Cyber Security

The Personal Data Protection Act (WBP) was expanded on 1st January 2016 with the data leak reporting requirement. What does this mean for you as an entrepreneur?

1. Every organisation which processes personal data – and that is almost all organisations – is required from 1st January 2016 to report security breaches if they lead to a data leak. 

2. A data leak is, for instance, the theft, loss or misuse of personal data. In its draft guidelines, the Data Protection Authority (CBP) gives instances such as these:

  • A lost USB stick;
  • A stolen laptop;
  • A break-in by a hacker;
  • Dispatch of e-mail where the email addresses of all recipients are visible to other recipients;
  • A malware infection;
  • A disaster such as a fire in a data centre.

3. A data leak must be reported to the CBP immediately (within two working days). The report is registered and is not made public.

4. A data leak must also be reported to the interested party whose personal data have been leaked if the breach will probably have detrimental consequences for their personal privacy.

5. If you violate the reporting requirement, you risk a fine of up to € 810.000,-.

In Brief:

The amendment of the law as of 1st January is radical. Almost every organisation processes personal data and every organisation runs a potential risk of being hacked or falling victim to a data leak in another way.

This actually means that every organisation must implement measures. If you work with a cloud provider, for example (a so-called data processor within the meaning of the Act), then you will have to conclude additional agreements with it. As it happens, most companies will want to retain responsibility for the reporting of a data leak. However, if the data leak occurs at the data processor, then you generally wouldn’t want it to make the report.

Every company will be well-advised (and this is also the CBP’s advice) to:

  • Set up a good incident management procedure;
  • Decide who in the organisation will assess data leaks and report them to the CBP;
  • Determine how you will inform the affected parties in the event of a data leak;
  • Determine how you will handle external indications concerning possible data leaks;
  • Monitor agreements with your data processors.

Broeseliske Van Vlijmen Advocaten can advise and assist you on Cyber Security: preventively, in order to comply with the Act, but also once a data leak has occurred.