Data breaches are becoming more common every year, and they are not always caused by hackers stealing information. In fact, the UK’s Information Commissioner’s Office reported 11,680 personal data breach reports in 2023–2024, a 28% increase from the previous year.
While many people think of data breaches as leaks, another serious risk is when data becomes incorrect or altered. This is known as an integrity breach, and under GDPR, it can be just as serious.
So, what does this mean in practice? Let’s break down What Is An Integrity Breach In The Context of GDPR and why it matters.
Understanding Data Breaches and Integrity Risks
What is a personal data breach?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorised disclosure or access. There are three main types of breach. Confidentiality breaches happen when data is disclosed to or accessed by unauthorised people. Availability breaches occur when data is lost or cannot be accessed. Integrity breaches occur when data is altered without authorisation or by accident, so that it no longer reflects the truth.
What is an integrity data breach?
So, What Is An Integrity Breach In The Context of GDPR?
It is when personal data is altered in a way that makes it inaccurate, incomplete or unreliable. This can happen accidentally or deliberately. Common causes include human error such as incorrect data entry, software issues or system failures, cyberattacks involving data tampering, and poor system synchronisation that leads to inconsistent records.
GDPR requires organisations to keep personal data accurate and up to date (the accuracy principle) and to protect it against unauthorised or unlawful processing and accidental loss, destruction or damage (the integrity and confidentiality principle), so any unauthorised or accidental change to personal data can be a reportable breach.
Risk assessing data breaches
Every breach must be assessed, even if it is not reported. Organisations should consider whether the breach could cause harm to individuals, whether sensitive data such as health records is involved, and whether it could affect someone’s rights or freedoms. The higher the risk, the faster action needs to be taken.
Potential consequences for organisations
Integrity breaches can have serious consequences. Organisations may face fines for failing to meet GDPR requirements. Operations can be disrupted because incorrect data leads to poor decisions and inefficiencies. Reputational damage can occur, resulting in a loss of trust from customers and stakeholders. In some cases, legal action may be taken if individuals are harmed.
A well-known example is the NHS Test and Trace issue in 2020, where thousands of positive COVID-19 cases were not passed on for contact tracing because a spreadsheet file-format row limit silently truncated the case records. No attacker was involved, yet the data became incomplete, showing how damaging inaccurate data can be.
Preventing and Managing Data Breaches
Preparing for a personal data breach
Preparation helps reduce both risk and response time. Organisations should have a clear data breach policy in place, ensure staff are trained, define roles and responsibilities, and establish incident response procedures so that action can be taken quickly when needed.
Responding to a personal data breach
When a breach occurs, the first step is to identify and contain the issue. This should be followed by assessing the risk, recording what happened, and deciding whether reporting is required. Acting quickly is important to limit the impact.
How to prevent integrity breaches
Preventing integrity breaches requires a combination of technical controls, processes and awareness. Staff should be trained on the importance of data accuracy, and organisations should have strong data governance in place. Regular data checks and validation help identify errors early, while security audits can highlight weaknesses in systems. Access to data should be restricted so that only authorised individuals can make changes, and changes should be logged so that an unauthorised or accidental alteration can be traced and corrected.
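The "regular data checks" above can be made concrete with a tamper-evident check over stored records. The following is an added illustration, not code from the original page or from ARC Data Protection Services: each record is sealed with an HMAC under a key held separately from the database, and a validation pass reports records that were altered, deleted or added since sealing. The key, the record layout and the sample patient data are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Hypothetical integrity key for the example. In a real deployment it would be
# held in a KMS or HSM, separate from the database, so that someone who can edit
# rows cannot also re-seal them to hide the change.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    # Stable serialisation: same content always produces the same bytes,
    # regardless of key order in the dictionary.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    # HMAC-SHA256 over the canonical form of one record.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(records: Dict[str, dict], key: bytes = INTEGRITY_KEY) -> Dict[str, str]:
    # Produce the seal table (record id -> tag) at a point when the data is trusted.
    return {rid: sign_record(rec, key) for rid, rec in records.items()}


def validate(records: Dict[str, dict], seals: Dict[str, str],
             key: bytes = INTEGRITY_KEY) -> List[Tuple[str, str]]:
    # Compare the live records against the seal table and return findings as
    # (record id, "altered" | "missing" | "unsealed"), sorted for stable output.
    findings: List[Tuple[str, str]] = []
    for rid, expected in seals.items():
        if rid not in records:
            findings.append((rid, "missing"))          # record deleted since sealing
            continue
        actual = sign_record(records[rid], key)
        if not hmac.compare_digest(actual, expected):   # constant-time comparison
            findings.append((rid, "altered"))          # content changed since sealing
    for rid in records:
        if rid not in seals:
            findings.append((rid, "unsealed"))         # record added outside the sealed process
    return sorted(findings)


# Constructed sample data for the example; not real individuals.
PATIENTS: Dict[str, dict] = {
    "p001": {"name": "A. Example", "dob": "1980-03-14", "allergies": ["penicillin"]},
    "p002": {"name": "B. Example", "dob": "1975-11-02", "allergies": []},
    "p003": {"name": "C. Example", "dob": "1992-07-30", "allergies": ["latex"]},
}


def demo() -> List[Tuple[str, str]]:
    # Seal the trusted data, then simulate an integrity incident on a working copy:
    # one allergy silently removed, one record lost, one record added unofficially.
    seals = seal(PATIENTS)
    live = json.loads(json.dumps(PATIENTS))  # deep copy
    live["p001"]["allergies"] = []
    del live["p003"]
    live["p004"] = {"name": "D. Example", "dob": "2001-01-01", "allergies": []}
    return validate(live, seals)


if __name__ == "__main__":
    for rid, finding in demo():
        print(f"{rid}: {finding}")
```

A check like this detects an integrity breach; it does not prevent one, so it belongs alongside the access restrictions and change logging described above. The findings it produces (which records, what kind of change, when the check ran) are exactly the facts a later risk assessment and any ICO report will need.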
How to manage integrity breaches
If an integrity breach occurs, organisations should investigate the cause and correct any inaccurate or corrupted data. It is important to assess the impact on individuals and take steps to prevent the issue from happening again. Support from specialists such as ARC Data Protection Service can help organisations strengthen their processes and reduce future risks.
Reporting Requirements and ICO Notification
When to report a breach to the ICO
A breach must be reported to the ICO if it poses a risk to individuals’ rights and freedoms. This includes situations where personal data could lead to harm such as identity theft, financial loss, reputational damage, or loss of confidentiality, especially with sensitive data like health records. If you are unsure, it is safer to carry out a proper risk assessment and document your decision, even if you decide not to report.
Timeframes for reporting (including 72-hour rule)
Breaches must be reported within 72 hours of becoming aware of them. This does not mean when the breach happened, but when your organisation becomes aware that a breach has occurred. If you miss this deadline, you must explain the reason for the delay when submitting your report. Acting quickly is important to reduce risk and show compliance.
What information must be included in a breach report
A breach report should include clear and accurate information to help the ICO understand the situation. This includes what happened and how the breach occurred, the number of individuals affected, and the type of personal data involved. You should also explain the likely consequences for those affected, outline the actions taken or planned to address the issue, and provide contact details for a responsible person such as a Data Protection Officer.
What to do if all information is not yet available
In many cases, you may not have all the details within the first 72 hours. You should still submit the report with the information you have and clearly state that the investigation is ongoing. Additional details can be provided later as they become available. It is better to report early and update than to delay reporting altogether.
How to notify the ICO
Breaches are reported using the ICO’s official online reporting tools. Data controllers are responsible for submitting the report and ensuring compliance with GDPR. Data processors, on the other hand, must inform the controller as soon as they become aware of a breach. They do not report directly to the ICO unless instructed, but they play a key role in making sure the controller has the information needed to act quickly.
Communicating Breaches and Legal Obligations
When to inform individuals about a breach
Individuals must be informed if a breach is likely to result in a high risk to their rights and freedoms. This is especially important when sensitive data is involved, such as health records, financial information, or identity details. A high-risk breach could lead to harm like identity theft, discrimination, financial loss, or distress. Organisations should assess each situation carefully and, where required, inform individuals without unnecessary delay so they can take steps to protect themselves.
What information must be provided to affected individuals
When informing individuals, communication should be clear, honest and easy to understand. It should explain what happened and when, what type of personal data was affected, and what the potential risks are. Organisations should also outline what actions have been taken to contain the breach and reduce any impact. Importantly, individuals should be told what steps they can take to protect themselves, such as monitoring accounts or changing passwords. Contact details should also be provided so individuals can ask questions or get further support.
GMC guidance on data breaches
For healthcare professionals, the General Medical Council expects a high level of transparency. This means being open and honest when something goes wrong, explaining the situation clearly to patients, and taking responsibility where appropriate. Acting promptly is essential, as delays can increase the impact on patients and reduce trust. Even in cases where GDPR may not strictly require notification, it is often considered good practice to inform patients.
Additional GDPR responsibilities and considerations
Beyond reporting and communication, organisations have wider responsibilities under GDPR. They must keep a record of all data breaches, including those that are not reported to the ICO, along with the decisions made. Regular reviews of policies and procedures are important to identify weaknesses and improve data protection practices. Organisations should also consider whether other legal or regulatory requirements apply, depending on their sector or the type of data involved.
Consequences of failing to report breaches
Failure to report notifiable breaches can lead to serious consequences. Under the UK GDPR, breaching the notification duties can attract a fine of up to £8.7 million or 2% of annual worldwide turnover, whichever is higher. In addition to financial penalties, there may be regulatory investigations and enforcement action. Just as importantly, failing to handle breaches properly can damage an organisation’s reputation and lead to a loss of trust from customers, patients, or clients.
What Is An Integrity Breach In The Context of GDPR? – Conclusion
In conclusion, an Integrity Breach refers to situations where personal data is altered, corrupted or becomes inaccurate, whether through human error, system issues or malicious activity. These breaches can lead to fines, operational problems, reputational damage and legal consequences if not handled properly. Organisations need to focus on prevention, quick detection, risk assessment and proper reporting to remain compliant and protect individuals.
If you need support reviewing your processes or improving your data protection approach, ARC Data Protection Services can provide expert guidance, training and practical support tailored to your organisation.
Frequently Asked Questions
What Is An Integrity Breach In The Context of GDPR?
It is when personal data is altered so that it becomes inaccurate, incomplete or unreliable.
Is an integrity breach the same as a data leak?
No. A data leak is a confidentiality breach, where data is disclosed to or accessed by someone who should not have it. An integrity breach is where the data itself is altered, corrupted or made inaccurate, whether or not anyone outside the organisation saw it.
Do integrity breaches need to be reported?
They must be reported if they pose a risk to individuals’ rights and freedoms.
What causes integrity breaches?
Common causes include human error, system issues, cyberattacks and poor data management.