How many times do you think the term ‘data breach’ appears in the legal text of the GDPR? The answer may surprise you: the term ‘data breach’ on its own does not occur in the GDPR at all. The regulation only defines the narrower term ‘personal data breach’ (Article 4.12), and it builds that definition on one of the principles for processing. To understand why this is the case, we must first take a closer look at what a data breach actually is.

A data breach involves a violation of the principle contained in Article 5.1f (integrity and confidentiality):

‘Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

Based on this principle, we see that a data breach is not only about losing a USB stick with personal data on it, for example, but that the accidental destruction, damage or loss of data also violates the principle (and is referred to colloquially as a ‘data breach’). In fact, a data breach can mean either of two things:

  • Unauthorised or unlawful access to, or disclosure of, the data (a violation of confidentiality)
  • Accidental or unlawful destruction, loss or damage of the data (a violation of integrity)

As is apparent from the above text, keeping personal data for too long is not a data breach in this sense but an unlawful processing of those data (a violation of the storage limitation principle in Article 5.1e). A researcher who works with a dataset that should long since have been deleted or anonymised is therefore also not compliant with the GDPR, even if nothing has leaked. When a data breach does occur, it suggests that the data were not sufficiently secured. There is a limit to this reasoning, however: what if a professional hackers club with hundreds of members gains access to your dataset despite reasonable precautions? For such cases, Article 5.2 is relevant:

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Accountability, as we discussed earlier, means that researchers (with assistance from privacy officers) must be able to demonstrate that they have taken appropriate and proportionate technical and organisational measures to protect the data as well as reasonably possible, for example by being able to show which access controls, encryption and retention rules were in place at the time of the breach. A researcher who cannot demonstrate this risks a fine.

Fines

The administrative fines for failing to protect personal data properly fall into two categories (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN#page=82 ):

1.      Article 83.4: ‘fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher’. This category covers, among other things, the obligations of controllers and processors in Articles 25 to 39, which include the security of processing (Article 32) and the notification of a personal data breach (Articles 33 and 34).

2.      Article 83.5: ‘fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher’. This category covers violations of the basic principles for processing in Article 5, including the integrity and confidentiality principle discussed above, as well as violations of data subjects’ rights.

The amount of the fine depends on the circumstances listed in Article 83.2, among them the nature, gravity and duration of the infringement, whether it was intentional or negligent, the measures taken to mitigate the damage and the degree of cooperation with the supervisory authority; the more principles are violated and the more serious the violations, the higher the fine will be. But violating the principles can have further consequences than merely a fine. Data subjects may decide to withdraw from the research. There may also be a wave of requests from data subjects to access their data (Article 15), each of which must be answered. And imagine a hacker gaining access to a researcher’s dataset, as a result of which it is revealed that the researcher has been storing certain data for thirty years. In that case, the researcher will have a lot of explaining to do as to why that data still exists after all this time.

In conclusion, it is very important for a researcher to understand that every data breach, or suspected data breach, must be reported immediately to the privacy officer or directly to the DPO. A researcher cannot and should not make their own decision about the severity of a data breach; their only obligation is to report it as soon as possible. The reason for the urgency is that the GDPR gives the controller only 72 hours after becoming aware of a personal data breach to notify the supervisory authority (Article 33), unless the breach is unlikely to result in a risk to the people concerned, and that judgement is for the DPO and the organisation to make, not the researcher. Every hour spent deliberating alone eats into that deadline.