Data breaches are increasingly making the news, whether it concerns someone accessing the medical file of a well-known Dutch person, a large-scale ransomware attack or the theft of personal data of millions of car owners. A data breach is very unpleasant, not only for the data subjects involved but also for the organization that has to deal with it. Think of the reputational damage when your company makes the news for the wrong reasons. You cannot undo it, the data breach has already taken place, but how do you make sure that it is handled properly?
Controller vs. processor
The first question is: “Who am I?”. The General Data Protection Regulation (GDPR) distinguishes between the controller and the processor. The name says it all: the controller is the party responsible for compliance. This party determines the purpose (for example, sending newsletters) and the means (the deployment of a program that can send newsletters in bulk). The processor only processes personal data on behalf of the controller. If something goes wrong, for example if all e-mail addresses are stolen by an attacker because the processor had not secured them properly, then appropriate action must be taken. The processor who sends the newsletters on behalf of the controller will have to inform the controller without undue delay, because, as stated, the controller is responsible and the controller is the one who must decide whether and to whom the breach is reported. Check that your processing agreements actually contain such a notification obligation and a deadline for it.
Report to the Dutch Data Protection Authority and data subjects
The next question is: “Should we report the data breach to the Dutch Data Protection Authority?”. The controller must determine whether the data breach poses a risk to the rights and freedoms of the data subjects. If that is the case, the controller has to report the data breach to the Dutch Data Protection Authority, and under the GDPR this must be done without undue delay and where feasible within 72 hours of becoming aware of the breach. Only if the breach is unlikely to result in a risk may the report be omitted. To determine whether a data breach poses a risk to the data subjects, you will have to look at which personal data has been leaked, to how many people it relates and who has gained access to it. Is it, for example, financial data or perhaps health data?
If the conclusion is that the data breach must be reported to the Dutch Data Protection Authority, then that is not the end of it. The controller will also have to consider whether the data breach must be communicated to the data subject(s). This is mandatory if the data breach is likely to result in a high risk for them, and it must also be done without undue delay. Could the data breach, for example, lead to discrimination because personal data about race or sexual orientation has been leaked? Or perhaps to identity fraud because a copy of a passport has ended up in the hands of unauthorized persons?
Data breach register
Finally, the administration must be updated. The GDPR requires the controller to document every data breach, including the ones that did not have to be reported to the Dutch Data Protection Authority: the facts surrounding the breach, its effects and the remedial action taken. It is customary to record data breaches in a data breach register. This gives you an overview of what happened and which steps were taken next, and it allows the Dutch Data Protection Authority to verify that you have complied with the notification obligation. You can easily keep track of all data breaches in the Privacy Verified portal. Are you interested, or do you have questions about this? Then you can of course contact us!