GDPR: what should I do in case of a data breach?

A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Breaches can be categorised into the following three categories: 

  • Confidentiality breach - where there is an unauthorised or accidental disclosure of, or access to, personal data.
  • Integrity breach - where there is an unauthorised or accidental alteration of personal data.
  • Availability breach - where there is an accidental or unauthorised loss of access to, or destruction of, personal data. 


Possible incidents that can lead to a data breach are:

  • access to personal data by an unauthorised third party;
  • an intentional or unintentional action that affects the security of personal data;
  • sending personal data to an incorrect recipient;
  • lost or stolen computer equipment (like a USB-stick) with personal data;
  • changing personal data without consent.


The GDPR obliges organisations to report serious data breaches to the Belgian Data Protection Authority and the Flemish Supervisory Commission for the Processing of Personal Datawithin 72 hours after the data breach has come to lightif the data breach poses a risk to the rights and freedoms (such as the privacy) of the persons involved.

Data subjects must also be notified if the breach is likely to pose a high risk to their rights and freedoms.

Any notification to the relevant data protection authority and the data subject(s) will be made by the University of Ghent.Ghent University researchers must therefore report a (suspected) data breach as soon as possible to the DICT Helpdesk via DICT HelpMe.

More tips

Translated tip

Last modified March 6, 2024, 9:30 a.m.