https://staging.ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/Privacy/pexels-cottonbro-studio-5474294.jpg

Data breaches in practice: three tips

Legal News

01 Feb '24

Author(s): Lars Boer en Nina Rijsterborgh-Witt

Data breaches occur frequently. An employee sends an e-mail containing a customer's personal data to the wrong e-mail address, or a company's database is hacked, making personal data accessible to unauthorized persons. Just some examples that show that a data leak can happen, often regardless of the precautions taken. An accident happens so easily and hackers are getting better at their 'trade'.

When a data breach unexpectedly occurs in your organization, one of the key issues is to deal with the data breach quickly and properly. Wondering how to do this? Then be sure to read on.

What is a data breach?

In the introduction to this blog, we already gave two examples of a data breach. However, many more variants of a data breach can be imagined. A data breach is any (security) incident in which an unauthorized party has carried out an activity involving personal data. Those activities are classified into three categories:

  • A breach of confidentiality: personal data has been viewed by or made accessible to persons who should not actually be allowed to view the personal data.
  • A breach of integrity: personal data was altered by persons not authorized to do so, or personal data was (accidentally) incorrectly altered by an authorized person.
  • A breach of availability: access to personal data by authorized persons is prevented, e.g. because the personal data has been deleted (by an unauthorized or accidentally by an authorized person), or because access to a system has been blocked.

As the consequences of the data breach vary from category to category, it is important in each case to check what kind of data breach has taken place.

What should you do after discovering a data breach?

After the discovery of a data breach, it is first and foremost important to gain a good understanding of exactly what happened and the extent of the data breach. Once it is clear what exactly happened, it should be examined which measures need to be taken to minimize the damage caused by the data breach. This will generally be, first and foremost, 'plugging the leak'. What further measures should be taken should be assessed on a case-by-case basis. Among other things, consideration should also be given to whether measures can be taken to prevent such an incident from occurring in the future.

The risk posed by the data breach must then be assessed. In principle, the data breach must be reported to the Dutch Data Security Authority (The Autoriteit Persoonsgegevens or in short AP). This does not apply if the data breach is unlikely to pose a risk to the rights and freedoms of the individuals whose personal data are involved in the data breach. If the conclusion is that a data breach needs to be reported to the AP, such reporting should take place within 72 hours of the discovery of the data breach. In doing so, a lot of information should already have been collected and provided.

It should also be considered whether the individuals whose personal data is involved in the data breach should be notified. These individuals must be notified if there is a high risk to the rights and freedoms of these individuals.

Finally, the data breach should (always) be recorded internally, in a data breach/incident register. This should include a note of what happened, the consequences of the incident, what measures were taken in the context of the incident and further prevention, and whether and how the Data Protection Officer (DPO) was involved in dealing with the data breach (if applicable). It should also note whether the incident was reported to the AP and the individuals whose personal data was involved in the data breach and why it was chosen to report the data breach or not. When completing the register, it is useful to make an explicit distinction between corrective and preventive measures. It is also useful to clearly record for each incident which part of the organization was involved in the incident.

Three tips to handle a data breach correctly

How a data breach should be handled differs from case to case. This should therefore be assessed on a case-by-case basis. However, the following three tips will come in handy in any situation:

  • Take preventive measures. Consider drawing up an Incident Response Plan so that the organization knows what to do in the event of a data breach and who is responsible for assessing and reporting it. Train employees on this so they can recognize data leaks. Also make agreements with processors and other parties you share data with about how to act in case of a data breach.
  • Check whether a notification needs to be made to the AP and do so (if applicable) as soon as possible, but in any case within 72 hours of becoming aware of the data breach. Even if you do not yet have all the information relating to the data breach, you should make a (provisional) notification. You can then complete it later.
  • Record the data breach internally so that it can be clearly retrieved at any time what exactly happened and how it was handled.

Do you want to take preventive measures to mitigate the consequences of future actions, or are you facing a data breach? If so, contact privacy@ploum.nl. We can help you, for example, assess whether there is a data breach that needs to be reported, report a data breach, prepare an Incident Response Plan and train your employees.

Contact

Attorney at law

Lars Boer

Expertises:  IT-Law, Privacy law, Procurement law, Cybersecurity , Technology, Media and Telecom, Commercial Contracts, Start-up and Scale-up,

+31 6 2075 1001 L.Boer@ploum.nl LinkedIn

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Privacy law

Also interested in these articles?

Customs

14 Oct 24

Interest on arrears following a customs debt
Intellectual property rights

13 Oct 24

Ploum in IP Stars 2024
Customs

07 Oct 24

The importance of demand letters in legal proceedings
Environmental law

13 Aug 24

Consequences for (combustion) plants by the Collective Decree Environmental and Planning Act I&W Environment 2025 (Verzamelbesluit Omgevingswet I&W Milieu 2025)!

Environmental law

13 Aug 24

Construction industry beware: environmental performance limit (milieuprestatie) for new buildings to be amended!
Food safety & product compliance

04 Jun 24

Update new allergen labelling policy: publication document 'Guidelines on cross-contamination of allergens'
Transport law

13 May 24

“Written agreement of the passenger” as defined by the Air Passengers Rights Regulation (Regulation (EC) 261/2004)
Notarial practice

02 May 24

Cooperation in healthcare
Privacy law

08 Apr 24

Odido fined by Dutch supervisory authority for processing traffic data
Fraud and white collar crime

04 Apr 24

New European Environmental Crime Directive is coming: criminal law gets to deal with climate change too
Food safety & product compliance

21 Mar 24

New allergen labeling policy for pre-packaged foods

Food safety & product compliance

19 Mar 24

New information obligation for manufacturers (and other economic operators) of medical devices

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Thank you for your interest in our newsletter.

Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

{/exp:user:register}

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.