Personal Data Breaches: Understanding the Rise in Incidents and Managing CNIL Notification Requirements

April 23, 2026

A Significant Increase in Data Breaches in France

In recent times, hardly a week goes by without the media reporting that an organization has suffered a cyberattack leading to a data breach. Websites such as https://bonjourlafuite.eu.org/ or ethical hackers like https://x.com/_SaxX_ regularly track these incidents, with the main observation being that their frequency has significantly increased in recent years.

This trend is also reflected in data from the CNIL, which has seen a rise in the number of breach notifications. According to the 2026 Personal Data Breach Barometer published by Forum INCYBER, based on CNIL open data, between September 2024 and September 2025, 8,613 data breaches were reported to the CNIL, compared to 5,919 the previous year (a 45% increase). This represents nearly 24 notifications per day over a full year.

Anticipating Data Breaches: Understanding to Respond Effectively

The purpose of this article is not to analyze the root causes of data breaches or provide expert cybersecurity insights, but rather to offer practical guidance on anticipating common vulnerabilities and to focus on CNIL notification requirements.

GDPR Definition of a Personal Data Breach

To begin with, the GDPR defines a personal data breach in Article 4(12) as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

The Three Types of Breaches to Be Notified

One point that may surprise you when notifying is that, although the definition lists five types of incident (destruction, loss, alteration, unauthorized disclosure, and unauthorized access), the breach must be classified into only three categories when notifying:

  • Loss of confidentiality
  • Loss of integrity
  • Loss of availability

Destruction and loss both fall under loss of availability. Whether data is deleted or the storage medium is lost, the result is the inability—temporary or permanent—to access the data.

Alteration corresponds to loss of integrity, as any modification compromises data accuracy.

Finally, unauthorized disclosure and unauthorized access correspond to loss of confidentiality. For example, sending data to the wrong recipient or unauthorized access both compromise confidentiality.

What Security Measures Can Prevent Data Breaches?

Implement Robust Backup Strategies

To prevent or mitigate loss of availability, integrity, or confidentiality, several measures can be implemented.

A robust backup strategy is essential. A useful guideline is the 3-2-1(-1-0) rule:

  • 3 copies of data (production data + 2 backups)
  • 2 different storage media (server, external drive, cloud, etc.)
  • 1 off-site backup
  • an additional offline backup disconnected from the network
  • 0 errors during restoration tests (which implies regular testing)
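The rule above lends itself to an automated check against a backup inventory. The following is an added example, not code from the original article or from DPO Consulting; the inventory schema, field names and the sample copies are assumptions constructed for the illustration. It treats the "0" component as satisfied only when every backup copy has a restoration test on record and its most recent test reported zero errors.

```python
"""Check a backup inventory against the 3-2-1(-1-0) rule.

Added example (not from the original article). The Copy / RestoreTest
schema and the sample inventory are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass
class Copy:
    """One copy of the data set (production or backup). Constructed schema."""
    name: str
    medium: str            # e.g. "server", "nas", "cloud", "tape"
    offsite: bool          # kept at a different physical location
    offline: bool          # disconnected from the network when not in use
    is_production: bool = False


@dataclass
class RestoreTest:
    """Result of one restoration drill; later entries are more recent."""
    copy_name: str
    errors: int


def check_3_2_1_1_0(copies, restore_tests):
    """Return a dict mapping each rule component to True (met) or False.

    3: at least three copies in total (production + two backups)
    2: the copies sit on at least two distinct media types
    1: at least one backup is off-site
    1: at least one backup is offline (disconnected from the network)
    0: every backup's most recent restoration test reported zero errors
    """
    backups = [c for c in copies if not c.is_production]
    latest_errors = {}
    for t in restore_tests:          # later tests override earlier ones
        latest_errors[t.copy_name] = t.errors
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in backups),
        "1_offline": any(c.offline for c in backups),
        "0_restore_errors": bool(backups)
        and all(latest_errors.get(b.name) == 0 for b in backups),
    }


def failing_components(copies, restore_tests):
    """List the rule components that are not met, in rule order."""
    return [k for k, ok in check_3_2_1_1_0(copies, restore_tests).items() if not ok]


# Constructed sample inventory: the tape set is off-site and offline but has
# never been restore-tested, so only the "0 errors" component fails.
SAMPLE_COPIES = [
    Copy("prod-db", "server", offsite=False, offline=False, is_production=True),
    Copy("nightly-nas", "nas", offsite=False, offline=False),
    Copy("cloud-snapshot", "cloud", offsite=True, offline=False),
    Copy("monthly-tape", "tape", offsite=True, offline=True),
]
SAMPLE_TESTS = [
    RestoreTest("nightly-nas", errors=2),     # an early failed drill ...
    RestoreTest("nightly-nas", errors=0),     # ... fixed and re-run
    RestoreTest("cloud-snapshot", errors=0),
]

if __name__ == "__main__":
    for component, ok in check_3_2_1_1_0(SAMPLE_COPIES, SAMPLE_TESTS).items():
        print(f"{component:18} {'OK' if ok else 'MISSING'}")
    print("failing:", failing_components(SAMPLE_COPIES, SAMPLE_TESTS))
```

Running the script on the constructed inventory reports only `0_restore_errors` as failing; adding a zero-error `RestoreTest("monthly-tape", 0)` brings the inventory into full compliance, which is the point of the final "0": an untested backup does not count.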

Control Access to Data

Implement access control mechanisms to prevent unauthorized individuals from accessing data. This applies both to digital systems and physical documents containing personal data.

Secure Access and Identity Management

Use strong passwords and prioritize multi-factor authentication (MFA). Refer to ANSSI recommendations developed in collaboration with the CNIL on this topic.

Keep Systems Up to Date

Regularly update security components such as antivirus software, firewalls, and website elements. Vulnerabilities are constantly discovered and patched, and these updates are essential to prevent exploitation.

Encrypt Sensitive Data

Encrypting storage devices and data during transmission reduces the risk of unauthorized access in case of loss or interception.

Raise Employee Awareness: The Key Factor

Finally, and most importantly, raise awareness among employees. Human nature tends toward convenience—people want immediate access to systems and information. However, security measures (passwords, badges, restricted access points, etc.) may slow them down, leading them to bypass these controls (reusing passwords, sharing credentials, propping doors open, etc.).

Security measures and common attack vectors (phishing, CEO fraud, etc.) must therefore be clearly explained, using simple and practical examples.

CNIL Notification: What Are Your Obligations in Case of a Data Breach?

When Should a Breach Be Notified?

Not all breaches must be notified to the CNIL—only those that pose a risk to individuals’ rights and freedoms. However, all breaches must be documented internally in a register.

The CNIL provides a preparatory document outlining the notification steps.

Key Steps in the Notification Process

The first step is choosing the type of notification: initial, complete, or supplementary. It is often advisable to submit an initial notification within the 72-hour deadline, and complete it later with additional details, such as corrective measures implemented.

The second step is identifying the notifying entity. In some cases, a processor may notify on behalf of the controller, depending on contractual arrangements.

The third step focuses on the breach itself:

  • When did it occur?
  • When was it discovered? (and, if notification was delayed, why)
  • What happened?
  • Was it accidental or malicious? Internal or external?
  • What data and how many individuals are concerned?
  • Were any security measures already in place?

Assessing Impact and Informing Individuals

The fourth step involves assessing the impact on affected individuals, including the severity level.

Finally, organizations must determine whether:

  • individuals need to be informed
  • other European supervisory authorities must be notified (in case of cross-border processing)
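The classification rule from the section on the three types of breach and the questions listed in the notification steps above can be captured in a breach register entry that also tracks the 72-hour clock. The following is an added example, not code from the original article or from DPO Consulting; the `BreachRecord` fields, helper names and the sample incident are assumptions constructed for the illustration. The mapping of the five Article 4(12) incident types to the three notification categories follows the article; the 72 hours are counted from discovery, since that is the moment the organization becomes aware of the breach.

```python
"""Breach register entry with classification and 72-hour deadline tracking.

Added example (not from the original article). Field names, helper names
and the sample record are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Article 4(12) incident type -> category used when notifying
INCIDENT_TO_CATEGORY = {
    "destruction": "loss of availability",
    "loss": "loss of availability",
    "alteration": "loss of integrity",
    "unauthorized disclosure": "loss of confidentiality",
    "unauthorized access": "loss of confidentiality",
}

NOTIFICATION_WINDOW = timedelta(hours=72)


def classify(incident_types):
    """Map the incident types observed to the three notification categories."""
    unknown = set(incident_types) - INCIDENT_TO_CATEGORY.keys()
    if unknown:
        raise ValueError(f"unknown incident type(s): {sorted(unknown)}")
    return sorted({INCIDENT_TO_CATEGORY[t] for t in incident_types})


@dataclass
class BreachRecord:
    """One line of the internal breach register (constructed schema)."""
    reference: str
    occurred_at: datetime
    discovered_at: datetime
    incident_types: List[str]
    description: str
    origin: str                    # "accidental" or "malicious"
    source: str                    # "internal" or "external"
    data_categories: List[str]
    individuals_affected: int
    measures_in_place: List[str]
    risk_to_individuals: bool      # outcome of the impact assessment
    notified_at: Optional[datetime] = None

    @property
    def categories(self):
        return classify(self.incident_types)

    @property
    def notification_deadline(self):
        # The 72 hours run from the moment the organization becomes aware
        return self.discovered_at + NOTIFICATION_WINDOW

    def notification_status(self, now):
        """Describe where the record stands relative to the CNIL deadline."""
        if not self.risk_to_individuals:
            return "document in register only"
        if self.notified_at is not None:
            late = self.notified_at > self.notification_deadline
            return "notified late (justify the delay)" if late else "notified on time"
        remaining = self.notification_deadline - now
        if remaining <= timedelta(0):
            return "deadline passed: notify now and justify the delay"
        hours = int(remaining.total_seconds() // 3600)
        return f"initial notification due within {hours}h"


# Constructed sample: an e-mail with a client list sent to the wrong recipient
SAMPLE = BreachRecord(
    reference="BR-2026-017",
    occurred_at=datetime(2026, 4, 20, 9, 15, tzinfo=timezone.utc),
    discovered_at=datetime(2026, 4, 21, 14, 0, tzinfo=timezone.utc),
    incident_types=["unauthorized disclosure"],
    description="Client export attached to an e-mail sent to the wrong address",
    origin="accidental",
    source="internal",
    data_categories=["identity", "contact details"],
    individuals_affected=340,
    measures_in_place=["recall request sent", "recipient asked to delete"],
    risk_to_individuals=True,
)

if __name__ == "__main__":
    now = datetime(2026, 4, 22, 10, 0, tzinfo=timezone.utc)
    print(SAMPLE.reference, SAMPLE.categories)
    print("deadline:", SAMPLE.notification_deadline.isoformat())
    print("status:", SAMPLE.notification_status(now))
```

A ransomware case would be recorded with `incident_types=["destruction", "unauthorized access"]` and classified under both loss of availability and loss of confidentiality, which is why `classify` returns a list rather than a single category. Records whose impact assessment finds no risk to individuals stay in the register without a notification, matching the distinction the article draws.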

Conclusion: Towards Harmonized Notification Obligations with NIS2

With the entry into force of the NIS2 Directive, questions remain about whether security incidents will need to be reported to multiple authorities (e.g., ANSSI, CNIL, and ARS for the healthcare sector).

The European Data Protection Board (EDPB), in its review of the Omnibus project, has called for harmonization of notification deadlines and the creation of a single reporting entry point to meet multiple regulatory obligations simultaneously.

DPO Consulting can support you in assessing risk levels, managing data breach notifications, and implementing appropriate cybersecurity measures through its dedicated Cyber practice.
