Let's get digital: data breach notification requirement


Date: November 21, 2016

Modified November 14, 2023

Written by: Valerie Lipman

Reading time: +/- 2 minutes

The world is digitizing rapidly and the amount of data stored in the process is increasing dramatically. To give one small example: 90% of all data available worldwide was produced in the period 2013 - 2014. This data consists not only of nice photos on social media and funny YouTube videos, but also of important and, in some cases, highly privacy-sensitive information. The data remains digitally available for years. This is convenient, but it also carries risks. What if this information is stolen or otherwise lost? Until recently, the supervisory authority could do little about this; in fact, there was no duty to report such incidents. The government has recognized the need for appropriate measures and is now introducing a Data Breach Notification Obligation. As of Jan. 1, companies and governments are required to report so-called "data breaches" to the Personal Data Authority (AP) and, in some cases, also to the data subjects. If they fail to comply with this reporting obligation, the AP can impose substantial fines of up to €810,000.

When are personal data processed?

Personal data is any data about an identifiable natural person. This can be data that refers directly to someone, such as their name. It can also be data that is indirectly traceable to a person, such as a phone number or zip code, or more sensitive information such as a person's religion or health.

Virtually every company stores individuals' personal data in a file or collection. Think of general practitioners with digital patient records, hosting companies that manage their customers' data, and any company that keeps payroll records. Virtually all such data is stored in the cloud, on laptops, on external hard drives and on USB sticks.

As soon as personal data are processed, the Personal Data Protection Act applies. Processing is a broad term. It also includes the mere storing of personal data.

What is a data breach?

A data breach is a security breach in which personal data has been lost, or in which it cannot reasonably be ruled out that personal data has been processed unlawfully. Examples include a lost USB stick, a stolen laptop, a break-in by a hacker, a malware infection or a calamity such as a fire in a data center.

That such incidents occur is evidenced by recent news. For example, a number of USB sticks were stolen from a District Attorney's office during a residential burglary. These USB sticks contained sensitive information about a criminal case. Under the future legislation, these types of incidents will have to be reported to the AP and probably to the data subjects as well.

Who does the data breach notification requirement apply to?

The mandatory data breach notification applies to Dutch companies and government agencies. If, as a company, you process personal data in a fully or partially automated way (and this may soon be the case), there is a good chance that you are bound by the mandatory notification. For citizens, there is currently no mandatory notification.

When should a data breach be reported?

Notification must be made to the AP if the breach has serious adverse effects on the protection of personal data. In some cases, notification must also be made to the data subjects themselves. This is the case if the breach is likely to have adverse effects on their personal privacy. The AP's website has a comprehensive guidance document that helps companies and government agencies determine when notification is required.

What are the possible consequences of not reporting a data breach?

The amendment to the Personal Data Protection Act allows the AP to impose high fines for violations. If the obligation to adequately secure personal data is not met, or the duty to report is not complied with, fines can be imposed from €20,500 for minor violations up to a maximum of €820,000 for intentional and repeated violations. In addition, the fine for legal entities has been made more flexible: where needed for an appropriate punishment, the AP may also impose a fine of up to 10% of the legal entity's annual turnover.

How is a data breach reported?

The data breach hotline can be reached through the AP's website. Reporting is done by filling out an online form. The form will be available online in early January 2016.

Conclusion

Recent developments in ICT and the ever-increasing dependence on the Internet make the Data Breach Notification Obligation a welcome addition to the protection of personal data. It remains to be seen whether its introduction will lead to the desired result, namely careful protection of personal information. After all, appropriate legislation is not the solution to the problem. Both governments and companies will have to recognize the necessity of properly protecting data, especially now that digitalization is increasing rapidly and incidents are the order of the day.
