What Is an Availability Breach Under UK GDPR?

If your business loses access to customer, staff or supplier data, even temporarily, you may be dealing with an availability breach under UK GDPR. Many founders assume a data breach only happens when information is stolen or leaked. Others make the opposite mistake and report every outage without checking whether personal data was actually affected. A third common issue is treating an IT problem as purely operational, without asking whether the outage stopped people from accessing personal data when they needed it.

That matters because a ransomware lockout, corrupted database, failed cloud migration or accidental deletion can all raise UK GDPR questions, even if no one outside your business ever sees the data. The legal issue is not just confidentiality. It is also whether personal data remains available and usable.

This guide explains what an availability breach under UK GDPR looks like in practice, when it can trigger notification duties, what the Information Commissioner's Office (ICO) expects, and the practical steps UK startups and SMEs should take before an incident happens and when one lands on your desk.

Overview

An availability breach happens when personal data is lost, destroyed, encrypted, corrupted or otherwise inaccessible so that authorised people cannot use it when needed. Under UK GDPR, a personal data breach covers breaches of confidentiality, integrity and availability, so an outage can be a data protection issue even without a leak.

  • Confirm whether personal data is involved, rather than only systems or non-personal business records.
  • Work out whether the data is unavailable, destroyed, altered or only temporarily inaccessible.
  • Assess the likely risk to individuals, including delay, harm, distress or inability to access services.
  • Decide whether the breach must be notified to the ICO, which where feasible means within 72 hours of becoming aware of it.
  • Consider whether affected individuals also need to be told without undue delay.
  • Record the incident and your reasoning, even if you decide notification is not required.
  • Check processor contracts, backup arrangements, access controls and incident response steps.

What Availability Breach GDPR Means For UK Businesses

An availability breach under UK GDPR means personal data is no longer accessible or usable when it should be, and that loss of access can count as a personal data breach.

UK GDPR defines a personal data breach broadly. It covers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. That includes availability problems, not just hacks and leaks.

For a business owner, the practical question is simple: can the right people still access the personal data they need, when they need it, in a reliable and accurate form? If the answer is no, you may have an availability issue with data protection consequences.

Availability, confidentiality and integrity

These three concepts are often grouped together, but they are different.

  • Confidentiality is about preventing unauthorised access or disclosure.
  • Integrity is about keeping personal data accurate and unchanged except by authorised action.
  • Availability is about making sure personal data is accessible and usable by authorised users when required.

A ransomware incident is a good example because it may affect all three at once. Your files may be locked so you cannot access them, altered by the attacker, and potentially copied or exfiltrated.

But an availability breach can also exist on its own. If a staff member accidentally deletes a customer booking database and there is no working backup, there may be no unauthorised disclosure at all. It can still be a reportable personal data breach.

What counts as personal data becoming unavailable?

Personal data becomes unavailable when authorised users cannot access or restore it within the time needed for the relevant purpose. The legal impact depends on context. A short outage affecting a low-risk internal contact list may not create risk to individuals. The same outage affecting health records, payroll files or urgent care bookings could be much more serious.

Examples of an availability breach under UK GDPR include:

  • a cloud storage outage that blocks access to customer account information for an extended period
  • accidental deletion of HR records with no recent backup
  • database corruption during a software update
  • encrypted files after a ransomware attack
  • a lost laptop holding the only copy of certain personal data, with no synced or backed-up version elsewhere
  • misconfigured permissions that stop relevant staff from reaching personal data they need to provide a service

What matters is not just the technical failure. It is the effect on individuals and on your ability to meet legal and commercial obligations.

Why the risk assessment matters

Not every personal data breach must be reported to the ICO. The trigger is whether the breach is likely to result in a risk to the rights and freedoms of natural persons. If the breach is likely to result in a high risk, affected individuals must normally also be informed without undue delay, unless one of the limited exceptions applies.

That means your analysis cannot stop at, “The server went down for two hours.” You need to ask what personal data was affected, how long it was unavailable, whether it can be restored, who was affected, and what harm might follow.

Potential harms can include:

  • financial loss or identity fraud
  • distress or anxiety
  • missed medical, educational or employment opportunities
  • inability to receive an essential service
  • loss of control over personal information
  • discrimination or reputational harm in more sensitive cases

This is where founders often get caught. They focus on fixing systems first and leave the legal assessment until later. In practice, you need both tracks running at once because the 72 hour notification window can pass quickly.

When This Issue Comes Up

Availability breaches usually show up during ordinary business events, not just major cyberattacks.

Many UK startups and SMEs first face this issue during growth. Systems change, staff numbers increase, and data sits across cloud tools, shared drives, local devices and outsourced providers. A simple mistake can suddenly turn into a GDPR incident.

Common founder moments

You might run into an availability breach under UK GDPR in situations like these:

  • before you sign a new software or hosting contract and discover the provider's backup and recovery commitments are vague
  • before you spend money on setup for a system migration, where old records may be overwritten or corrupted
  • after a ransomware attack locks access to operational databases containing personal data
  • when an employee accidentally deletes a shared folder holding customer records
  • when a processor suffers an outage and your business cannot access client information
  • during a failed update or integration that breaks your CRM or HR platform
  • when a leaver's account is closed incorrectly and linked records become inaccessible
  • after a device is lost and it turns out the only usable copy of certain personal data was stored locally

These incidents affect businesses in very different sectors. A retail business may be unable to process customer returns or verify orders. A professional services firm may lose access to client files before a deadline. A healthcare or care-related provider may face a much more urgent risk if data needed for treatment or safeguarding becomes unavailable.

Processor and supplier problems

A lot of data availability issues begin with third parties. If you use a payroll platform, CRM provider, cloud host, outsourced IT company or document management system, your legal exposure does not disappear just because the outage happened in someone else's environment.

Under UK GDPR, controllers remain responsible for how personal data is handled. Processors have their own duties, including notifying the controller without undue delay after becoming aware of a personal data breach, but your business still needs to understand what happened, assess risk, and decide whether notification is required.

This is why data processing terms matter before you sign. Contracts should clearly cover:

  • incident notification timing
  • support during investigations
  • backup and restoration arrangements
  • security expectations
  • audit or information rights
  • sub-processor use
  • exit and data return provisions

If those points are missing, an incident can become much harder to manage.

Temporary outage or true breach?

A short interruption is not automatically a reportable breach, but temporary loss of access can still qualify as a personal data breach. The ICO's approach is practical. You look at the facts and the effect.

For example, if a website account portal is down for 20 minutes overnight and no one is realistically harmed, the risk may be low. If a case management system is offline for a day and vulnerable customers cannot be supported, the position is very different.

The key point is that “temporary” does not mean “irrelevant”. Availability breaches sit on a sliding scale, and context drives the legal response.

Practical Steps And Common Mistakes

The best response is to treat data availability as both a legal issue and an operational resilience issue.

UK GDPR does not expect perfection, but it does expect appropriate technical and organisational measures. For a small or scaling business, that usually means having sensible systems, clear decision-making and a written record of what happened.

What to do when access to personal data is lost

When an incident happens, move quickly but do not guess. Your first steps should be structured.

  1. Contain the incident. Isolate affected systems, preserve logs, stop further deletion or corruption, and involve your IT team or provider. Take a copy of affected systems or volumes before rebuilding or restoring over them, so that evidence and recovery options are not lost in the rush to get back online.
  2. Confirm the facts. Identify what personal data is involved, whose data it is, when availability was lost, and whether the data can be restored.
  3. Assess impact on individuals. Ask what real-world harm may follow from inaccessibility, delay or data loss.
  4. Decide on notification. If the breach is likely to result in a risk to individuals, notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If you decide not to notify, be ready to justify that decision.
  5. Consider communication to individuals. If the risk is high, affected people may need clear, direct information without undue delay.
  6. Document your reasoning. Keep a breach record even if you conclude notification is not necessary.
  7. Fix underlying weaknesses. Review backups, permissions, contracts, security controls and staff practices.

If you do not yet know all the details within 72 hours, you can still notify the ICO with the information available, explain why it is incomplete, and provide the rest in phases without undue further delay.

How to assess risk in a practical way

Risk assessment should be tied to actual business use of the data. Ask questions like these:

  • What categories of personal data are affected?
  • Does the data include special category data, criminal offence data or children's data?
  • How many people are affected?
  • How long was the data unavailable?
  • Can it be restored quickly and accurately?
  • Will people miss payments, services, treatment, appointments or legal deadlines?
  • Could the incident expose people to fraud, distress or other harm?

A missing archive copy of old marketing contacts may present low risk. A lost live database containing payroll details, sickness information or housing support records may present much higher risk.

Common mistakes businesses make

The main risk is not only the outage itself. It is a poor response after the outage.

  • Assuming no leak means no breach. Availability failures can still be personal data breaches.
  • Ignoring temporary loss of access. The fact that data later comes back does not automatically remove the legal issue.
  • Waiting for perfect information. Delay can cause missed ICO deadlines.
  • Failing to keep records. You should document incidents and your assessment, including why you did or did not notify.
  • Overlooking processor obligations. Supplier outages need contract review and active management.
  • Relying on untested backups. A backup policy on paper is not enough if restoration fails in practice.
  • Leaving privacy and IT in separate silos. The incident needs legal, technical and operational input together.

Prevention measures worth sorting out now

Before the next incident, most SMEs should tighten a few practical areas. You do not need enterprise-level systems to improve your position, but you do need sensible controls.

  • Maintain secure, regular backups, keep at least one copy offline or otherwise isolated from production credentials so ransomware cannot encrypt it alongside the live data, and test restoration.
  • Map where personal data is stored, including shadow IT and local devices.
  • Set clear retention and deletion rules so important records are not accidentally removed.
  • Limit access rights and review them when roles change.
  • Use written incident response procedures with legal escalation points.
  • Review supplier and processor contracts for security and outage support terms.
  • Train staff on deletion errors, phishing, ransomware risks and incident reporting.
  • Keep your privacy notice, privacy policy and internal breach procedures aligned with actual systems.

For some businesses, a data protection impact assessment may also help where systems or processing activities create higher risks. That is especially relevant if the data is sensitive, large in volume, or central to delivering essential services.

How this connects to wider business documents

Availability incidents rarely sit in one document only. The legal work often touches several areas at once.

You may need to review:

  • data processing agreements with software and service providers
  • customer terms dealing with service levels, liability and incident management
  • employment contracts and internal policies on device use and security
  • privacy notices, privacy policy wording and internal data breach procedures
  • business continuity and disaster recovery plans

That is why it helps to think about privacy before you sign a contract and before you spend money on setup, rather than only after a failure has happened.

FAQs

Is an availability breach the same as a data leak?

No. A data leak usually concerns confidentiality, where unauthorised people access or receive personal data. An availability breach is about personal data being inaccessible or unusable by authorised people when needed.

Do I always need to report an availability breach to the ICO?

No. You report if the personal data breach is likely to result in a risk to individuals' rights and freedoms. You should still record the incident and your reasoning even if you decide not to notify.

Can a ransomware incident be an availability breach even if data was not stolen?

Yes. If ransomware stops you accessing personal data, that can be an availability breach. It may also involve integrity or confidentiality issues depending on what the attacker did.

What if the data outage only lasted a short time?

A short outage can still count as a personal data breach, but whether it is reportable depends on the risk to individuals. Duration matters, but so do the type of data, the affected people and the consequences of losing access.

Does a supplier outage count as our problem under UK GDPR?

If your business is the controller, yes, it is still your responsibility to assess the incident and meet your obligations. That is why processor contracts and incident reporting terms are so important.

Key Takeaways

  • An availability breach under UK GDPR happens when personal data is lost, destroyed, corrupted or inaccessible to authorised users when needed.
  • It can be a personal data breach even where there has been no leak or external hack.
  • Your legal response depends on risk to individuals, not just whether your systems were offline.
  • Temporary outages can still qualify, especially where people may miss services, payments, support or other important outcomes.
  • Businesses should assess incidents quickly, document decisions, and consider ICO notification within 72 hours where required.
  • Good backups, tested restoration, clear processor contracts, staff training and incident response procedures are essential practical safeguards.

If your business is dealing with an availability breach under UK GDPR and wants help with data breach assessments, ICO notification decisions, processor contracts, and privacy compliance, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
