A security incident becomes a GDPR breach when it destruction, loss, alteration, unauthorised disclosure of, or access to personal data of personal data.

Why this matters

Not all security incidents are GDPR breaches, but IT teams must know when escalation is required.

Typical escalation decision points

• Was personal data involved?
• Was it accessed, altered, leaked, or has it become unavailable?
• Is there a risk of harm to individuals?
  
  

The role of IT

• Identify and contain affected systems and data
• Provide accurate timelines
• Support risk assessment
  
  

Evidence of good practice

• Clear incident categorisation
• Prompt escalation to the DPO