securing any affected systems should be the first priority. This may involve isolating compromised servers, revoking access credentials, disabling malicious processes or applying emergency patches. Simultaneously, an initial assessment should determine:

  • The nature of the breach (unauthorised access, accidental loss, etc.)
  • The categories of data affected and how much of it
  • Number of data subjects potentially impacted
  • How long the exposure lasted

Document all findings in an incident management system. Detailed logs of network traffic, system events and user activities are essential for forensic analysis.

2. Formal investigation

Once immediate threats are contained, conduct a thorough forensic investigation – ideally using independent cyber-security specialists.

The objectives of this formal investigation should include:

  • Tracing the attack vector
  • Mapping lateral movement within the network
  • Identifying root causes

The investigation should also evaluate whether encryption or tokenisation measures limited data exposure, as encrypted data may be exempt from notification obligations provided that keys were not compromised.

3. Notifying the supervisory authority

Under GDPR Article 33, organisations must notify the lead supervisory authority (the ICO in the UK) within 72 hours of becoming aware of a notifiable breach.

The notification must include:

  1. A description of the nature of the breach – including categories of personal data and the approximate number of data subjects affected
  2. Likely consequences – potential risks to individuals
  3. Measures taken or proposed – actions to address and mitigate the breach

If the organisation cannot provide all details within 72 hours, it must supply information in phases, explaining why certain data is pending.

4. Alerting the people affected

When a breach poses a high risk to individuals – for example, where sensitive data is involved or financial harm might occur – organisations must inform data subjects without delay (Article 34). Communications should be clear and concise, using non-technical language. They must describe:

  • The nature of the breach
  • Likely consequences for the individual
  • Steps taken to contain and mitigate the breach
  • Recommended actions for the individual (such as changing passwords)
  • Contact details for further inquiries

Where direct communication would be disproportionate or impossible (for example, where contact details are missing), the organisation can issue a public notice in clear and plain language.

5. Remediation and recovery

Long-term remediation may include:

  • Revoking and reissuing credentials
  • Patching vulnerable software and firmware
  • Enhancing encryption and multi-factor authentication
  • Reviewing and strengthening vendor-management procedures
  • Updating network segmentation and access control policies

Training and awareness programmes should be refreshed to address any procedural weaknesses that the breach revealed.

6. Documentation and post-incident review

GDPR’s accountability principle requires organisations to comprehensively document the breach, its impacts and the organisation’s response – even if they did not need to notify the ICO. A formal post-incident review should evaluate:

  • Effectiveness of detection and response
  • Clarity of communication channels
  • Adequacy of technical controls
  • Updates needed to processes, policies and training

Findings must inform future incident response exercises and facilitate continuous improvement.


How to report a data breach

Transparent, accurate reporting is vital to regulatory compliance. The following best practices ensure that notifications satisfy GDPR requirements.

Reporting to the ICO

In the UK, all notifiable breaches must be reported to the ICO via its online portal or dedicated secure email. Key elements of an ICO notification include:

  • Time of breach discovery and, if known, the time of the breach itself
  • Description of the organisation (including, where applicable, its data protection officer/lead)
  • Nature and scale of the breach, detailing the categories of data intercepted and the number of individuals affected
  • Likely consequences, i.e., how the breach could harm data subjects
  • Mitigation measures implemented or planned

Although GDPR permits phased reporting, organisations should strive to submit as complete a record as possible within the 72-hour window. Failure to meet this deadline and supply the required information can itself warrant enforcement action and fines.

Notifying data subjects

When the impacts of a breach are severe (for example, special category data has been exposed or customers are at risk of identity theft), organisations must notify affected individuals “without undue delay”.

Organisations can wait to tell affected customers until after the ICO notification, but delaying for too long will likely heighten reputational damage.

Effective notification letters or emails should:

  1. Be concise and written in plain English.
  2. Explain the nature of the breach and data involved.
  3. Outline possible risks (e.g., financial fraud or identity theft).
  4. Provide concrete recommendations (e.g., password resets, credit monitoring, fraud alerts with banks).
  5. Offer support channels, such as a dedicated helpline or email address.

For large-scale incidents, a combination of direct messages and public announcements (such as website banners and press releases) may be the best option.

Cross-border and coordinated notifications

Under the GDPR’s one-stop-shop mechanism, multinational organisations typically notify a single lead supervisory authority – the authority of the country where they are primarily established. The lead authority then coordinates with other data-protection authorities to deliver a consistent enforcement response. This process requires clear internal governance and timely cooperation with the lead DPO or data protection board.

Public disclosures and stakeholder engagement

Major breaches attract media attention and may affect customers, investors and partners. Proactive public statements – prepared in consultation with legal and communications teams – can shape the narrative and demonstrate accountability.

Press releases should echo the substance of regulatory notifications, focusing on facts, remediation efforts and commitments to prevent recurrence.

It’s best to be honest and open with customers and stakeholders. Perceived secrecy can erode trust in the long term.


Conclusion

Preventing and dealing with a data breach is one of the most pressing challenges for modern organisations – especially as technology evolves and attackers become more sophisticated with their techniques.

As a society, we place a lot of value on privacy and personal data protection, and this is reflected in the GDPR’s stringent security obligations and reporting requirements. High-profile enforcement actions against companies like British Airways and H&M demonstrate that no organisation – regardless of size or sector – can afford complacency.

By understanding what constitutes a breach, adhering rigorously to GDPR principles and maintaining robust incident response capabilities, organisations can reduce the likelihood and impact of breaches and reinforce trust with customers, shareholders, employees and regulators.

A structured approach in response to a breach that encompasses rapid containment, transparent notification, thorough remediation and continuous learning ensures legal compliance. It also positions organisations to become stronger and more resilient in an era defined by data-driven opportunity and risk.


About the author


Mark Dunn

Mark is a writer and former teacher currently living in South Wales. Since finishing teaching, he consults on policy for various multi-academy trusts, corporate clients and local councils. Outside of work he is a real history buff and loves a pint of craft ale.