Expertise: data breaches

Be prepared.

What is a data breach?

To give you a technical definition, a data breach is a breach of security that leads to the accidental or unlawful destruction, loss, change, unauthorized disclosure of (or access to) personal data. This could be caused by anything from a mislaid USB stick or a stolen laptop to hacking, malware infection, or even a fire in a data centre.

Do I need to notify anybody of a data breach?

Under the GDPR, data controllers have to report data breaches to the Dutch Data Protection Authority (DPA) within 72 hours after the breach has been detected, unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. If you don’t, you risk a maximum fine of EUR 10.000.000 or up to 2% of your total worldwide annual turnover. This report can be made via a straightforward form on the DPA’s website. As well as notifying the DPA, you should also record data breaches in your internal register.

Do I have to inform my customers in case of a data breach?

Where a breach is likely to result in a high risk to the rights and freedoms of customers, they must also be informed. The threshold for communicating a breach to customers is therefore higher than for notifying supervisory authorities, so not all breaches will need to be communicated. If the breached data is unintelligible to third parties – because it has been sufficiently encrypted, for example – then it’s not necessary to contact your customers. However, if their privacy is threatened, you must inform them of the breach.

How can we best manage a data breach?

By preparing for the worst before it happens. Have an Incident Response Plan in place so you can react quickly and effectively to a breach. Check which parties are involved in processing personal data for your company (such as your hosting partner) and update their contracts, as they will probably be the first to notice any breach. Finally, limit the risk of potential data breaches by implementing strong technical and organizational measures – read the DPA’s Security Guidelines for more details.