Live National Cyber Helpline · 0300 123 2040
Assured Cyber Protection Cyber & insurance briefing

Compliance, Standards and Contracts

Types of GDPR Data Breach: Confidentiality, Integrity and Availability

By the Assured Cyber Protection team · Updated 2026 · Reviewed

If you have been asked what is a confidentiality breach in the context of GDPR, the answer is one of three recognised breach types. Under the UK GDPR a personal data breach is any security incident that affects the confidentiality, integrity or availability of personal data, and a confidentiality breach is specifically the type where personal data is disclosed to, or accessed by, someone who was not authorised to see it. Understanding which of the three categories an incident falls into is the first thing the Information Commissioner’s Office expects you to work out, because it shapes how you assess the risk and whether you have to report it.

These three types come from what security professionals call the CIA triad: confidentiality, integrity and availability. They are the three properties that keep information trustworthy, and a breach is simply the loss of any one of them. A single incident can hit more than one at once, which is why a ransomware attack, for example, is usually both an availability and a confidentiality breach.

What the UK GDPR actually defines as a breach

The legal definition is broad on purpose. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The cause does not matter: it can be deliberate, like a hacker exfiltrating a customer database, or entirely accidental, like an email sent to the wrong recipient. What matters is the effect on the data, and that effect always falls into one or more of the three types below.

Confidentiality breach

A confidentiality breach happens when personal data is disclosed to, or accessed by, someone who was not authorised to see it. This is the type most people picture when they hear “data breach”, and it is the most common in practice.

Everyday examples include emailing a spreadsheet of customer details to the wrong address, sending a letter to the wrong postal address, a lost or stolen unencrypted laptop or USB stick, a misconfigured database left open to the internet, or an employee snooping on records they had no business reason to view. It also covers deliberate attacks such as hacking, phishing that harvests login details, and malware that steals data. The defining feature is always the same: personal data ended up in front of eyes that should not have seen it.

Integrity breach

An integrity breach is the loss of accuracy or completeness. It happens when personal data is altered without authorisation, whether that change is deliberate or accidental. The data still exists and may still be accessible, but it can no longer be trusted to be correct.

Examples include an attacker tampering with records, a faulty migration that corrupts fields across a database, someone overwriting the wrong customer’s file, or malware that silently changes stored values. Integrity breaches are easy to overlook because nothing is obviously missing or leaked, yet the consequences can be serious. If a patient’s medication record or a payroll file is quietly altered, decisions get made on wrong information.

Availability breach

An availability breach is the loss of access to personal data, or the loss of the data itself, when that loss has a real effect on the people the data is about. The classic modern example is ransomware, which encrypts your files so you can no longer reach them. It also covers accidental deletion with no backup, hardware failure that destroys the only copy, or a systems outage that locks you out of records you need.

A short outage that you recover from quickly with backups may not amount to a notifiable breach on its own, but a permanent loss, or a loss that stops you delivering a service people depend on, clearly does. The test is whether the temporary or permanent loss of access has a detrimental effect on individuals.

Which type triggers a report to the ICO?

The type of breach does not automatically decide whether you report. What decides it is risk. You must assess whether the breach is likely to result in a risk to the rights and freedoms of individuals, thinking about consequences like identity theft, financial loss, discrimination or distress. If a risk is likely, you must notify the ICO without undue delay and within 72 hours of becoming aware of it. That clock runs from the moment you discover the breach, not from when it happened, and it does not pause for weekends or nights.

Not every incident meets that bar. Losing an internal list of desk phone extensions, or recovering a misdirected email before anyone opens it, is unlikely to need reporting. But you must still record every breach internally, whether or not you report it, so you can show the ICO your reasoning if asked. Article 33(4) also lets you report in phases if you do not have every detail within 72 hours, so a lack of full information is never a reason to miss the deadline.

For the practical mechanics of that report, see our guide to data breach reporting and the ICO 72-hour rule, and for the financial exposure, GDPR breach compensation covers what individuals can claim. If you want to reduce the chance of any of these types happening in the first place, a cyber security risk assessment is where to start.

Frequently asked questions

What is a confidentiality breach in the context of GDPR? A confidentiality breach is a type of personal data breach where personal data is disclosed to, or accessed by, someone who was not authorised to see it. Examples include emailing data to the wrong person, a lost unencrypted device, or a hacker accessing a customer database. It is the most common of the three GDPR breach types.

What is an integrity breach in the context of GDPR? An integrity breach is the unauthorised or accidental alteration of personal data, so the data is no longer accurate or complete. The information still exists but can no longer be trusted, for example when records are tampered with, corrupted during a migration, or overwritten in error.

What is an availability breach in the context of GDPR? An availability breach is the loss of access to personal data, or the loss of the data itself, in a way that affects the people it relates to. Ransomware encrypting your files, accidental deletion with no backup, and hardware failure that destroys the only copy are all availability breaches.

Can one incident be more than one type of breach? Yes. Many incidents affect more than one property of the data at once. A ransomware attack that both locks you out of files and steals a copy of them is an availability breach and a confidentiality breach at the same time, and you assess the risk across all the effects it has.

Do I have to report every type of data breach to the ICO? No. You only have to notify the ICO if the breach is likely to result in a risk to individuals’ rights and freedoms, and then within 72 hours of becoming aware of it. You must, however, keep an internal record of every breach regardless of whether it is reportable.

The Threat Brief

A calm, plain-English security update. Once a week.

New scams, breach lessons, and cyber insurance changes that affect UK businesses, explained without the jargon. No alarmism, no vendor spin.

Unsubscribe anytime. We never share your address.