A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The definition above, however, does not take into account the impact of the breach, which must be considered when deciding whether the breach is to be reported to the supervisory authority.
- A breach that is believed could result in a risk to the data subject must be reported to the supervisory authority within 72 hours of becoming aware of it; prompt reporting of incidents is therefore essential.
- A breach that is believed could result in a high risk to the data subject must also be reported to the data subject.
The most important point for any colleague to understand is to report any incident that meets the definition above, so that an incident investigator can assess the breach and determine whether it should be reported and how it should be treated.