When is a GDPR breach not a data breach?

Is there a difference between a “data breach” and a “GDPR breach”? The phrases are often used interchangeably, but it’s struck our Director Clare Paterson that sometimes people actually mean two different things and it’s leading to confusion. So here she explains the difference between a “data breach” and a “GDPR breach” to try to prevent any more crossed lines.

Imagine you’re in a meeting at work – a meeting being held and recorded over video conference – and when you get to the agenda item “Staff updates” the boss announces that she is leaving the company and will miss you all very much, especially you (naturally!) because of the way you are great at arranging birthday treats for the team despite your phobia of cakes.

Is that a data breach of some sort? Surely it must be? This is where I put on my “it depends” hat and get pedantic, because it depends on the context and the facts around the comment.

If your colleagues have no idea you suffer from fear of cakes and you had only told your boss in confidence as your line manager, it would certainly be what I’ll refer to as a “data breach”. In other words, she has leaked information about you, and shared it with people who didn’t already know it.

On the other hand, if your colleagues know that you are cake-phobic, because you’ve told them yourself, and you’re happy for them to know that about you, it’s not a “data breach” in the same sense as the first instance, because this is not new information to your team. (Anyone else hearing Phoebe Buffay from Friends saying unconvincingly “this is completely new information to me”? No, just me?)

Is it a “GDPR breach” though? Does it break the rules of the GDPR? It is very likely a breach of the first principle of fair, lawful and transparent processing, as it’s unlikely the boss has identified a legal basis for sharing this information in this way – in a minuted, recorded, official meeting – much less communicated that to you prior to the meeting.

Another example would be when a company has kept archive boxes for far too long, way past the point of having any justifiable reason to retain the data inside them, but the boxes and their contents have been kept secure and not accessed by anyone. In that situation, there’s been no “data breach” as in a leak of data, but there has been a breaking of the rules: a “GDPR breach”.

Recently I have been involved in two cases where a company has been accused of committing a “data breach” where they haven’t leaked any data, but there was a question mark over whether they had broken the rules of the GDPR by processing data without a legal basis, for example. In one of the cases, the organisation did hold up its hands and say “yep, we shouldn’t really have processed your data in that way, we’re sorry about that.”

Why is it important to differentiate between a “data breach” and a “GDPR breach”? It’s not just because I’m a stickler for details, I promise! In this case, the organisation was accused of not only committing a “data breach”, but also of failing to report the breach to the ICO and the data subject in question. They were able to deny that they had committed a data breach because the details they shared were already known by the other person, so this cleared them of failing to report too. They did confess to the other type of “GDPR breach”, but that doesn’t come with the same reporting requirements (although I am sometimes asked if it does).

Unfortunately, before we ironed out the difference between a data breach and a GDPR breach for this client, they had told the person in question they had not committed a GDPR breach, when they had in fact meant a data breach. So they had to do a little bit of explaining along with their apology.

It’s also worth noting that, while the GDPR allows for monetary penalties to be imposed for breaching or breaking the GDPR rules and not just for security breaches, in practice the risk of being fined in the UK for anything other than a “data breach” is low. The UK’s data protection supervisory body, the ICO, has not currently taken that to heart in the way some European countries have. In fact, the majority of recent penalties from the ICO have not been for GDPR breaches at all, but for breaching PECR (the Privacy and Electronic Communications Regulations), where companies have sent unsolicited direct marketing to individuals by electronic means, without consent.

For more details on how the PECR rules apply to your emails and SMS texts, please see our recent post on using your email database lawfully. Do bear in mind that messages do not have to be selling goods or services to be classed as “marketing” under the PECR rules.

Of course, this doesn’t mean that if you have a “GDPR breach” you don’t need to take any action – it’s still crucial to investigate and put things right as soon as possible. If you suffer a GDPR breach, including a “data breach”, we can help; please visit https://cpdataprotection.com/consultancy/ where you can book a free 15-minute call to ask a quick question or to discuss how we can help you further, or you can book and pay for an hour or half hour of consultancy even if you’re not an existing client.

Clare Paterson has over 20 years of experience in quality assurance and risk management, including around nine years specialising in data protection, and she launched CP Data Protection to offer values-led businesses accessible, clear and practical advice and training on data protection issues.

Click here to sign up to the CPDP mailing list and receive a data protection health check template.