Personal data breach

A requirement in GDPR is that all personal data breaches need to be reported and handled by KI. The GDPR project at KI has developed a process for managing personal data breaches. Work is ongoing to adapt the system that will support the process and to assign the key roles that will manage personal data breaches at KI.

However, while the system is being adapted, KI still needs to be able to receive and report personal data breaches. Therefore, all KI staff must report detected breaches that may involve personal data to the IT security team at IT Support for further analysis.

What is a personal data breach?

A personal data breach is defined as a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Examples of personal data breaches

Below are some examples of personal data breaches:

  • Personal data has been sent to an unauthorized recipient.
  • Printouts containing personal data end up with the wrong person.
  • A public document containing personal data is disclosed in response to a request, without the request being recorded as a request for a public document.
  • A former project member still has access/permissions to stored personal data through the project's file share.
  • A computer, external hard drive, USB or similar storage device that contains personal data has been lost or stolen.
  • Someone has changed personal data without permission.
  • Personal data is not available to authorized employees who need it for their work, which could potentially affect the data subjects.
  • A data breach involving personal data has been detected which could have compromised the confidentiality, integrity or availability of the data.