Data breaches: area of concern for every company

Virtually every organisation processes personal data. Since 1 January 2016, the obligation to report data breaches has applied to all of them. This means that, in certain circumstances, an organisation must report a data breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, 'DPA') and, in some cases, also to the individuals whose personal data is concerned. Failure to comply with this obligation can result in a substantial fine, so it is important to follow the notification obligation meticulously. This newsflash explains in more detail when a data breach actually occurs and whether it needs to be reported.

What is a breach of data?

A data breach occurs when, as a result of a security breach, personal data relating to an identified or identifiable individual is (i) unlawfully processed or (ii) lost. Data breaches involving personal data of a sensitive nature and/or a large volume of data must be reported to the DPA immediately. Companies that do not want to risk a regulatory fine must draft and implement policies to prevent data breaches and to respond to them when they occur.

When does the obligation to report a data breach apply?

The obligation to report a data breach applies only to organisations that process personal data within the meaning of the Dutch Data Protection Act ('Wbp'). Moreover, the organisation must be the party responsible for the processing as defined in the Wbp (the 'controller'). The notification obligation does not apply if only anonymous data is processed. Anonymous data is data that cannot be traced back to a single (identifiable) person.

What constitutes a data breach?

Once it has been established that the notification obligation applies to an organisation, the next question is what actually constitutes a data breach. The starting point is that every organisation is obliged to take appropriate measures to protect personal data against loss or any form of unlawful processing. Those measures may nevertheless be circumvented. Fortunately, not every such event amounts to a data breach: a data breach can only occur where there has been an actual 'security breach'. Examples of security breaches include a lost USB flash drive, a stolen laptop or a compromised computer system. If the protective measures merely contain a vulnerability that, as far as can be established, has not been exploited, this is referred to as a security issue rather than a security or data breach. A security issue does not have to be reported to the DPA.

Nor does every security breach equal a data breach. A security breach qualifies as a data breach if it has resulted in the loss of personal data, or if it cannot reasonably be excluded that personal data may have been processed unlawfully as a result of it. Loss means that the personal data is no longer accessible, for instance because the hard drive on which it was stored has been destroyed and no current back-up is available. If the personal data can be restored, for example from a back-up, it is not considered lost. Even if no data has been lost, however, the breach may still qualify: the security breach may have given unauthorised individuals access to the data, or it may have made the data inaccessible to authorised persons, for example because an email was sent to the wrong recipient or a file was corrupted by malware. These scenarios are considered 'unlawful processing'. If the security breach has resulted in neither the loss nor the unlawful processing of personal data, it is not a data breach.

How to proceed in case of a data breach?

Not every data breach has to be reported. Under the Wbp, the DPA must be notified if the data breach leads to a significant probability of serious adverse effects on the protection of personal data, or if it actually has such serious adverse effects. The factors to take into account are the nature of the personal data concerned, the quantity of personal data per individual, and the number of data subjects whose personal data has been affected. These factors must be weighed afresh for every separate data breach, so it is impossible to draw up fixed rules on what must and must not be reported. In general, however, a breach involving special categories of personal data (personal data of a sensitive nature) is highly likely to require notification, and certainly so where large quantities of such data are involved. Examples that come to mind are a breach of a commercial bank's financial administration or of a healthcare institution's patient records.

Concluding that a data breach must be reported to the DPA does not automatically mean that it must also be reported to the data subject(s). A separate assessment is required. The Wbp states that the data subject(s) must be informed if the data breach is likely to have adverse effects on their privacy. Data subjects and their personal interests may be harmed by the loss, misuse or abuse of their personal data, for example through unauthorised publication, damage to their reputation, (identity) fraud or discrimination. If personal data of a sensitive nature has been exposed, one should in principle assume that the data breach must be reported not only to the DPA but to the data subject(s) as well.

How to report the data breach?

Under the Wbp, a data breach must be reported 'immediately', that is, without undue delay; in practice this means within 72 hours of the moment the security breach that resulted in the data breach was discovered. The incident must be reported to the DPA within those 72 hours and, in certain circumstances, (subsequently) also to the data subject(s). The DPA has developed a standardised web form for reporting breaches, which is submitted through the DPA's website. When informing the data subjects, the organisation must describe the nature of the breach, state where the data subject can obtain more information, and recommend measures the data subject can take to limit any adverse effects of the breach as far as possible. The organisation must provide this information to the data subject in a 'proper and diligent' manner.

Measures to prevent a data breach

It is virtually impossible to rule out a data breach entirely. It is therefore crucial that your organisation has insight into the data it processes and implements appropriate protective measures so that the likelihood of a breach is kept to a minimum. To ensure that a breach is reported in time, it is also important to create awareness within the organisation of how to handle a data breach. An internal data breach policy is not only relevant from a preventive point of view: when determining whether to impose a fine and its amount, the DPA also considers whether the organisation is culpable for the data breach or for failing to report it. If the notification obligation was not breached deliberately or through culpable negligence, the DPA may issue a binding instruction before imposing a fine. It is therefore worth giving this your attention. Ovidius will gladly investigate with you which areas in your organisation require priority from a Wbp perspective, and which measures could be taken to comply, or start complying, with the obligation to report data breaches.
