01 Feb '24
Data breaches occur frequently. An employee sends an e-mail containing a customer's personal data to the wrong e-mail address, or a company's database is hacked, making personal data accessible to unauthorized persons. Just some examples that show that a data leak can happen, often regardless of the precautions taken. An accident happens so easily and hackers are getting better at their 'trade'.
When a data breach unexpectedly occurs in your organization, one of the key issues is to deal with the data breach quickly and properly. Wondering how to do this? Then be sure to read on.
In the introduction to this blog, we already gave two examples of a data breach. However, many more variants of a data breach can be imagined. A data breach is any (security) incident in which an unauthorized party has carried out an activity involving personal data. Those activities are classified into three categories:
As the consequences of the data breach vary from category to category, it is important in each case to check what kind of data breach has taken place.
After the discovery of a data breach, it is first and foremost important to gain a good understanding of exactly what happened and the extent of the data breach. Once it is clear what exactly happened, it should be examined which measures need to be taken to minimize the damage caused by the data breach. This will generally be, first and foremost, 'plugging the leak'. What further measures should be taken should be assessed on a case-by-case basis. Among other things, consideration should also be given to whether measures can be taken to prevent such an incident from occurring in the future.
The risk posed by the data breach must then be assessed. In principle, the data breach must be reported to the Dutch Data Security Authority (The Autoriteit Persoonsgegevens or in short AP). This does not apply if the data breach is unlikely to pose a risk to the rights and freedoms of the individuals whose personal data are involved in the data breach. If the conclusion is that a data breach needs to be reported to the AP, such reporting should take place within 72 hours of the discovery of the data breach. In doing so, a lot of information should already have been collected and provided.
It should also be considered whether the individuals whose personal data is involved in the data breach should be notified. These individuals must be notified if there is a high risk to the rights and freedoms of these individuals.
Finally, the data breach should (always) be recorded internally, in a data breach/incident register. This should include a note of what happened, the consequences of the incident, what measures were taken in the context of the incident and further prevention, and whether and how the Data Protection Officer (DPO) was involved in dealing with the data breach (if applicable). It should also note whether the incident was reported to the AP and the individuals whose personal data was involved in the data breach and why it was chosen to report the data breach or not. When completing the register, it is useful to make an explicit distinction between corrective and preventive measures. It is also useful to clearly record for each incident which part of the organization was involved in the incident.
How a data breach should be handled differs from case to case. This should therefore be assessed on a case-by-case basis. However, the following three tips will come in handy in any situation:
Do you want to take preventive measures to mitigate the consequences of future actions, or are you facing a data breach? If so, contact privacy@ploum.nl. We can help you, for example, assess whether there is a data breach that needs to be reported, report a data breach, prepare an Incident Response Plan and train your employees.
11 Nov 24
14 Oct 24
13 Oct 24
07 Oct 24
13 Aug 24
13 Aug 24
04 Jun 24
13 May 24
02 May 24
08 Apr 24
04 Apr 24
21 Mar 24
Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
Follow what you find interesting
Receive recommendations based on your interests
{phrase:advantage_3}
{phrase:advantage_4}
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.