Date: November 05, 2019
Modified November 14, 2023
Written by: Valerie Lipman
Reading time: +/- 2 minutes
A data breach can have far-reaching consequences, both for your organization and for the individuals involved. Therefore, it is important to act quickly in the event of a data breach and take the appropriate steps. We previously published an infographic that you can use to assess whether there is a data breach and whether the data breach must be reported and, if so, to whom. In this article, we explain this in more detail.
A data breach is a security incident in which personal data has been accidentally or unlawfully leaked, destroyed or altered. Examples include a stolen laptop or a cyber-attack in which a hacker has captured customers' personal data. There is also a data breach when personal data has been disclosed to, or accessed by, someone who is not authorized to see it. This is the case, for example, when personal data has been sent to the wrong recipient.
The General Data Protection Regulation (hereafter AVG) imposes strict requirements on the registration of data breaches in an organization. For example, an organization must document every data breach, including the facts about the data breach, its consequences and the actions taken in response to the data breach.
Whether an organization must additionally report a data breach to the national privacy regulator, in the Netherlands the Authority for Personal Data (hereinafter: AP), depends on the (potential) impact of the data breach on the privacy of those involved. Important indicators are the nature and extent of the breach and the sensitivity of the personal data involved. Only if the data breach is unlikely to pose a risk to the rights and freedoms of the affected individuals does it not have to be reported.
If notification is required, the organization must report the data breach to the AP via the data breach hotline within 72 hours after the data breach is discovered.
In some cases, the data subjects themselves must also be notified, so that they can take action. This is the case if the breach is likely to have adverse consequences for them. Think of a data leak of sensitive data about race, religion or sexual orientation that poses a risk of discrimination, or a data leak of copies of identity documents and/or the BSN that poses a risk of (identity) fraud. A data breach involving credit card information is also high-risk, because it creates the risk that someone could place online orders at someone else's expense, resulting in financial damage.
Failure to report a data breach, or failure to report it in time, violates the AVG. European privacy regulators can impose large fines in that case. That the privacy regulators actually use this power is evidenced by a number of recently imposed fines. For example, the British Data Protection Authority (ICO) recently announced that it was imposing (record!) fines of over 200 million euros and 110 million euros, respectively, on the airline British Airways and the American hotel chain Marriott following a data breach. Read more about this in Annemarie van Woudenberg's blog.
Is there a potential data breach within your organization? If so, it is important to act quickly and take the appropriate steps.
Do you have questions or want to learn more about privacy? If so, please feel free to contact one of our privacy specialists. We will be happy to assist you.
As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.