An "availability breach" under GDPR refers to a security incident that disrupts access to personal data, making it temporarily or permanently unavailable. This falls within the broader definition of a "personal data breach" in Article 4(12) of the GDPR, which covers any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Core Definition

Availability breaches specifically target the CIA triad (Confidentiality, Integrity, Availability) principle in GDPR Article 5(1)(f), where organizations must process data securely to ensure ongoing access. Unlike confidentiality breaches (e.g., hacks exposing data), these focus on inaccessibility —think ransomware locking files or server crashes wiping access. Data controllers and processors bear responsibility, with processors obligated to notify controllers immediately.

Common triggers include:

  • Cyberattacks like DDoS or ransomware encrypting files.
  • Hardware/software failures , such as server outages or bugs.
  • Human error , like accidental deletions.
  • External events , e.g., natural disasters hitting data centers.

Legal Obligations

GDPR mandates risk-based reporting :

  1. Notify supervisory authority within 72 hours if the breach "is likely to result in a risk" to individuals' rights (Article 33).
  1. Inform affected data subjects "without undue delay" if high risk (Article 34), e.g., if inaccessibility prevents critical services.
  1. Document everything internally, even non-notifiable incidents (Article 33(5)).

Fines can reach €10 million or 2% of global turnover for violations like failing to secure availability (Article 83(4)). Recent examples, like the 2024 CrowdStrike outage, sparked debates on whether pure unavailability qualifies without data loss—some regulators treat it broadly as a breach.

Scenario| Availability Breach?| Notification Likely?
---|---|---
Ransomware encrypts customer database| Yes—data inaccessible| High risk; yes 1
Temporary DDoS downtime (no data loss)| Debatable; regulators often say yes| Depends on risk duration/impact 8
Server crash with backups available| Possible, if prolonged| Low risk if quick recovery 1
Accidental file deletion| Yes—permanent loss| Assess individual impact 1

Prevention Strategies

Proactive steps mirror Article 32 requirements for resilient processing:

  • Implement redundant backups and failover systems.
  • Conduct regular risk assessments and penetration testing.
  • Train staff on incident response.
  • Use contracts with third parties ensuring GDPR-aligned availability SLAs.

Real-world debate : Forums like LinkedIn highlight splits—some argue GDPR's text doesn't explicitly list "unavailability" alone as a breach (unlike destruction/loss), favoring narrow reads to avoid over-notifying glitches. Yet, authorities push broad interpretations for safety, urging documentation always.

TL;DR at Bottom

Availability breaches disrupt personal data access via incidents like cyberattacks or failures, triggering GDPR's notify-if-risky rules and fines. Prioritize resilience to comply—check Article 4(12) for the full legal anchor.

Information gathered from public forums or data available on the internet and portrayed here.