The General Data Protection Regulation (“GDPR”) entered into force on May 25, 2018 (“GDPR Day”). Introducing a new regime for the protection of personal data in the European Union (“EU”), the GDPR imposes new obligations on organizations dealing with personal data.
Under the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.” Personal data breaches include not only unauthorized access to or disclosure of data but also the accidental destruction or alteration of data. While limited breach notification regimes were in place in the EU before the GDPR, the handling of these types of incidents is among the biggest paradigm shifts to which organizations and supervisory authorities have had to adapt since GDPR Day.