Help, a data breach! What should you do? – Part 3: the content of notifications and internal record-keeping

28 Apr '26

Author(s): Lisanne Bruggeman

In part 1 of this blog series ‘First aid for data breaches & cyber incidents’, we discussed when a situation qualifies as a data breach, the potential consequences of a data breach, and the first steps that should be taken. In part 2, we addressed the data breach notification obligation, when a breach must be reported to the Dutch Data Protection Authority (‘DDPA’), and when data subjects and contractual counterparties must be informed. Enforcement by the DDPA was also discussed.

In this third part, we focus on the content of notifications and the internal registration of data breaches.

Please note that in this blog, we assume that a data breach must (only) be reported to the Dutch authorities. For advice regarding your specific situation, please contact us.

Content of the notification to the DDPA

If a notifiable data breach has occurred, the notification to the DDPA must be submitted fully, carefully and in a timely manner: without undue delay and, where feasible, within 72 hours after becoming aware of the breach. Where the 72-hour deadline is not met, the notification must state the reasons for the delay. Incomplete or unclearly worded notifications may result in follow-up questions from the DDPA.

To notify the DDPA, the notification form (in Dutch) on the DDPA’s website must be completed. The form requires detailed information about the data breach, including its cause and scope, the personal data involved, the affected individuals, the (potential) consequences, and the measures taken. The form also includes questions about other organisations involved, whether data subjects have been informed, and whether notifications have been made to other supervisory authorities. If not all information is immediately available, a follow-up notification can be submitted to the DDPA at a later stage.

Content of the notification to data subjects

Where a data breach is likely to result in a high risk to the rights and freedoms of the affected individuals, those individuals must in most cases also be informed. This communication must be in clear and plain language and should not be unnecessarily technical or obscure.

The notification to data subjects must include at least:

  • A description of the nature of the data breach;
  • The name and contact details of the Data Protection Officer (DPO) or another contact point;
  • A description of the likely consequences of the data breach; and
  • A description of the measures proposed or taken, including measures to mitigate possible adverse effects.

Content of the notification to contractual counterparties

Do not forget to inform any contractual counterparties in a timely manner. The content of such notifications must comply with the arrangements agreed upon in the relevant contract.

Internal registration in the incident and data breach register

Controllers are required to internally document every personal data breach, including the facts, its effects and the remedial action taken, regardless of whether the breach is subject to a notification obligation. This documentation enables the DDPA to verify compliance with the notification obligation.

It is therefore important to maintain an incident and data breach register. We recommend recording at least the following information for each data breach:

  • The date and time at which the data breach was discovered;
  • The date and time at which the incident occurred;
  • A description of the incident;
  • A description of the (potential) consequences of the incident;
  • The corrective and preventive measures taken;
  • Whether the incident was reported to the DDPA;
  • Whether the incident was reported to the affected individuals;
  • Whether the Data Protection Officer (DPO) was consulted (if applicable);
  • Any other organisations or processors involved in the data breach;
  • Any additional remarks; and
  • The name of the person who made the registration.

A carefully maintained incident and data breach register is not only important in the context of supervision by the DDPA but also helps organisations identify recurring risks and improve processes and security measures.

First aid for data breaches & cyber incidents

What should you do if something goes wrong? It is not always possible to prevent a data breach or other cyber incident. To help organisations, we have drawn up a practical step-by-step plan entitled 'First aid for data breaches & cyber incidents'. This step-by-step plan consists of the following steps:

Practical 13-step action plan

  • Step 1: Assess the situation
    What exactly happened? How and by whom was the incident discovered? This information forms the basis for the next steps.
     
  • Step 2: Call the insurer
    Do you have cyber insurance? If so, call the insurer's emergency number immediately. They will guide you through the process.
     
  • Step 3: Put together a crisis team
    Quickly bring the right people together: at least the executive, the person responsible for IT/security (CISO, if there is one) and don't forget the DPO. Also call in a technical expert. Don't have a regular expert? We will be happy to put you in touch with our cyber partners.
     
  • Step 4: Take immediate action
    Ensure that the vulnerability or point of entry is closed as quickly as possible and that as much data as possible is preserved, including logs and other evidence that the technical expert will need for the investigation. Limit the damage where possible.
     
  • Step 5: Check the reporting obligation with the NCSC (within 24 hours!)
    Does your organisation fall under the Dutch Wbni or the Cyber Security Act (NIS2)? If so, you may need to report the breach to the Dutch National Cyber Security Centre within 24 hours. Not sure? Contact us, we will be happy to advise you.
     
  • Step 6: Report a data breach to the DDPA (within 72 hours!)
    Is the data breach notifiable under the GDPR? If so, the controller must report it to the DDPA within 72 hours. Late reporting or failure to report may result in a fine. We can help you prepare and submit the notification.
     
  • Step 7: Inform the data subjects
    Is it a high-risk data breach? Then the data subjects must be informed as soon as possible. We can help you draft a clear and comprehensive message.
     
  • Step 8: Investigate alternative suppliers or service providers
    Identify which alternative suppliers or service providers are available (if necessary). We can advise you on the contractual implications of engaging other parties.
     
  • Step 9: Report the incident to the police
    If cybercrime is involved, it may be useful to report it to the police. We can help you gather information and contact specialised cyber departments within the police force. This will increase the likelihood that your case will be taken seriously.
     
  • Step 10: Update reports in a timely manner
    Do the reports to the NCSC or the DDPA need to be supplemented? Make sure this is done on time. We are ready to help you with this.
     
  • Step 11: Record the incident in the internal register
    Record the incident in the incident and data breach register, even if it was not a notifiable data breach. Don't have a register yet? We will be happy to provide one.
     
  • Step 12: Investigate whether damages can be recovered
    We will work with you to determine whether you can recover damages and from whom.
     
  • Step 13: Prevent recurrence
    Prevent future incidents by taking preventive measures.

For a number of tips, see our previously published blog: Data breaches in practice: three tips.

Contact us

Looking for more information about data breaches or other cyber incidents? Feel free to contact one of our lawyers if you have any questions about the step-by-step plan or if your organisation needs support.

Contact

Attorney at law

Lisanne Bruggeman

Expertise: privacy law, IT law, contract law
