What is an ‘availability breach’ in the context of GDPR?

An "availability breach" in the context of the GDPR refers to any event that causes personal data to become temporarily or permanently inaccessible. This can happen due to accidental or malicious actions such as system breakdowns, cyberattacks (e.g., ransomware encrypting data), hardware failures (e.g., server crashes), software bugs, human errors (e.g., accidental deletion), or natural disasters affecting data centers. It involves an unauthorized or accidental loss of access to, or destruction of, personal data, which compromises its availability for use when needed.

Under GDPR, availability breaches are recognized as a category of personal data breaches alongside confidentiality and integrity breaches. Such breaches must be managed with prompt security protocols, and if the breach poses a risk to the rights and freedoms of individuals, it must be reported to supervisory authorities within 72 hours and potentially to affected individuals.

Organizations face significant legal and financial consequences if they fail to ensure data availability as mandated by GDPR articles, including Article 5(1)(f) on integrity and confidentiality, Article 32 on security of processing, and Articles 33 and 34 on breach notification and communication.

In summary, an availability breach under GDPR means the improper inability to access personal data due to incidents like cyberattacks, system failures, or other disruptions, requiring organizations to implement rigorous security measures and compliance protocols to prevent and mitigate such breaches.