New reporting obligation for data breach of personal data
FHI, Federation of Technology Industries – June 12, 2018
Companies that store personal data are subject to the Personal Data Protection Act. Compliance with this law has been enforced by the AP, the Dutch Data Protection Authority, since January 1, 2016. Fines for violations can amount to a maximum of €820,000. With this, the legislator hopes to ensure that companies protect personal data better. Because data breaches must be reported, companies also have a stronger incentive to avoid negative publicity.
What is it about?
Administrators of personal data must manage and process it carefully. Personal data may not be lost, corrupted, fall into the wrong hands or become public, and no unintended operations may be carried out on it. If any of this does happen, there is a data breach, and a data breach must be reported to the AP.
What are personal data?
Personal data are data that say something about an identifiable natural person. Examples are medical data, payment data and personnel files. This also includes the emerging category of time/location data that can be collected with tracking and tracing equipment.
What does processing personal data entail?
Processing covers all actions that an organization can perform on personal data, such as collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, forwarding, distributing, making available, bringing together, linking, blocking, erasing and destroying data.
Which companies are affected by this?
All companies that store personal data that can be traced back to the person concerned. The need to act carefully increases with the degree of confidentiality: loss or corruption is less harmful when it concerns telephone numbers than when it concerns medical or financial data. Companies working in the medical sector, for example, will have to deal with this more than companies in the industrial automation sector.
When must a report be made?
When there is a (sufficiently serious) data breach as a result of a security incident. This is the case, for example, when security is circumvented, such as in a hack, which is often made possible by inadequate security: compromised passwords, loss of a data carrier, or other human error.
Advice
- Appoint a Data Protection Officer and keep a log of reportable data breaches.
- Separate data from the person as much as possible, for example by using numbers or codes for which only the organization itself (for example the healthcare institution) knows which person belongs to each code.
- If you gain access to personal data processed by another institution, you must have a processing agreement with that institution. Establish who is responsible for what and who has which powers.
- Have a protocol that describes what must be done in the event of a data breach.
- If there is a data breach, report it to the Dutch Data Protection Authority. The people whose data has been leaked may also need to be informed. It may be advisable to hire a lawyer for this.