Data breaches in practice: three tips

Legal News

01 Feb '24

Author(s): Lars Boer en Nina Rijsterborgh-Witt

Data breaches occur frequently. An employee sends an e-mail containing a customer's personal data to the wrong e-mail address, or a company's database is hacked, making personal data accessible to unauthorized persons. Just some examples that show that a data leak can happen, often regardless of the precautions taken. An accident happens so easily and hackers are getting better at their 'trade'.

When a data breach unexpectedly occurs in your organization, one of the key issues is to deal with the data breach quickly and properly. Wondering how to do this? Then be sure to read on.

What is a data breach?

In the introduction to this blog, we already gave two examples of a data breach. However, many more variants of a data breach can be imagined. A data breach is any (security) incident in which an unauthorized party has carried out an activity involving personal data. Those activities are classified into three categories:

A breach of confidentiality: personal data has been viewed by or made accessible to persons who should not actually be allowed to view the personal data.
A breach of integrity: personal data was altered by persons not authorized to do so, or personal data was (accidentally) incorrectly altered by an authorized person.
A breach of availability: access to personal data by authorized persons is prevented, e.g. because the personal data has been deleted (by an unauthorized or accidentally by an authorized person), or because access to a system has been blocked.

As the consequences of the data breach vary from category to category, it is important in each case to check what kind of data breach has taken place.

What should you do after discovering a data breach?

After the discovery of a data breach, it is first and foremost important to gain a good understanding of exactly what happened and the extent of the data breach. Once it is clear what exactly happened, it should be examined which measures need to be taken to minimize the damage caused by the data breach. This will generally be, first and foremost, 'plugging the leak'. What further measures should be taken should be assessed on a case-by-case basis. Among other things, consideration should also be given to whether measures can be taken to prevent such an incident from occurring in the future.

The risk posed by the data breach must then be assessed. In principle, the data breach must be reported to the Dutch Data Security Authority (The Autoriteit Persoonsgegevens or in short AP). This does not apply if the data breach is unlikely to pose a risk to the rights and freedoms of the individuals whose personal data are involved in the data breach. If the conclusion is that a data breach needs to be reported to the AP, such reporting should take place within 72 hours of the discovery of the data breach. In doing so, a lot of information should already have been collected and provided.

It should also be considered whether the individuals whose personal data is involved in the data breach should be notified. These individuals must be notified if there is a high risk to the rights and freedoms of these individuals.

Finally, the data breach should (always) be recorded internally, in a data breach/incident register. This should include a note of what happened, the consequences of the incident, what measures were taken in the context of the incident and further prevention, and whether and how the Data Protection Officer (DPO) was involved in dealing with the data breach (if applicable). It should also note whether the incident was reported to the AP and the individuals whose personal data was involved in the data breach and why it was chosen to report the data breach or not. When completing the register, it is useful to make an explicit distinction between corrective and preventive measures. It is also useful to clearly record for each incident which part of the organization was involved in the incident.

Three tips to handle a data breach correctly

How a data breach should be handled differs from case to case. This should therefore be assessed on a case-by-case basis. However, the following three tips will come in handy in any situation:

Take preventive measures. Consider drawing up an Incident Response Plan so that the organization knows what to do in the event of a data breach and who is responsible for assessing and reporting it. Train employees on this so they can recognize data leaks. Also make agreements with processors and other parties you share data with about how to act in case of a data breach.
Check whether a notification needs to be made to the AP and do so (if applicable) as soon as possible, but in any case within 72 hours of becoming aware of the data breach. Even if you do not yet have all the information relating to the data breach, you should make a (provisional) notification. You can then complete it later.
Record the data breach internally so that it can be clearly retrieved at any time what exactly happened and how it was handled.

Do you want to take preventive measures to mitigate the consequences of future actions, or are you facing a data breach? If so, contact privacy@ploum.nl. We can help you, for example, assess whether there is a data breach that needs to be reported, report a data breach, prepare an Incident Response Plan and train your employees.

Contact