Our data breach response lawyers assist clients with various types and severities of data breaches, some of which have occurred on a cross-jurisdictional basis and some of which have been caused by the organisation’s service providers. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. For the data protection rules to apply, the breach must relate to personal data as opposed to purely commercial data, which does not relate to individuals.
The data breach must be caused by a breach of security; not all “non-compliant processing” qualifies (e.g. a company might be breaching the data protection rules by processing data without a privacy notice, but this does not mean it has had a “personal data breach”). This links to the requirement that your organisation has appropriate technical and organisational measures in place to protect personal data. The breach can be caused by an accident (such as sending an e-mail to the wrong recipient) or by a deliberate act which is unlawful (e.g. allowing another organisation to access your CRM system without informing the relevant individuals).