Not in the mood for a fine from the AP? Five practical tips to prevent data breaches

Recently, data breaches have been regularly reported in the news. The parties affected are increasingly large and sometimes fulfill an important social function. What can you do as a company to prevent this type of data breach? In this article, we provide five practical tips!

Date: June 18, 2021

Modified November 14, 2023

Written by: Joost van Dongen

Reading time: +/- 2 minutes

In recent years, data breaches have been regularly reported in the news. One of the largest and perhaps the most far-reaching was the data breach at the GGD in early 2021. That same year, New York Pizza also reported a data breach due to a hack at one of its software suppliers. The result: 3.9 million customer records potentially stolen. Recently, a data breach occurred at parcel service GLS, resulting in many unintended emails being sent to people who had not ordered a package at all. What can you do as a company to prevent this type of data breach? In this article, we provide five practical tips!

Tip #1: Limit the personal data collected.

First, it is important to minimize the amount of personal data a company collects. This may sound obvious, but in practice the unnecessary collection of personal data leads to many unnecessary risks and problems. Not only does the company end up processing an unnecessarily large volume of data, but in many cases that personal data is not deleted once its retention period has expired. Such a company is an attractive target for hackers: if they manage to break in, the haul is large. In addition, the company runs the risk of a fine from the Personal Data Authority (AP).

It is important to critically assess which personal data are necessary to process. In addition, it may be helpful to schedule an annual time to check the personal data processed. Has the retention period expired? Then destroy the personal data. Data you don't have cannot be leaked either!

Tip #2: Make sure you have good security.

Personal data processed under any of the bases listed in the General Data Protection Regulation (AVG) must be properly secured. The AVG requires companies to take appropriate organizational and technical measures to secure personal data. Security measures you can take as a business owner include installing a firewall, additionally securing the wireless network and requiring two-factor authentication for access to personal data or applications. Also, don't forget to check your security regularly. Is everything still up to date and up to standard? If so, your company is at less risk of a data breach.

Tip #3: Encrypt stored personal data.

If a data breach, such as a hack, occurs, the damage can be limited by storing personal data in encrypted form. Encrypted storage greatly reduces the harm to data subjects, even if a data breach does occur unexpectedly. The risk that third parties, such as hackers, can actually make use of the leaked personal data by disclosing or selling it is then considerably smaller.
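The following is an added example, not code from the original article or its authors, of what "storing personal data in encrypted form" looks like in practice for a single field of a customer record. It uses AES-256-GCM from the Go standard library, and assumes the encryption key is stored separately from the database (for example in a key management service or a secrets store); if the key sits next to the data, an attacker who copies the database gets both. The record id is bound as associated data so that a ciphertext copied from one customer row cannot be decrypted in the context of another row. The function names and the sample record values are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a fresh 32-byte AES-256 key. In production this key lives
// in a KMS or secrets store, never in the same database as the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptField encrypts one personal-data field (e.g. an e-mail address) with
// AES-256-GCM. A random nonce is prepended to the ciphertext, and recordID is
// passed as associated data so the ciphertext is bound to that record.
// The result is base64 so it can be stored in an ordinary text column.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends the ciphertext and authentication tag after the nonce.
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. It fails if the key is wrong, the
// ciphertext was modified, or the recordID does not match the one used at
// encryption time (GCM's tag check covers all three cases).
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, body, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: a customer id and an e-mail address.
	const recordID = "customer-1001"
	stored, err := EncryptField(key, recordID, "jan@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in database:", stored)

	// Normal read path: correct key, correct record.
	email, err := DecryptField(key, recordID, stored)
	fmt.Println("decrypted:", email, "err:", err)

	// What a thief of the database alone gets: without the key, decryption fails.
	otherKey, _ := NewKey()
	_, err = DecryptField(otherKey, recordID, stored)
	fmt.Println("wrong key ->", err)

	// Ciphertext moved to another record is rejected as well.
	_, err = DecryptField(key, "customer-2002", stored)
	fmt.Println("wrong record ->", err)
}
```

Run it with `go run main.go`; the two failing decryptions print an authentication error, which is the behaviour the tip relies on: a leaked database of ciphertexts is of little use to whoever took it as long as the key was not leaked with it.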

Tip #4: Make sure you have a good and complete privacy policy.

To properly process personal data, a good privacy policy is essential. In it, you briefly set out which personal data you process, for what purpose, and how you do so securely.

In addition, under the AVG, companies are required to inform data subjects about the processing of their personal data. The AVG has several requirements for this information obligation, which can be most easily complied with by drafting a privacy policy containing all the information. The privacy policy should then be posted in a public and accessible place, such as the company's own website. Some topics about which data subjects are required to be informed are the purposes of processing, the basis for processing, the retention periods of personal data and the rights data subjects have.

In addition, ensure compliance with policies within the company. After all, many data breaches occur as a result of human error. Proper compliance with the policy is therefore crucial to prevent data breaches as much as possible. By actively informing employees of the content of the privacy policy and reminding them regularly, they are more aware of proper compliance with the policy and what the dangers and risks are when processing personal data.

Finally, it is advisable to establish an internal data breach notification protocol. Under the AVG, a company is obliged to document every data breach. In addition, there is a mandatory data breach notification: companies must report the data breach to the AP within 72 hours after it is discovered. If a data breach is not reported within 72 hours, there is an (additional) risk of a fine from the AP. By drawing up an internal data breach notification protocol, employees immediately know what to do when a data breach occurs, and appropriate measures can be taken as soon as possible.

Tip #5: Check collaborations with external parties.

When working with third parties, it is important to determine whether the party qualifies as a data controller or a processor. If a third party is a controller, that party must independently comply with all obligations and requirements of the AVG.

If the third party is going to process personal data for the company and does not itself determine the purpose and means of the processing, then it is a processor, and a processor agreement must be concluded under the AVG. This agreement should set out, for example, which personal data will be processed and for how long, what the nature and purpose of the processing is, and how the security of the personal data is guaranteed. It also sets out the processor's obligations, such as an obligation to report in the event of a data breach. A good processor agreement makes clear who is responsible for what when it comes to processing personal data.

Are you wondering whether your company processes personal data in accordance with the AVG? Or would you like more information about drafting a privacy policy or procedures around data breaches? Then contact our privacy specialists: Annemarie van Woudenberg or Joost van Dongen.

This page was last updated on August 14, 2023.
