All those actions in which the security of the data is being altered, causing its destruction, loss or alteration, either accidentally or maliciously.
Security breaches can be intentional, carried out by hackers trying to access private data. They can be accidental, caused by the staff working with the data themselves. They can also be due to failures in the system or software used.
GDPR establishes the obligation to report within a maximum of 72 hours after knowledge of the security breach to the competent control authority. If persons may be affected, and there is a risk that their rights and freedoms may be impaired, it would be necessary to communicate the security breach to those affected.