v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

Data breach

A personal data breach is a security incident that leads to the accidental or unlawful loss, alteration, or unauthorised disclosure of, or access to, personal data.

CASRAI research-methods explainer — Data breach

More than just a leak

A data breach is broader than a malicious hack or data leak. GDPR defines it as any security breach leading to the destruction, loss, alteration, or unauthorised disclosure of or access to personal data. That means accidentally deleting the only copy of a dataset, losing an unencrypted laptop, or sending records to the wrong recipient all qualify. The definition spans three dimensions — confidentiality, integrity and availability — so an incident that makes data inaccessible can be a breach even if nothing is disclosed.

Notification concepts

GDPR introduces breach-notification duties. A controller must notify the supervisory authority of a notifiable breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk, affected individuals must also be informed. Processors must alert the controller without undue delay. These are widely cited concepts; the precise thresholds and exemptions are matters of legal interpretation, not addressed here.

Breaches and research data

Research teams holding personal or sensitive data need to recognise that a wide range of incidents can constitute a breach. Good data management — encryption, access controls, backups and clear handling procedures — reduces both the likelihood and the impact of breaches. Anonymisation and de-identification also help: genuinely anonymised data no longer identifies individuals, so incidents involving it do not engage personal-data breach obligations.

Key facts

At a glance

  • Definition: security breach leading to loss, alteration or unauthorised disclosure of personal data
  • Source: GDPR Article 4(12); notification Articles 33–34
  • Dimensions: confidentiality, integrity, availability
  • Includes: accidental loss and internal errors, not only attacks
  • Authority notice: without undue delay, where feasible within 72 hours
  • High-risk breaches: affected individuals also informed

Common misconceptions

What people often get wrong

Often heard: A data breach only means a deliberate hack or cyberattack.

Actually: A breach includes any security incident causing loss, alteration or unauthorised disclosure of personal data — including accidental deletion, lost devices or misdirected emails, not just attacks.

Often heard: Every data breach must always be reported within 72 hours.

Actually: Notification applies to breaches likely to risk individuals’ rights, without undue delay and where feasible within 72 hours. Breaches unlikely to result in risk may not be notifiable; thresholds are a legal matter.

Often heard: If no data was stolen or disclosed, there is no breach.

Actually: Breaches also cover integrity and availability — for example, data being altered or made permanently inaccessible — so an incident with no disclosure can still be a personal data breach.
