Unauthorised disclosure is when personal data is shared or made available to someone who has no lawful basis to receive it. Under GDPR Article 4(12), it's one form of personal data breach — alongside accidental loss, destruction, or unauthorised access. The most common cause isn't hackers; it's a misaddressed email, a reply-all to a mailing list, or an S3 bucket left on "anyone with the link." If the disclosure risks people's rights, Article 33 requires notifying the supervisory authority within 72 hours of becoming aware — not of when it happened — and Article 34 adds notification to affected individuals where the risk is high.