Data breaches

A personal data breach under the GDPR is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. Where a data breach is likely to result in a risk to the rights and freedoms of individuals, there is a duty to notify the ICO of the breach within 72 hours of the organisation becoming aware of it. Where a data breach is likely to result in a high risk to the rights and freedoms of individuals, data controllers are also required to notify the individuals concerned.

Full guidance on data breaches, how and when to report them, and the University's policies and procedures can be found on this page.

Also see the ICO’s webpage on breach notifications, and Articles 33 and 34 of the GDPR.