On 1 January 2016, an amendment to the Dutch Data Protection Act (Wet bescherming persoonsgegevens) will come into force that requires organisations to notify the Dutch data protection authority (DPA) of data breaches, that is, security breaches that have, or are likely to have, serious adverse consequences for the protection of personal data. In many cases, the individuals whose data are involved will also have to be informed. Failure to notify may result in fines from the Dutch DPA of up to hundreds of thousands of euros. The notification deadlines are also very short: a breach must be reported without undue delay once the organisation becomes aware of it. So what should an organisation do to prepare? Here are four steps we recommend taking (see also our FAQ on data breaches):
Step 1: Draft an incident response protocol
The Dutch DPA requires all organisations processing personal data to have a security incident response protocol in place. The protocol should enable security incidents to be handled promptly and effectively: it should set out how incidents are reported internally and assessed, who decides whether an incident is a notifiable data breach and within what time, how the relevant authorities and affected individuals are informed, how security is improved after an incident, and how evidence is preserved for possible legal proceedings.
Step 2: Create a data breach team
Data breaches should be handled by a team drawn from several departments, including at least legal, PR and security. The legal member should have a thorough understanding of the legal requirements, the PR member should know how to inform the media and the individuals involved, and the security member should have a good grasp of the IT infrastructure, the possible consequences of an incident and the countermeasures it requires. All members need to be familiar with the organisation’s incident response protocol and remain on standby so that they can respond rapidly when necessary.
Step 3: Review agreements with external suppliers
Even if a data breach occurs at an external supplier (the processor), the notification obligation still rests with the organisation itself as the controller. Organisations should therefore contractually oblige their suppliers to report every security incident involving the organisation’s personal data immediately and in full, including the nature of the incident, the data and individuals affected and the measures taken, so that the organisation can meet its own deadlines. This means reviewing existing processing agreements with external suppliers and amending them where necessary.
Step 4: Monitor your security measures
The first three steps concern what happens once an incident has occurred. But organisations are also required to take adequate security measures to prevent and detect data breaches. Which measures are adequate follows from a risk assessment that every organisation handling personal data must perform; the assessment and the resulting measures should be laid down in a formal information security policy. That policy should include regular monitoring, such as logging and reviewing access to systems that hold personal data, so that a breach is detected quickly. Detection capability is also what makes the notification duty workable: the deadline runs from the moment the organisation becomes aware of the breach, and an organisation cannot notify what it has not detected.
We will be happy to explain in more detail the steps your organisation needs to take and to assist you in preparing an incident response protocol and the review of your supplier contracts.