Chapter 8 of 13
Security, Breach Notification and Sectoral Overlays
Follow the lifecycle of a security incident from detection to notification and remediation, while weaving in how frameworks like NIS/NIS 2 and sector-specific rules intersect with GDPR obligations.
Step 1 – Security of Processing under GDPR: The Big Picture
GDPR Security: Core Duty
GDPR Articles 5(1)(f) and 32 require controllers and processors to ensure the confidentiality, integrity, availability and resilience of personal data processing, using a risk-based approach.
Risk and Accountability
Security measures must match the risk to individuals' rights and freedoms. Security is part of accountability: organisations must be able to demonstrate that they chose and applied appropriate safeguards.
Technical Measures
Examples of technical measures: pseudonymisation and encryption, secure system design, backup and recovery capabilities, and regular security testing and evaluation.
Organisational Measures
Organisational measures include policies, staff training, incident response processes, vendor management, and clear assignment of roles and escalation paths.
Context Matters
The right level of security depends on the nature and scope of processing, risks to individuals, and the state of the art. Security is a continuous cycle: assess, implement, test, improve.
Step 2 – Examples of Appropriate Technical and Organisational Measures
Example: Small Online Retailer
A small retailer processes contact and order data. Suitable measures: HTTPS, role-based access, encryption, patching, staff phishing training, and a simple incident response playbook.
Example: Hospital
A hospital processes highly sensitive health data. It needs MFA for clinicians, strict access controls, network segmentation, strong encryption, regular testing, and robust continuity plans.
Example: Cloud HR Processor
A cloud HR provider acts as a processor. It should run an ISMS, secure data centres, have a clear breach response process, and detailed data processing agreements with clients.
Linking Risk to Measures
As sensitivity, volume and impact increase, security measures must become more robust. For exam answers, always tie your suggested measures to the specific risks to individuals.
Step 3 – What is a Personal Data Breach and How Do You Assess Risk?
Definition of Personal Data Breach
A personal data breach is any security breach that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Three Breach Types
Think confidentiality (unauthorised access or disclosure), integrity (unauthorised alteration), and availability (loss or destruction). Any of these can be a personal data breach.
Risk to Rights and Freedoms
Risk assessment focuses on individuals' rights and freedoms, not just company loss. Consider data sensitivity, volume, identifiability, and likely consequences like identity theft or discrimination.
Risk Levels
In practice, organisations use levels: negligible, low, and high risk. High risk usually means data subjects must be informed, unless a GDPR exception applies.
Step 4 – Thought Exercise: Is This a Personal Data Breach and How Risky Is It?
Work through these scenarios. For each, decide:
- Is there a personal data breach under GDPR?
- What is the likely risk level for individuals (negligible/low/high)?
Write down your answers, then compare with the model reasoning below.
Scenario A
A payroll officer emails a monthly salary spreadsheet (names, bank details, salaries) to the wrong internal team within the same company. The recipients quickly report the mistake and delete the email. Access logs confirm no forwarding.
Pause and answer, then read:
- Personal data breach? Yes: unauthorised internal disclosure.
- Risk? Likely low to medium. Data are sensitive (financial), but contained within the same employer and quickly mitigated.
Scenario B
A hospital's appointment system is hit by ransomware. For 24 hours, clinicians cannot access patient records, but backups are restored, and there is no evidence of exfiltration.
Pause and answer, then read:
- Personal data breach? Yes: availability (and possibly integrity) of health data was lost.
- Risk? Potentially high, especially if delayed care could harm patients. Health data plus service disruption matter.
Scenario C
A lost company laptop contains customer data but is protected with strong full-disk encryption and a strong password. The encryption keys are not stored on the device.
Pause and answer, then read:
- Personal data breach? Formally yes: a device with personal data was lost.
- Risk? Often assessed as negligible or very low because strong encryption effectively protects the data. This can influence notification decisions.
When answering CIPP/E-style questions, always:
- Identify the breach type (confidentiality, integrity, availability).
- Discuss the presence or absence of effective encryption.
- Justify your risk rating with concrete factors.
Step 5 – Breach Notification to Supervisory Authorities
When to Notify the Authority
Notify the supervisory authority if a personal data breach is likely to result in a risk to individuals' rights and freedoms. If the breach is unlikely to result in a risk (negligible risk), you do not have to notify, but you must still document it in the breach register.
72-Hour Rule
Controllers must notify "without undue delay" and, where feasible, within 72 hours of becoming aware. Late notifications must explain the reasons for delay. Processors must alert controllers promptly.
Notification Content
Article 33(3) requires: description of the breach and numbers affected, contact details, likely consequences, and measures taken or proposed to address and mitigate the breach.
Phased Notifications
If all details are not available within 72 hours, controllers may submit information in phases, as long as they act without undue further delay and keep the authority updated.
Step 6 – Quiz: Authority Notification
Test your understanding of breach notification to supervisory authorities.
A controller becomes aware of a breach that is likely to result in a risk to individuals' rights and freedoms. They are still investigating details. What is the best GDPR-compliant action?
- A) Wait until the investigation is complete, then notify with full details, even if it takes more than 72 hours.
- B) Notify the supervisory authority without undue delay and within 72 hours with the information currently available, then provide additional details later.
- C) Ask the processor to notify the supervisory authority directly and take no further action.
- D) Notify only the data subjects within 72 hours; there is no need to notify the authority.
Answer: B) Notify the supervisory authority without undue delay and within 72 hours with the information currently available, then provide additional details later.
Article 33 requires controllers to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. If all information is not yet available, the controller should notify with what it knows and then provide further information in phases. Waiting beyond 72 hours without notifying is non-compliant unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
Step 7 – Communication to Data Subjects and Sectoral/NIS Overlays
Informing Data Subjects
If a breach is likely to result in a high risk to individuals, the controller must inform affected data subjects without undue delay, using clear language and explaining the breach, consequences, and mitigation.
When You May Not Need to Inform
Exceptions apply if strong protection (like robust encryption) makes data unintelligible, if later measures remove the high risk, or if individual contact is disproportionate and a public notice is used instead.
NIS 2 Replaces NIS
The original NIS Directive has been superseded by NIS 2 (Directive 2022/2555), which Member States had to transpose by October 2024. It covers essential and important entities across many sectors.
NIS 2 vs GDPR Focus
NIS 2 targets cybersecurity and service continuity; GDPR targets personal data and rights. One incident can trigger both NIS 2 incident reports and GDPR breach notifications, with different timelines.
Practical Integration
Organisations often use a unified incident response process that checks GDPR, NIS 2 and sectoral rules (like telecoms or payments) so that all notification duties are met consistently.
Step 8 – Quiz: GDPR vs NIS 2
Distinguish GDPR breach duties from NIS 2 security incident duties.
A cyberattack disrupts an online banking service (an NIS 2 "essential entity") and also exposes customers' personal data. Which statement is most accurate?
- A) Only NIS 2 applies because banking is an essential service; GDPR no longer applies.
- B) Only GDPR applies because personal data were exposed; NIS 2 is irrelevant.
- C) Both GDPR and NIS 2 can apply: the bank may need to notify its NIS 2 authority/CSIRT and also the data protection authority and possibly data subjects.
- D) Neither GDPR nor NIS 2 apply because the incident was caused by a criminal hacker.
Answer: C) Both GDPR and NIS 2 can apply: the bank may need to notify its NIS 2 authority/CSIRT and also the data protection authority and possibly data subjects.
NIS 2 focuses on cybersecurity and service continuity for essential and important entities; GDPR focuses on personal data and individuals' rights. A single incident can trigger obligations under both frameworks. The fact that a criminal caused the attack does not remove these duties.
Step 9 – Record-Keeping, Documentation and Lessons Learned
Breach Register Duty
Article 33(5) requires controllers to document every personal data breach: facts, effects and remedial action. This is needed even when no notification is made.
What to Record
A good breach record notes when and how the breach was found, data and systems involved, root cause, risk assessment, notification decisions, remediation steps, and follow-up actions.
Learning from Incidents
Use post-incident reviews to improve risk assessments, DPIAs, security design, training, and vendor management. Security and privacy should improve with each incident.
Sector-Specific Records
Sectors like finance, health and telecoms may impose extra incident reporting and record-keeping duties. Always consider both GDPR and sectoral rules in your analysis.
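To make the decision logic of Steps 3, 5, 7 and 9 concrete, here is an added Python example (it is not part of this course page and not any regulator's tooling). It rates a breach with a deliberately simple heuristic that mirrors the module's reasoning (effective encryption neutralises the confidentiality impact; special-category data, uncontained financial data or large scale push the rating to high), derives whether the authority and the data subjects must be notified, computes the 72-hour deadline, flags a late submission, lists which Article 33(3) elements are still missing from a phased notification draft, and produces an Article 33(5) register entry. The thresholds, field names and the three constructed scenarios (modelled on Step 4) are assumptions, not GDPR text.

```python
"""Breach triage helper (illustrative, not an official method): risk rating,
notification decision, 72-hour deadline and breach-register entry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorised access or disclosure
    INTEGRITY = "integrity"              # unauthorised alteration
    AVAILABILITY = "availability"        # loss or destruction


class RiskLevel(Enum):
    NEGLIGIBLE = 0
    LOW = 1
    HIGH = 2


LARGE_SCALE_RECORDS = 10_000  # assumed volume threshold for a high rating

# Assumed field names for the Article 33(3) content elements.
ARTICLE_33_3_FIELDS = (
    "nature_of_breach",
    "data_subject_categories_and_approx_number",
    "record_categories_and_approx_number",
    "dpo_or_contact_point",
    "likely_consequences",
    "measures_taken_or_proposed",
)


@dataclass(frozen=True)
class BreachFacts:
    types: frozenset                # set of BreachType
    special_category: bool          # e.g. health data
    financial_identifiers: bool     # e.g. bank details
    records_affected: int
    effectively_encrypted: bool     # strong encryption, keys not with the data
    contained_and_mitigated: bool   # e.g. recipients deleted it, no forwarding


@dataclass(frozen=True)
class NotificationPlan:
    risk: RiskLevel
    notify_authority: bool          # Art. 33: likely to result in a risk
    notify_data_subjects: bool      # Art. 34: likely to result in a high risk
    authority_deadline: Optional[datetime]  # aware_at + 72h when notifying
    document_in_register: bool = True       # Art. 33(5): always, even if no notification


def assess_risk(f: BreachFacts) -> RiskLevel:
    """Assumed heuristic: drop the confidentiality impact when the data are
    unintelligible to whoever has them, then escalate on the remaining factors."""
    residual = set(f.types)
    if f.effectively_encrypted:
        residual.discard(BreachType.CONFIDENTIALITY)
    if not residual:
        return RiskLevel.NEGLIGIBLE
    if f.special_category:
        return RiskLevel.HIGH
    if f.financial_identifiers and not f.contained_and_mitigated:
        return RiskLevel.HIGH
    if f.records_affected >= LARGE_SCALE_RECORDS:
        return RiskLevel.HIGH
    return RiskLevel.LOW


def plan_notifications(f: BreachFacts, aware_at: datetime) -> NotificationPlan:
    risk = assess_risk(f)
    notify_sa = risk is not RiskLevel.NEGLIGIBLE
    notify_ds = risk is RiskLevel.HIGH
    deadline = aware_at + timedelta(hours=72) if notify_sa else None
    return NotificationPlan(risk, notify_sa, notify_ds, deadline)


def is_late(plan: NotificationPlan, submitted_at: datetime) -> bool:
    """True when the authority notification leaves the 72-hour window; the
    notification must then state the reasons for the delay."""
    return plan.authority_deadline is not None and submitted_at > plan.authority_deadline


def missing_article_33_3_fields(draft: dict) -> list:
    """Elements still to be supplied in a later phase of the notification."""
    return [k for k in ARTICLE_33_3_FIELDS if not draft.get(k)]


def register_entry(f: BreachFacts, plan: NotificationPlan, aware_at: datetime,
                   remedial_action: str) -> dict:
    """Art. 33(5) record: facts, effects and remedial action, kept whether or not
    anyone is notified."""
    return {
        "aware_at": aware_at.isoformat(),
        "types": sorted(t.value for t in f.types),
        "records_affected": f.records_affected,
        "risk": plan.risk.name,
        "authority_notification_required": plan.notify_authority,
        "data_subject_communication_required": plan.notify_data_subjects,
        "remedial_action": remedial_action,
    }


# Constructed scenarios modelled on Step 4 (not real incidents).
AWARE_AT = datetime(2024, 11, 4, 9, 0, tzinfo=timezone.utc)
SCENARIO_A = BreachFacts(frozenset({BreachType.CONFIDENTIALITY}), False, True, 200, False, True)
SCENARIO_B = BreachFacts(frozenset({BreachType.AVAILABILITY}), True, False, 5_000, False, True)
SCENARIO_C = BreachFacts(frozenset({BreachType.CONFIDENTIALITY}), False, False, 2_000, True, False)

if __name__ == "__main__":
    for name, facts in (("A", SCENARIO_A), ("B", SCENARIO_B), ("C", SCENARIO_C)):
        print(name, register_entry(facts, plan_notifications(facts, AWARE_AT), AWARE_AT, "see playbook"))
```

Scenario C illustrates the point in Step 4 and Step 7: the encrypted laptop is still recorded in the register, but neither the authority nor the data subjects need to be notified under this rating. The heuristic is a starting point for a triage checklist; a real assessment should weigh the concrete factors the module lists (sensitivity, volume, identifiability, likely consequences) case by case.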
Step 10 – Flashcards: Key Terms and Timelines
Use these flashcards to review core concepts from this module.
- Personal data breach (GDPR Article 4(12))
- A security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Three types of breach
- Confidentiality (unauthorised access/disclosure), integrity (unauthorised alteration), availability (loss or destruction).
- 72-hour rule
- Controllers must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach that is likely to result in a risk.
- High risk vs risk
- Risk to rights and freedoms triggers authority notification. High risk triggers communication to data subjects, unless a GDPR exception applies.
- Article 32 GDPR
- Requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- NIS 2 Directive (EU) 2022/2555
- Updated EU cybersecurity law for essential and important entities, replacing the original NIS Directive. Focuses on network and information systems and incident reporting.
- Breach register
- Internal record of all personal data breaches, including facts, effects and remedial actions, kept by the controller under Article 33(5).
- Processor's breach duty
- A processor must notify the controller without undue delay after becoming aware of a personal data breach so the controller can assess and notify if required.
Key Terms
- High risk
- A level of risk to individuals' rights and freedoms that triggers the duty to communicate a personal data breach to affected data subjects under Article 34 GDPR.
- Article 32 GDPR
- The provision that requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- Breach register
- The controller's internal record of personal data breaches, including facts, effects and remedial action, used to demonstrate compliance and support supervision.
- NIS 2 Directive
- Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, which updated and replaced the original NIS Directive.
- Incident response
- The organised approach to detecting, managing and recovering from security incidents, often integrating obligations under GDPR, NIS 2 and sector-specific laws.
- Personal data breach
- A security breach that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (GDPR Article 4(12)).
- Supervisory authority
- An independent public authority established by an EU/EEA Member State responsible for monitoring the application of data protection law, e.g. a Data Protection Authority.
- Risk to rights and freedoms
- The potential negative impact a breach or processing activity can have on individuals, such as identity theft, discrimination, financial loss, or reputational damage.
- Essential and important entities
- Categories of organisations covered by NIS 2 in sectors like energy, transport, banking, health, digital infrastructure and online services, subject to cybersecurity and incident reporting duties.
- Confidentiality, integrity, availability
- The three core security properties: keeping data secret from unauthorised parties, ensuring it is accurate and unaltered, and ensuring it is accessible when needed.