
Reporting a data breach: take timely action

General Data Protection Regulation

The General Data Protection Regulation (GDPR) obliges companies that fall within its scope to take measures in the event of a data breach.

Not only must a register be kept in which all data breaches are recorded; where required, companies must also report a data breach to the competent supervisory authority for personal data. In Belgium this is the Data Protection Authority (GBA).

The GDPR is a relatively new piece of privacy legislation and has been in force in all European member states since 2018. It applies to all companies and public authorities that collect and process personal data.

Read more about the GDPR.

What is a data breach?

Personal Data Breach

In the GDPR itself there is no mention of a 'data breach', but of a 'personal data breach'.

Such a breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed” (Article 4 GDPR).

Quite a mouthful, but what exactly does this mean?

Examples of data breaches

There are numerous examples that show where a data breach occurs. Many people think first of a hacker who has broken into the company, but a data breach can also be more subtle.

There is a data breach, for example, when a USB stick containing unencrypted personal data is lost, when a system crash caused by human error destroys personal data that was not backed up, or when personal data is displayed on an unsecured web page.

A cyber attack in which personal data has been stolen, or a ransomware infection that has made personal data inaccessible, also falls under the term data breach. Also consider hacking, theft, or the accidental loss or destruction of personal data.

Malicious intent therefore does not have to be involved for there to be a data breach. On the contrary, many data breaches are the result of human error or carelessness.

Keeping an internal register

A company must record every personal data breach in an internal register, sometimes referred to as a 'data breach register', which the company itself maintains.

All sorts of details must be documented in this register, such as the time at which the incident was discovered, a description of the person or persons involved, the likely consequences of the breach, and a description of the measures taken.

Report data breach

When a personal data breach (data breach) has occurred, a company must take action and report it. However, this is not always mandatory.

To whom should the data breach be reported?

A data breach must be reported both to the competent supervisory authority, namely the Data Protection Authority (GBA), and to the persons involved in the data breach.

The Data Protection Authority must be notified of the data breach by the data controller within the company within 72 hours. There is an exception to this, namely when the personal data breach is unlikely to pose a risk to the rights and freedoms of the individuals involved.

Data breaches are notified to the GBA via an electronic form, which is available on the GBA's website via this link. This form must be completed in one of the three national languages and then submitted via a web portal.

Only if the breach poses a high risk to the rights and freedoms of the data subject must that person be personally informed of the data breach.

Risk analysis

The GDPR therefore assumes that for each incident a certain assessment and risk analysis is carried out to determine whether there is a high risk. This raises many questions: after all, what is a (sufficiently) high risk?

Mr. Franklin offers first aid and makes an online tool available, Dr. Breach, with which you can easily make an initial analysis of the risk and seriousness of the breach. The tool is free and completely anonymous.

Competent authority for personal data in the Netherlands

In the Netherlands, the competent supervisory authority is the Authority for Personal Data (Autoriteit Persoonsgegevens, AP). Companies in the Netherlands that are confronted with a data breach must report it to this authority within 72 hours.

Why is there a data breach notification obligation?

With the introduction of the GDPR, the European Commission wants to strengthen and protect the privacy of European citizens and their rights and freedoms. These citizens are also referred to as 'data subjects'. A data breach sometimes has adverse consequences for these data subjects.

Making the reporting of a data breach mandatory raises awareness at companies, so that they handle the personal data they collect and process more carefully and securely. This in turn creates more trust among customers and employees.

Are there sanctions?

Yes, sanctions are imposed for non-compliance with the GDPR, including fines, which can be high. You can find out more about these fines here.

It is notable that the notification of a data breach can also give rise to a further investigation of the company by the GBA, and that this investigation can then extend to matters unrelated to the data breach. The GBA recently issued a decision in which a company was fined 50,000 euros in this way.

A fine is something you would rather avoid as a company. Therefore, consult the experts at Mr. Franklin for all your questions and specialized advice.

What can Mr. Franklin mean to you?

When you are the victim of a data breach, Mr. Franklin helps you estimate how serious the data breach is on the basis of a risk analysis and assess whether or not a notification must be made to the Data Protection Authority. If a notification is necessary, we can make it for you. We can also assist your company with the communication to customers and/or data subjects. Finally, we can help identify the causes of the data breach and see how you can prevent a similar security incident in the future.

We can also assist you in carrying out a GDPR audit or in drawing up mandatory GDPR documents and procedures. We are also regularly appointed as data protection officer (DPO) within an enterprise. This ensures the GDPR implementation within your company. A DPO is an independent person who also acts as a contact person for the competent authorities. Some matters in which a DPO can play a role are maintaining the data breach register, assessing possible risks, or informing the GBA in the event of a data breach.

Mr. Franklin has three certified DPOs who are ready to help you comply with the GDPR obligations. Read more about the services a DPO can offer your company.

Due to the years of expertise of Mr. Franklin, we can answer all your questions regarding data breaches and the GDPR in general. So don't hesitate to contact us.


Protect your company against GDPR fines and do a free GDPR audit with Mr. Franklin or ask for more information on GDPR related matters.

GDPR-proof in max 3 months

THEY ALSO CALLED ON MR. FRANKLIN

Mr. Franklin provides us with excellent support in the field of legal IT assistance, GDPR, property law and financial disputes. Drive, speed, passion for the profession and correctness are just a few keywords that typify Mr. Franklin and their team.

Xavier Goegebeur / Link Optimizer

Mr. Franklin always provides quality work for a clear price.

Alain Carels / Carbofisc
