What is a data breach?
To give you a technical definition, a data breach is a breach of security that leads to the accidental or unlawful destruction, loss, or change of personal data, or to its unauthorized disclosure or unauthorized access to it. This could be caused by anything from a mislaid USB stick or a stolen laptop to hacking, a malware infection, or even a fire in a data centre.
Do I need to notify anybody of a data breach?
As of 1 January 2016 data controllers have to report data breaches to the Dutch Data Protection Authority (DPA) within 72 hours after the breach has been detected. If you don’t, you risk a maximum fine of €820,000 or 10% of your annual turnover. This report can be made via a straightforward form on the DPA’s website. As well as notifying the DPA, you should also record data breaches in your internal register.
Do I have to inform my customers in case of a data breach?
It depends on whether their privacy will be compromised. If the breached data is unintelligible to third parties – because it has been sufficiently encrypted, for example – then it is not necessary to contact your customers. However, if their privacy is threatened, you must inform them of the breach.
How can we best manage a data breach?
By preparing for the worst before it happens. Have an Incident Response Plan in place so you can react quickly and effectively to a breach. Check which parties process personal data on behalf of your company (such as your hosting partner) and update their contracts accordingly, as they will probably be the first to notice any breach. Finally, limit the risk of data breaches by implementing strong technical and organizational measures – read the DPA’s Security Guidelines for more details.