Help, a data breach! What should you do? - Part 2: the obligation to report data breaches

11 Dec '25

Author(s): Lisanne Bruggeman

First aid for data breaches and cyber incidents – part 2: the obligation to report data breaches

In this blog, we consider the question of when and to whom a data breach must be reported. This blog is the second part in our blog series 'First aid for data breaches & cyber incidents'. Read the first part here, in which we discuss what a data breach is: A data breach! What should you do? - Part 1: data breaches | Ploum.

Questions about this topic? Feel free to contact us.

Please note that in this blog, we assume that a data breach must (only) be reported to the Dutch authorities. For advice regarding your specific situation, please contact us.

Data breach reporting obligation

Once it has been established that the incident qualifies as a data breach, it is important to check whether the data breach must also be reported to:

  • The Dutch Data Protection Authority (the 'DDPA');
  • The persons whose personal data are involved in the data breach (the 'data subjects'); and
  • Other parties, if contractual agreements have been made with them.

Reporting a data breach to the DDPA and the data subjects is an obligation of the data controller. However, as a data processor, you must report data breaches to the controller in a timely manner, in accordance with the contractual agreements made in this regard.

It may be that a data breach must also be reported to the Dutch National Cyber Security Centre. We will return to this in one of our next blogs in this blog series.

When must a data breach be reported to the DDPA?

The main rule is that a data breach must be reported to the DDPA within 72 hours of becoming aware of it. This is not necessary if the data breach is unlikely to pose a risk to the rights and freedoms of the individuals involved in the data breach. The risk may consist of discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality or other harm. To determine the risk, a risk assessment must be carried out. This risk assessment can be made based on the following factors:

  • The nature of the data breach;
  • The nature, sensitivity and scope of the personal data involved in the data breach;
  • The ease with which the individuals concerned can be identified;
  • The severity of the consequences for the individuals concerned;
  • Any special characteristics of the individuals concerned (e.g. children or patients);
  • Any special characteristics of the controller (e.g. a hospital or other medical institution); and
  • The number of individuals affected.

When should a data breach be reported to the people concerned?

The data breach must be reported to the persons concerned as soon as possible if it is likely that the data breach poses a high risk to the rights and freedoms of the persons concerned. This assessment is based on the same points as those listed above.

In the following situations, the data breach does not need to be reported to the people concerned:

  1. The controller has taken appropriate technical and organisational measures to protect the personal data involved in the data breach, for example by encrypting the data so that third parties cannot access it.
  2. The controller has taken subsequent measures to ensure that the high risk to the individuals concerned is unlikely to materialise.
  3. Notifying the people concerned would require a disproportionate effort, for example when their contact details cannot be obtained. In that case, a public notification may suffice.
  4. The controller is a financial undertaking (as referred to in the Dutch Financial Supervision Act).
  5. There are other legitimate reasons for not reporting, such as national security, the investigation of criminal offences or the context of journalism.

When must a data breach be reported to other parties?

A data breach must be reported to other parties if agreements have been made with those other parties. If your organisation is a data processor for another organisation, a data breach must in any case be reported in good time to the organisation that is the data controller. The exact time within which this report must be made is usually included in the processing agreement.

Enforcement by the DDPA

Failure to report a reportable data breach to the DDPA or data subjects, or failure to do so correctly or on time, is a violation of the General Data Protection Regulation ('GDPR'). The DDPA can act in the event of violations of the GDPR. For example, the DDPA can issue a warning or impose a fine and publish it. Fines under the GDPR can amount to €10 million per violation or 2% of the total worldwide annual turnover in the previous financial year (whichever is higher). If there are more serious circumstances, fines can be doubled (€20 million or 4% of annual turnover).

First aid for data breaches & cyber incidents

What should you do if something goes wrong? It is not always possible to prevent a data breach or other cyber incident. To help organisations, we have drawn up a practical step-by-step plan entitled 'First aid for data breaches & cyber incidents'. This step-by-step plan consists of the following steps:

The 13 steps:

  • Step 1: Assess the situation
    What exactly happened? How and by whom was the incident discovered? This information forms the basis for the next steps.
  • Step 2: Call the insurer
    Do you have cyber insurance? If so, call the insurer's emergency number immediately. They will guide you through the process.
  • Step 3: Put together a crisis team
    Quickly bring the right people together: at least the executive, the person responsible for IT/security (the CISO, if there is one) and don't forget the DPO. Also call in a technical expert. Don't have a regular expert? We will be happy to put you in touch with our cyber partners.
  • Step 4: Take immediate action
    Ensure that leaks in the system are plugged as quickly as possible and that as much data as possible is saved. Limit the damage where possible.
  • Step 5: Check the reporting obligation with the NCSC (within 24 hours!)
    Does your organisation fall under the Dutch Wbni or the Cyber Security Act (NIS2)? If so, you may need to report the breach to the Dutch National Cyber Security Centre within 24 hours. Not sure? Contact us, we will be happy to advise you.
  • Step 6: Report a data breach to the DDPA (within 72 hours!)
    Is the data breach reportable under the GDPR? If so, the controller must report it to the DDPA (the Autoriteit Persoonsgegevens, 'AP') within 72 hours. Late or non-reporting may result in a fine. We can help you prepare and submit the report.
  • Step 7: Inform the persons concerned
    Is it a high-risk data breach? Then the individuals concerned must be informed as soon as possible. We can help you draft a clear and comprehensive message.
  • Step 8: Investigate alternative suppliers or service providers
    Identify which alternative suppliers or service providers are available (if necessary). We can advise you on the contractual implications of engaging other parties.
  • Step 9: Report the incident to the police
    If cybercrime is involved, it may be useful to report it to the police. We can help you gather information and contact specialised cyber departments within the police force. This will increase the likelihood that your case will be taken seriously.
  • Step 10: Update reports in a timely manner
    Do the reports to the NCSC or the DDPA need to be supplemented? Make sure this is done on time. We are ready to help you with this.
  • Step 11: Record the incident in the internal register
    Record the incident in the internal data breach register, even if it was not a reportable data breach. Don't have a register yet? We will be happy to provide one.
  • Step 12: Investigate whether damages can be recovered
    We will work with you to determine whether you can recover damages and from whom.
  • Step 13: Prevent recurrence
    Prevent future incidents by taking preventive measures.

We will explain this step-by-step plan in more detail in our next blogs. For a number of tips, see our previously published blog: Data breaches in practice: three tips | Ploum

Contact us

Looking for more information about data breaches or other cyber incidents? Feel free to contact one of our lawyers if you have any questions about the step-by-step plan or if your organisation needs support.

Contact

Attorney at law

Lisanne Bruggeman

Areas of expertise: Privacy law, IT law, Intellectual property rights, Contract law, Litigation
