Date: Jan. 28, 2019
Modified November 14, 2023
Written by: Valerie Lipman
Reading time: +/- 2 minutes
Digitization is everywhere, and the amount of data stored in the process is increasing dramatically. This brings with it new risks, including in the area of data security. What are the consequences when data is stolen or otherwise lost, and what can you do about it?
Whenever the data being stored or processed includes personal data, the processing falls under the General Data Protection Regulation (GDPR; the Dutch abbreviation AVG is used below). The AVG requires careful handling of personal data, under penalty of substantial fines. An important part of this is the security of personal data: poor data security can lead to various problems, such as a data breach.
The main rule on personal data security under the AVG is that organizations must take both technical and organizational measures to ensure a level of protection appropriate to the risk. Technical measures include access controls, encryption and network security; organizational measures include, for example, imposing confidentiality obligations on staff, issuing instructions and providing training.
In addition, an organization must decide in advance how data will be handled. For example, who has access to which data? The more people who have access to the data, the greater the risk of an incident. Limit access to data, and to personal data in particular, to those employees who genuinely need it for their work. Equally important is not to process more personal data than necessary: where possible, remove or pseudonymize identifying characteristics before the data is stored or passed on, so that a breach of that data set exposes less.
Many organizations involve other parties in processing personal data, for example a payroll provider. The AVG requires organizations to conclude a so-called processor agreement with such parties. Among other things, this agreement must lay down how the protection and processing of the personal data is regulated; for example, the processor may only process the data on the organization's instructions and may not use it for its own purposes. The key point is that the organization itself remains responsible for the protection of the personal data. Therefore, engage only processors that can demonstrate that they meet the legal requirements for data security. An AVG certification, or an ISO/NEN 27001 certification (with ISO 27002 as the accompanying code of practice), is one way for a processor to demonstrate that its information security is organized according to recognized standards; note that such a certificate covers the security management system, not every obligation under the AVG, so it does not replace the processor agreement.
One of the biggest risks in data security is a data breach. A data breach is a security incident in which personal data has been lost, or in which it cannot be ruled out that personal data has been accessed or otherwise processed unlawfully. Examples include a lost USB stick, a stolen laptop, a break-in by a hacker or a malware infection.
The AVG imposes strict requirements on an organization's recordkeeping of data breaches. An organization must document every data breach, including the facts of the breach, its consequences and the measures taken in response, regardless of whether the breach is reported. In addition, the data breach notification requirement applies: organizations must notify the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (hereinafter AP), within 72 hours of becoming aware of a data breach. In some cases the data subjects themselves must also be informed, namely when the breach is likely to result in a high risk to their privacy and other rights.
Whether an organization must report a data breach depends on the (potential) impact of the breach on the protection of personal data and on the privacy of the data subjects; a breach that is unlikely to result in any risk need not be reported to the AP, but must still be documented. The European privacy regulators (the Article 29 Working Party, now the European Data Protection Board) have published Guidelines on personal data breach notification to help organizations make this assessment.
Failure to report a data breach, or failure to report it in time, is a violation of the AVG. In that case the AP can impose a fine of up to 20 million euros or 4% of the organization's annual worldwide turnover, whichever is higher. For example, in late 2018 the AP fined the transportation company Uber 600,000 euros for violating the data breach notification requirement, because Uber had not informed the AP and the data subjects in time about a data breach in which unauthorized persons gained access to personal data such as names, e-mail addresses and phone numbers of customers and drivers.
Naturally, as an organization you want to minimize the risk of a data breach or any other unlawful form of processing. That is why data security must remain a permanent point of attention within the organization. Make sure your organization complies with the AVG and avoid fines.
Would you like to know more about privacy or personal data security? Please feel free to contact one of our privacy specialists, we are happy to assist you: Valerie Lipman and Annemarie van Woudenberg.
As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us for personalized information about our services.