Introduction
This guide will assist in-house counsel, private practice lawyers and risk and compliance teams with the steps their organisation should take to reduce the risk of a data breach involving personal data.
The steps include:
- Overview – legal framework
- What is a personal data breach?
- What obligations do organisations have?
- What are the risks for affected data subjects?
- What are the risks for organisations?
- What are the key areas to consider regarding prevention?
- What are the key areas to consider in relation to planning?
Virtually all organisations will face a data breach at some point. How prepared you are will make all the difference to the scale of the impact on your business and on the individuals whose data is affected.
See also How-to guide: How to deal with a GDPR data breach for guidance on the next stages of responding to a data breach.
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’, ‘personal data breach’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.
This guide can be used in conjunction with How-to guides: How to ensure compliance with the GDPR and How to deal with a GDPR data breach and Checklist: GDPR compliance self-assessment audit.
Section 1 – Overview: legal framework
The guide covers the requirements under:
- the EU GDPR; and
- European Data Protection Board (EDPB) Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification (the Article 29 Working Party has been replaced by the EDPB).
This guide does not address UK-specific data protection law requirements. However, it should be noted that the UK retained the EU GDPR in domestic law after Brexit (commonly referred to as the ‘UK GDPR’) with the changes necessary to accommodate domestic areas of UK law. Therefore, insofar as the UK supervisory authority (the Information Commissioner’s Office (ICO)) has published guidelines specific to the EU GDPR (prior to Brexit) and the UK GDPR (after Brexit), or a UK body has issued guidance and standards on the security of data, such guidelines and standards can assist in providing a helpful overview of the subject matter of this guide.
Section 2 – What is a personal data breach?
Article 4(12), EU GDPR defines a ‘personal data breach’ as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Put simply, a personal data breach must involve a security breach that leads to personal data being compromised.
Data breaches not involving personal data fall outside the EU GDPR regime.
Personal data breaches cover more than just deliberate hacking and malicious attacks on organisations’ systems. They can also be accidental, and the causes can be internal, external or the result of systems failures.
The data security guidance of Ireland’s supervisory authority, the Data Protection Commission (DPC), describes personal data breaches as security incidents affecting:
- the confidentiality of personal data, for example, the data has been accessed by or disclosed to an unauthorised person;
- the integrity of personal data, for example, the data has been altered or corrupted either deliberately or by mistake; or
- the availability of personal data, for example, access to data has been affected, such as through a ransomware attack or if the only copy of the data is lost or erased.
Section 3 – What obligations do organisations have?
Different obligations apply depending on whether an organisation is:
- a controller (which alone or jointly with others, determines the purposes and means of the processing of personal data); or
- a processor (which processes personal data on behalf of the controller).
Both controllers and processors must implement security measures to protect personal data (article 32, EU GDPR).
Controllers are responsible for:
- complying with the ‘integrity and confidentiality’ principle (article 5(1), EU GDPR);
- reporting data breaches to relevant supervisory authorities – this must be done without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (article 33(1), EU GDPR);
- communicating with affected individuals about data breaches (article 34, EU GDPR); and
- keeping records of personal data breaches (article 33(5), EU GDPR).
Processors are responsible for:
- notifying the controller of data breaches without undue delay after becoming aware of the breach (article 33(2), EU GDPR); and
- assisting the controller with reporting the data breach to the relevant regulators, communicating with affected individuals and taking appropriate security measures (article 28(3)(f), EU GDPR).
Not all personal data breaches must be reported to regulators or notified to data subjects. See How-to guide: How to deal with a data breach for further guidance.
Depending on the industry sector in which your organisation operates, it may have additional breach notification obligations.
Section 4 – What are the key risks for affected data subjects?
In serious cases, the risks to the individuals whose data has been compromised could include identity fraud, embarrassment, discrimination, or even physical or emotional harm. The nature and severity of these risks will have a bearing on the organisation’s breach response and on any enforcement action.
Section 5 – What are the key risks for organisations?
For the organisation, the key risks include:
- regulatory risks, such as:
  - administrative fines (see Table 1 below) and other enforcement actions; and
  - time and resources spent responding to investigations;
- legal risks, such as:
  - compensation claims or class actions from affected individuals;
  - contractual risks;
  - breaches of confidentiality; and
  - theft of intellectual property;
- reputational risks, including:
  - loss of goodwill; and
  - damage to brand and to customer and shareholder confidence;
- financial risks, such as:
  - loss of revenue or business;
  - costs of remediating systems and processes – for example, helplines and free credit checks for affected individuals to detect fraud;
  - drop in share price;
  - costs of specialist legal, forensic and public relations services;
  - ransomware demands; and
  - payment of insurance excesses and increased premiums;
- business disruption, including:
  - loss of access to data while it is being restored or databases rebuilt; and
  - diverting staff from other projects to respond to the breach.
The maximum fines for infringements of the EU GDPR are summarised below:
Table 1
| Infringement | Maximum fine | Controller / Processor liability |
| --- | --- | --- |
| Failure to implement appropriate technical and organisational security measures | The higher of €10 million or 2% of global annual turnover in the preceding financial year | Controller and processor |
| Failure to notify regulators of personal data breaches | The higher of €10 million or 2% of global annual turnover in the preceding financial year | Controller |
| Failure to comply with the ‘integrity and confidentiality’ principle (requirement to process personal data in a secure manner) | The higher of €20 million or 4% of global annual turnover in the preceding financial year | Controller |
| Processors failing to meet notification and assistance obligations to the controller | The higher of €10 million or 2% of global annual turnover in the preceding financial year | Processor |
Section 6 – What are the key areas to consider regarding prevention?
To reduce the risk of data breaches, you should focus your compliance efforts on the following key areas:
- security;
- privacy-centric policies, processes and procedures;
- regular testing;
- due diligence;
- staff training and awareness; and
- data breach response planning.
Each is explained in more detail below.
6.1 What security measures are you expected to take?
Strong security measures are essential to ensuring that personal data stays protected.
Article 5(1)(f), EU GDPR contains the ‘integrity and confidentiality’ principle, which requires that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
This provision applies only to controllers.
Further, article 32, EU GDPR provides that: taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
This applies to both controllers and processors and means that organisations need to apply a risk-based assessment to the security measures they use to protect personal data.
The EU GDPR is not prescriptive about the precise security measures you need to have in place, but article 32 says that such measures shall include, as appropriate:
- pseudonymisation (ie, removing or replacing directly identifiable information in a data set) and encryption (ie, using a key to encode data so that only key holders can read it);
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to quickly restore availability and access to personal data in the event of a physical or technical incident – this means having effective back-up capabilities; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
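The pseudonymisation measure listed above is easier to reason about with a concrete mechanism. The following is an added example (not code from the original guide) showing one common implementation: direct identifiers are replaced with a keyed HMAC-SHA256 token, and the key and the re-identification table are kept apart from the pseudonymised data set. The sample records, field names and key are constructed for illustration; the example covers pseudonymisation only, not encryption.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records standing in for a customer table (not real people).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "gold", "country": "IE"},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "basic", "country": "DE"},
    {"email": "Alice@Example.com", "name": "Alice Example", "plan": "gold", "country": "IE"},
]

# Fields that directly identify a person; they must not appear in the pseudonymised copy.
DIRECT_IDENTIFIERS = ("email", "name")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym from a direct identifier with HMAC-SHA256.

    A keyed hash, rather than a plain hash, means someone holding only the
    pseudonymised data set cannot recover identifiers by hashing guesses
    (eg, a list of known e-mail addresses); the key is the additional
    information that has to be stored separately under its own access controls.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).digest()
    return digest[:16].hex()  # 128 bits is ample to avoid collisions in practice


def pseudonymise(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (pseudonymised_records, reidentification_table).

    The pseudonymised records keep the analytic fields and a 'subject_id' token,
    so the same person stays linkable across records. The table maps token ->
    original identifiers and is what lets the controller re-identify a data
    subject (eg, to answer an access request). It must be held apart from the
    pseudonymised data set, ideally on a different system.
    """
    pseudonymised: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        token = make_pseudonym(rec["email"], key)
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        out = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        out["subject_id"] = token
        pseudonymised.append(out)
    return pseudonymised, lookup


def contains_direct_identifiers(records: List[Dict[str, str]]) -> bool:
    """Sanity check before releasing a data set: no direct identifier field survived."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


def reidentify(record: Dict[str, str], lookup: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Rejoin a pseudonymised record with its identifiers using the separately held table."""
    identifiers = lookup[record["subject_id"]]
    return {**identifiers, **{k: v for k, v in record.items() if k != "subject_id"}}


if __name__ == "__main__":
    # In production the key would be generated once and kept in a secrets store.
    key = secrets.token_bytes(32)
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in data:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(data))
    print("re-identified first row:", reidentify(data[0], table))
```

The test of the design is what an attacker who obtains only the pseudonymised file gets: linkable tokens and analytic fields, but no way back to a person without also obtaining the key or the re-identification table. Keeping those two artefacts under separate access controls is what makes the measure meaningful, and a guessable or shared key undoes it.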
‘Technical measures’ encompass both physical and IT security. Physical controls must be implemented to secure premises and devices, and to handle IT disposals and business continuity. Your cybersecurity programme should address the main areas of:
- device security;
- system security;
- data security; and
- online security.
For example, ensure you have strong firewalls, malware and anti-virus protections; robust systems access controls; up-to-date software and operating systems on all devices; and that updates and patches are promptly installed.
The European Union Agency for Cybersecurity (ENISA) (the EU’s agency dedicated to achieving a high common level of cybersecurity across Europe) has released technical guidelines for the implementation of minimum security measures for digital service providers. In addition, notwithstanding that the UK is no longer part of the EU, frameworks like the UK National Cyber Security Centre’s ‘Cyber Essentials’, which outlines basic technical controls, continue to be influential in identifying and implementing appropriate minimum security controls. However, more complex organisations or organisations with higher data risk will need to do more than just apply minimum measures.
Certification to industry standards such as the ISO 27000 series (in particular ISO 27001 and ISO 27002) is an effective and methodical way of checking your organisation’s security against recognised security and privacy standards. These standards do not align exactly with the EU GDPR, so you must ensure that any compliance gaps are filled. To help with this, the open-source Microsoft Data Protection Mapping Project maps the ISO standards against the GDPR and other global data protection laws (eg, those of Australia, California, Canada, Brazil, Hong Kong, Singapore, South Korea and Turkey), and also incorporates China’s data protection laws.
Some of the highest data protection fines have involved data breaches that could have been prevented if the organisation had implemented some relatively basic security protections.
Example
Prior to its departure from the EU, the UK’s ICO fined British Airways £20 million in response to a cyberattack where the company was found to have inadequate security measures.
Also prior to its departure from the EU, the UK’s ICO fined Marriott Hotels £18.4 million for security failings related to a cyberattack on the systems of a hotel group that it acquired.
‘Organisational measures’ are focused on your organisation’s data protection governance measures, such as information security policies, procedures and risk assessments.
6.2 What policies, processes and procedures do you need to have in place?
If there has been a personal data breach, a key item that the data protection regulators will ask to see is details of the organisation’s policies, processes and procedures.
These items are important for meeting the ‘accountability’ principle under article 5(2), EU GDPR, which makes controllers responsible for, and requires them to be able to demonstrate, compliance with the data protection principles in article 5(1). Controllers also must implement appropriate data protection policies ‘where proportionate to the data processing activities’ (article 24, EU GDPR). (See also How-to guide: How to ensure compliance with the GDPR.)
A list of the key policies and procedures that impact security (and may have specific requirements under the EU GDPR) include:
- information security policy (article 32, EU GDPR);
- data handling or data protection policy (article 24, EU GDPR);
- bring your own device (BYOD) policy;
- remote-working policy;
- data breach response plan (articles 33 and 34, EU GDPR);
- data breach log or register (article 33, EU GDPR);
- data retention policy and schedule (articles 5, 13, 17 and 30, EU GDPR); and
- data protection impact assessments (DPIAs) for high-risk processing activities (article 35, EU GDPR).
The EU GDPR also requires the principles of ‘data protection by design’ and ‘data protection by default’ to be used when designing systems and processes (article 25, EU GDPR). This includes building in security from the start and ensuring that your systems allow for rapid detection and containment of breaches.
6.3 How do you test the effectiveness of your systems and processes?
Your obligations do not stop once a new security measure has been applied or a new policy put in place. You also need to regularly monitor and test that these actually work.
Test the security of your IT systems regularly and in response to specific threats. For example:
- stage simulated data breaches;
- test staff on their ability to detect a phishing scam; and
- perform regular penetration testing (at least annually), enlisting the expertise of third-party specialists if appropriate.
Apart from being good information security practice, if your company provides a service or solution that touches personal data, your testing programme is likely to come up in client due diligence. In addition, if you sign up to an industry standard, penetration testing may be required as part of maintaining your certification in any event.
Further, review relevant key policies and procedures after an incident to build in anything you have learned that will help you deal with a similar situation better in future, and schedule general reviews of policies and procedures at least annually.
6.4 What role does due diligence have?
Controllers must carry out due diligence on any processors that they engage to process personal data, with a particular focus on security.
Article 28(1), EU GDPR provides that where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
Contractual obligations alone are not enough; pre-contract due diligence and monitoring of processor performance are also necessary. The Accountability Framework released by the UK’s supervisory authority (the ICO) recommends the following ways of addressing due diligence in your supply chain:
- building due diligence checks into the procurement process proportionate to the risk of the processing before contracting with a processor; and
- ensuring the due diligence process includes:
  - data security checks, such as site visits, system testing and audits; and
  - checks to confirm a potential processor will protect data subjects’ rights.
In addition, processors have their own independent obligations to implement appropriate technical and organisational security measures under article 32, EU GDPR.
Due diligence is also important when acquiring information-related assets such as IT systems and databases in a corporate transaction. Wherever possible, technical IT due diligence should be performed to try to identify any security vulnerabilities. The buyer inherits the responsibility and liability for data protection compliance along with the personal data or processing equipment it acquires. The ICO’s Marriott fine (see above) is a relevant example.
For further information, see Checklist: Processor due diligence (data protection and cybersecurity).
6.5 How important is staff training and awareness?
If there has been a personal data breach, the data protection regulators will usually ask to see details of the organisation’s staff training on data protection. You should therefore carry out regular data protection training with all staff, as well as more tailored training for staff with more involvement in handling personal data, as relevant to their roles.
Retain records of all staff training in support of your ‘accountability’ obligations.
Section 7 – What are the key areas to consider in relation to planning?
7.1 Developing your data breach response plan
Develop a data breach response plan for your organisation suitable for its processes and organisational structure. Items to cover include:
- your data breach response team;
- how and where key information about the breach will be recorded; and
- your process for dealing with the breach through the key phases of:
  - identification;
  - preliminary assessment;
  - containment and recovery;
  - detailed assessment;
  - notifying the relevant supervisory authorities;
  - notifying affected individuals;
  - response, including security measures already in place and others subsequently implemented in response to the breach; and
  - debrief or action plan, including further measures to prevent a recurrence, identifying any staff training needs and whether further DPIAs are needed.
7.2 Managing your data breach response plan
Implement good document management practices in relation to the data breach response plan, including ensuring that:
- an overall document owner is assigned to the plan;
- there is an audit trail of all updates to the plan;
- key data breach response team members can quickly and easily access the plan; and
- access controls are added to the plan restricting access to members of the data breach response team, and only authorised team members have rights to edit and share the document.
7.3 Testing your data breach response plan
Schedule regular testing of your data breach response plan. Simulated breach scenarios are useful to pick up any potential issues before you are faced with a live security incident. Afterwards, update the plan (and, if relevant, any aspects of your data protection compliance) to incorporate anything you have learned during testing.
7.4 Reviewing your data breach response plan
Diarise periodic reviews of the plan to keep it current, particularly to account for:
- changes in threats to the security of personal data;
- changes in internal processes and procedures;
- changes in systems and technology;
- organisational changes;
- changes to the data breach response team; and
- any other relevant changes.
7.5 Invoking your data breach response plan
If there is a data breach, you need to be ready to invoke your data breach response plan.
See How-to guide: How to deal with a data breach for further guidance about the next stages.
Additional resources
EDPS Personal Data Breach Guidelines
ENISA (EU Agency for Cybersecurity)
Digital Operational Resilience Act (DORA)
EU Cybersecurity Act
Related Lexology Pro content
How-to guides:
Understanding key data protection definitions
How to comply with data processing principles under the GDPR
How to ensure compliance with the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the European Economic Area
How to deal with a GDPR data breach
How to deal with a supervisory authority dawn raid
Checklists:
GDPR compliance self-assessment audit
Assessing whether an organisation is a controller or processor under the GDPR
Lawful processing of personal data under the GDPR
Obtaining and managing consent under the GDPR
Processor due diligence (data protection and cybersecurity)
Making an international transfer of personal data under the GDPR
Data subject access rights under the GDPR
What to include in your organisation’s privacy notice
When and how to appoint a data protection officer
Complying with cookie requirements under the ePrivacy Directive and the GDPR