1. Every organisation which processes personal data – and that is almost all organisations – is required from 1st January 2016 to report security breaches if they lead to a data leak.
2. A data leak is, for instance, the theft, loss or misuse of personal data. The Data Protection Authority (CBP) has adopted draft guidelines for cases such as these:
3. A data leak must be reported to the CBP immediately (within two working days). The report is registered and is not made public.
4. A data leak must also be reported to the person concerned whose personal data have been leaked if the breach is likely to have detrimental consequences for their personal privacy.
5. If you violate the reporting requirement, you risk a fine of up to € 810.000,-.
The amendment of the law as of 1st January is radical. Almost every organisation processes personal data and every organisation runs a potential risk of being hacked or falling victim to a data leak in another way.
This means in practice that every organisation must implement measures. If you work with a cloud provider, for example (a so-called data processor within the meaning of the Act), you will have to conclude additional agreements with it. Most companies will want to retain responsibility for reporting a data leak themselves; if the data leak occurs at the data processor, you generally would not want the processor to make the report on your behalf.
Every company will be well-advised (and this is also the CBP’s advice) to:
Broeseliske Van Vlijmen Advocaten can advise and assist you on cyber security: preventively, in order to comply with the Act, but also once a data leak has occurred.