“Data from 2,000 patients were accessible through leakage”, “Laptop with patient data stolen from hospital”, “Private data nearly 900 jobseekers on the street after email error”. These headlines show that it is impossible to imagine the news without security incidents with personal data. In some cases, these security incidents were data breaches.
As of 1 January 2016, the obligation to report data breaches has been introduced in the Dutch Personal Data Protection Act (‘Wbp’). The obligation to report data breaches obliges organizations to report certain data leaks to the Dutch Supervisory Authority ( “Autoriteit Persoonsgegevens” hereinafter referred to as “AP”). in some cases also to the data subject whose personal data has been breached.
As of 25 May 2018, the General Data Protection Regulation (‘GDPR’) will apply. Under the GDPR, organizations are also obliged to report certain data breaches.
Below we will discuss, among other things, what a data breach is and when an organization is obliged to report a data breach. The differences between the reporting obligation for data breaches under the Wbp and the GDPR will also be discussed.
What is a data breach?
A data breach occurs when a security incident has taken place in which personal data has been lost or it cannot be excluded that personal data has fallen into the hands of third parties. It is irrelevant whether a security incident took place intentionally or accidentally.
If an organization uses an outdated version of antivirus software to protect its systems, this does not constitute a data leak. At the very most, this is a security breach. However, as soon as a virus infection of the systems subsequently results in personal data (e.g. of employees or customers) becoming accessible to third parties, a data leak does occur.
Other examples of security incidents that may involve a data leak include e-mails sent to the wrong addressee, forgetting a memory card on the train, theft of a laptop or the outbreak of a fire in which systems containing personal data are damaged and of which no back-up has been made.
When should a data breach be reported?
Not every data breach needs to be reported. For a data breach that is subject to the obligation to report, it must also be established whether reporting to the AP alone is sufficient or whether reporting to the person involved is also required. In principle, this assessment must be made by an organization itself. In order to support organizations in this consideration, the AP has drawn up guidelines within the framework of the Wbp. As the obligation to report data breaches under the GDPR will change, we expect that similar guidelines will also be drawn up in the context of the GDPR.
When should a data breach be notified to the Personal Data Authority?
Under the Wbp, a data breach must be reported to the AP if the data breach leads to (a significant chance of) serious adverse consequences for the protection of personal data. The amount of breached personal data, the number of data subjects whose personal data has been breached and the nature of the breached personal data all play a role in the assessment of this. Any breach of sensitive data such as special personal data, financial data, work or school performance, biometric data and log-in data will have to be reported sooner.
Under the GDPR, a different starting point will be used. Every data breach obliges an organization to report it to the AP, unless it is unlikely that the data breach entails a risk to the rights and freedoms of natural persons.
When should a data breach be reported to the data subject?
A data breach that must be reported to the AP does not always have to be reported to the data subject. A separate assessment must be made with regard to the obligation to report to the data subject. The idea behind the notification to the data subject is that this will enable him or her to be alert to and arm himself or herself against the possible consequences of the data breach.
Under the Wbp, a data breach must be reported to the person concerned if it is likely to have unfavorable consequences for his or her personal privacy. This is the case if the data breach leads to (identity) fraud, discrimination, damage to honor and reputation or an unlawful publication.
Under the GDPR, a data breach will have to be reported to the data subject if the data breach is likely to present a high risk to the rights and freedoms of natural persons. The concrete content of this criterion will have to be demonstrated, for example, by means of guidelines.
Under both the Wbp and the GDPR, the data subject does not have to be notified if appropriate protection measures, such as encryption, have been taken, as a result of which the leaked personal data are incomprehensible or inaccessible to third parties. In addition, the GDPR does not require any notification to the data subject if measures are taken afterwards to ensure that the high risk is unlikely to recur or if a notification would require disproportionate efforts. In the latter case, therefore, a public notice that is equally effective would suffice.
By what deadline should notification be made?
The notifications to the AP and possibly to the data subject, both under the Wbp and the GDPR, must be made without undue delay and, if possible, no later than 72 hours after the discovery of the data breach. This period also applies if an organization uses a processor. Even if a processor discovers the data breach, an organization is ultimately responsible for making the report on time. An organization is therefore dependent on fast action and efficient cooperation from a processor.
Maintaining an overview of data breaches
Pursuant to the Wbp, organizations must keep an overview of all data breaches that are subject to the obligation to report. Under the GDPR, organizations will have to keep an overview of all data breaches, including those that are not subject to the obligation to report.
Under the Wbp, the overview for each data breach must in any case contain the facts and information about the nature of the breach. If the data leak has been reported to the person concerned, the text of the notification to the person concerned must also be included in the overview. Under the GDPR, the facts and consequences of the data breach and the corrective measures taken must be included in the overview.
The Wbp and the GDPR do not specify how long the summaries must be kept. It follows from the AP’s guidance on the Wbp that a minimum of one year should be assumed.
Sanctions
In the event of non-compliance with the obligation to report data leaks, the AP may impose a fine. Under the Personal Data Protection Act, the amount of the basic fine is set between € 120,000 and € 500,000. In exceptional situations, however, the fine may amount to a maximum of € 820,000 or 10% of the annual turnover. Under the GDPR, the fine can amount to € 20,000,000 or 4% of the worldwide annual turnover. Non-compliance with the obligation to report data leaks can also cause considerable damage to an organization’s image.
What does the mandatory data breach notification mean for your organization?
Preventing a data breach is not always within your power. By taking appropriate protection measures, such as encryption, you can prevent a data leak from having to be reported to the person involved. Sector-specific security standards can be helpful in determining and implementing the appropriate protection measures for your organization.
In addition, the obligation to report data breaches requires both you and a processor to act adequately and expeditiously as soon as a data breach is discovered. It is therefore wise to conclude a processor agreement between you and a processor containing clear conditions. A data breach policy tailored to your organization can also be very useful. The increase in the level of fines for non-compliance with the obligation to report data breaches under the GDPR increases the importance of clear agreements with the processor and a data breach policy.
In addition, as of 25 May 2018 the overview of data breaches to be kept will increase in size. You should check whether a regular spreadsheet program will suffice to maintain this overview or whether you are setting up or having set up a special digital environment for this purpose, for example by your IT department.
If you are active in the financial or telecom sector, different legal regulations may also apply to your organization.