Data breach is a common word since the GDPR came into effect almost two years ago. It is important to have basic knowledge regarding personal data breaches and routines to be able to handle a potential data breach. Unfortunately, much of the information circulating is incorrect. In this blogpost, we therefor describe what a personal data breach is and some important aspects to bear in mind if a data breach were to occur in your organisation.

Published April 27th 2020
Updated November 30th 2023


What is a data breach?

A data breach is, simplified, all unplanned processing of personal data. The definition in the GDPR explains that a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

It can be a personal data breach when:

  • An employee sends an e-mail to the wrong person.
  • A computer containing personal data is stolen.
  • A patient´s medical records are not available in the hospitals´ systems when the patient has a scheduled appointment.

There are three different types of data breaches:

  1. Availability breach = an availability breach means an unauthorised or accidental loss of access to personal data or that the personal data has been destroyed. In other words, the personal data is not available when it has to be or should be.
  2. Confidentiality breach = a confidentiality breach means unauthorised or accidental disclosure of or access to personal data.
  3. Integrity breach = an integrity breach means that personal data has been altered by accident or by someone without authorisation.

It is important to remember that it does not matter whether the data breach is intentional or not, it is still a data breach.


What should you do if a personal data breach occurs?

There is not only one answer to what you should do if a personal data breach occurs. It depends on the nature of the personal data breach. However, there are some key points to bear in mind:

1. Report the data breach to the competent supervisory authority

If a data breach occurs, you might have to report the data breach to the correct supervisory authority within 72 hours. Initially, you have to do an assessment if the data breach is the type of data breach that has to be reported. A data breach has to be reported if it is likely that the data breach will result in a risk for the data subject or subjects.

If the competent supervisory authority is Integritetsskyddsmyndigheten (in Sweden), you can report a data breach here.

2. Report the data breach to the data subject

Some data breaches must also be reported to the afflicted data subjects. The obligation to inform the data subjects is at hand if the personal data breach might lead to a high risk for the data subject’s rights and freedoms. If this is the case, the information has to be delivered without undue delay.

To determine if there is a high risk, there are mainly two relevant factors:

1. How serious potential consequences might be and
2. How likely it is that these consequences occur.

Remember that it is always important that you work to minimize the potential risks.

When you contact the afflicted data subjects, it is important that you are clear with what has happened. You should also inform the data subjects which consequences that are likely to occur and what measures you have taken or planned to take. Furthermore, you should leave contact information to someone in your organization in case the data subject has questions.

If the result of your assessment is that the data breach needs to be notified to the data subjects, the data breach also has to be reported to the supervisory authority. This is because the requirement for you to be obligated to report to the data subject is higher than the requirement for you to be obligated to report to the supervisory authority. Because of this, all data breaches that you have reported to the data subject, you have also reported to the supervisory authority, but all data breaches that you have reported to the supervisory authority have not been reported to the data subject.

3. Document the data breach

If a personal data breach occurs, it should always be documented internally. This means that whether or not you report the data breach, the data breach must be documented for your own interests. Here, you have the opportunity to document your decision to report or to not report the data breach and to motivate this decision.

In GDPR Hero, there is an opportunity to document personal data breaches. You are welcome to book a demo where we can show you how this is done!


What can a personal data breach result in?

A personal data breach can result in an administrative fine for the organization or the organizations involved. The size of the administrative fine depends on how serious the data breach is and what measures you have taken to minimize the potential consequences.

An administrative fine might also result in an initiation of an audit by the supervisory authority. The audit will then result in a decision, based on the individual situation. You can read more about audits in Swedish here.

It is important that you remember that there are two sides to consider regarding the consequences of a data breach. Except for the potential consequences for the organization, a data breach might lead to consequences for the data subject whose personal data is involved in the data breach. A personal data breach can lead to physical or material damage for the individual. For example, possible consequences for the data subjects are identity theft, damaged reputation or economical loss.

You can read more about personal data breaches in Swedish here.


Keep calm – we can help you!

If a personal data breach were to occur in your organization, we would be happy to help you to make sure that you fulfil your legal obligations. Please, contact us at or 046 273 17 17.

You can already now book a demo of GDPR Hero to receive information about how you can be prepared if a data breach occurs. You can book a demo here.


Josefin Karlström


The content presented in this blog contains general information and is not to be considered as legal advice.