What is a confidentiality breach in the context of GDPR?

Nature

A confidentiality breach within GDPR context is a specific type of personal data breach where personal data is accessed or disclosed without authorization, or is disclosed to an unintended party, compromising the confidentiality of the data. It is one dimension of a broader GDPR breach that also includes breaches of integrity (alteration of data) and availability (loss or inaccessibility of data).

Key points to understand

  • Definition: GDPR defines a personal data breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. A confidentiality breach is the aspect where data is accessed or disclosed without proper authorization.
  • Examples of confidentiality breaches:
    • Sending a file or email containing personal data to the wrong recipient.
    • A misconfigured system that exposes personal data to unauthorized users.
    • Unencrypted data transmitted over an insecure channel that is intercepted.
    • Sharing a document that includes personal data with individuals who are not entitled to access it.
  • Obligations for organizations:
    • Assess risk to individuals’ rights and freedoms when a breach occurs.
    • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, especially if the breach is likely to result in a risk to individuals’ rights and freedoms. If risk is not high, notification may be less urgent but still appropriate. In some jurisdictions, notification to data subjects may also be required depending on the risk assessment.
    • Document breach details and the measures taken or planned to mitigate the breach, even if the breach is not subject to notification.
  • Contextual nuances:
    • The breach does not need to involve data leaving the EU or external compromise to qualify as a GDPR personal data breach; internal misreviews or misconfigurations can still trigger confidentiality breaches under GDPR.
    • GDPR recognizes confidentiality, integrity, and availability as three overlapping dimensions of data protection; a breach can involve more than one dimension (e.g., data being disclosed (confidentiality) and subsequently altered (integrity)).

If you’d like, I can tailor this to your jurisdiction, provide a quick checklist for identifying a confidentiality breach in your organization, or outline steps for a breach notification plan aligned with GDPR timelines.