
Data breach GDPR: what it is and what it entails

In short

A personal data breach, under the GDPR (art. 4(12)), is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Unless it is unlikely to result in a risk to data subjects, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (art. 33); if the risk is high, the data subjects must be informed too (art. 34). It is an obligation distinct from the NIS2 notification to the CSIRT.

What a data breach is (and is not)

In everyday language a “data breach” is any attack. For the GDPR it is something precise (art. 4(12)): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Two consequences follow. First, no attacker is required: a lost laptop or an e-mail sent to the wrong recipient is a data breach. Second, exfiltration is not required either: ransomware that encrypts personal data is a data breach even if nothing leaves the network, because the data has been lost or made unavailable. Conversely, an attack that never touches personal data may not be a GDPR data breach, however serious it is for the service.

Two obligations not to confuse

The notification to the supervisory authority (GDPR art. 33) concerns personal data and the risk to the people it describes; the notification to the CSIRT (NIS2 art. 23) concerns significant incidents affecting the security of the entity's network and information systems or the services it provides. They have different triggers, different recipients and different clocks, so one does not replace the other. A ransomware case with exfiltration of personal data at a NIS2 entity typically triggers both. See NIS2 explained.

The time factor and the evidence

72 hours pass quickly, and art. 33(3) requires the notification to describe the nature of the breach, including the categories and approximate number of data subjects and records concerned, its likely consequences and the measures taken or proposed. A notification is only as good as the evidence behind it: working out which data was actually accessed or exfiltrated requires technical-forensic analysis (logs, endpoint artefacts, network telemetry), not just a legal assessment. Where that analysis is not complete within 72 hours, art. 33(4) allows the information to be provided in phases, but the first notification still has to be grounded in fact. That is the side Fortgale covers: data breach notification support.

Comparison

Data breach (DPA) vs NIS2 incident (CSIRT)

                Data breach · DPA                                      Incident · CSIRT
Law             GDPR art. 33-34                                        NIS2 art. 23 · national transposition
Subject         Personal data                                          Security of network and information systems / services
Deadline        72 hours from awareness (where feasible)               Early warning 24 h, notification 72 h, final report 1 month
To whom         Supervisory authority (+ data subjects if high risk)   National CSIRT (or competent authority)
Field-observed proof · what was exfiltrated

In Operation Storming Tide the Fortgale team reconstructed the chain and stopped the exfiltration: establishing which data left the perimeter is the factual basis of an accurate notification to the supervisory authority.

FAQ

Frequently asked.

Is every incident a data breach?

No. It is a GDPR data breach only if it involves personal data; whether it must then be notified depends on the risk to the data subjects (art. 33 excuses notification only where a risk is unlikely, and even then the breach must be documented under art. 33(5)). An incident can be notifiable under NIS2 to the CSIRT without being a GDPR data breach, and vice versa. Often, though, both apply.

Within what time must you notify the authority?

Without undue delay and, where feasible, within 72 hours of becoming aware (art. 33); a later notification must state the reasons for the delay, and information that is not yet available may be supplied in phases (art. 33(4)). If the risk to data subjects is high, they must also be informed without undue delay (art. 34). Every breach, notified or not, must be documented (art. 33(5)).

Who does what in the notification?

The legal assessment and the notification itself are the controller's responsibility, with the DPO as adviser and point of contact for the supervisory authority; a processor that detects the breach must notify the controller without undue delay (art. 33(2)). The technical-forensic side (what happened, which data was accessed or exfiltrated, the evidence) is provided by the security team. See data breach notification support.

What penalties for a mishandled data breach?

Infringements of the notification obligations (art. 33-34) fall in the lower tier of art. 83(4): up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. An accurate, timely notification, backed by solid technical evidence, is also a form of protection.

How Fortgale delivers it

From theory to a real operation.

What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Data breach notification support.

Related resources: NIS2 explained · Data breach notification support · Ransomware attack: what to do
