What is a confidentiality breach in the context of GDPR?

A confidentiality breach under the GDPR is a type of personal data breach where personal data is disclosed or accessed without authorisation, or accidentally made available to someone who should not see it, compromising its secrecy.

Core GDPR definition

  • GDPR defines a “personal data breach” as a security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • A confidentiality breach is one slice of that broader concept, specifically covering unauthorised or accidental disclosure or access.

What makes it a confidentiality breach?

  • It occurs when personal data is seen, received or accessed by people or systems that are not authorised, even if nothing is deleted or changed.
  • Typical examples include emails with personal data sent to the wrong recipient, files shared on an open drive, or staff viewing records without a legitimate need.

How it fits into GDPR’s three breach types

GDPR practice commonly breaks personal data breaches into three categories:

  • Confidentiality breach: Unauthorised or accidental disclosure of or access to personal data.
  • Integrity breach: Unauthorised or accidental alteration of personal data (for example, corruption or tampering).
  • Availability breach: Unauthorised or accidental loss of access to or destruction of personal data (for example, system outage or ransomware encryption).

All three are still “personal data breaches” under GDPR; the confidentiality breach is just the one focused on keeping data secret from unauthorised parties.

Practical GDPR examples

  • Sending a spreadsheet with customer names and contact details to the wrong mailing list.
  • A staff member checking a patient, customer, or employee record without a legitimate business reason.
  • Misconfigured cloud storage (e.g., an open link) exposing personal data to the internet.

Each of these involves personal data, a security failure, and access or disclosure beyond what is authorised, so they qualify as confidentiality breaches in the context of GDPR.