ICTRECHT

The impact of the personal data security breach notification law

On 1 January 2016 legislation will enter into force in The Netherlands requiring organisations to report personal data security breaches. Any loss, theft or unauthorised access to personal data constitutes a security breach, which must be reported if the impact is severe. And that's not all. Culpably allowing personal data to leak, neglecting the obligation to notify a breach, or processing personal data unlawfully may result in penalties up to 810,000 or 10% of annual turnover per violation. What does this mean for your organisation?

1. What is a personal data security breach?

According to the law, a personal data security breach has occurred when personal data was lost or processed unlawfully. Unlawful processing includes unauthorised access to or modification of such data. The definition of a breach is therefore broader than you might intuitively think, and it is certainly not limited to events where hacking is involved. Leaving a USB flash drive containing personal data behind in the train, or sending emails with addresses displayed in the CC field instead of the BCC field, also qualifies as a personal data security breach. In fact, even a data centre fire causing a loss of personal data would qualify as such a breach if there is no backup available.

Breaches involving the loss or theft of data other than personal data are not relevant to this law, because they are not personal data breaches. So if someone steals the source code for your new software or copies a list of company names from your customer relations management system, it falls outside the scope of this law. Be aware, however, that you may be contractually obliged to report such breaches.

As a professional organisation, it's up to you to take the proper security measures to prevent breaches from occurring, for instance by using reliable encryption techniques, backup policies and audit trails.

2. When are you required to report a breach to the supervisory authority?

Not all personal data security breaches need to be reported. The law requires notification of a breach only if its impact is severe. A breach is deemed to be severe if it involves a large amount of data (quantitative severity), but also if it concerns particularly sensitive data (qualitative severity). Some examples from the second category are:

- login details;
- financial data;
- copies of identity documents;
- school or work results or performance assessments;
- data relating to personal beliefs;
- data relating to health.

Severe breaches must be reported to the supervisory authority within two business days.

ICTRecht B.V. | Sarphatistraat 610-612 | 1018 AV Amsterdam | T +31 (0)20 663 1941 | I ictrecht.nl | E info@ictrecht.nl
3. When are you required to report a breach to those affected?

If the breach is likely to have adverse consequences for the private lives of the individuals whose data was lost or processed unlawfully, you are required to report the incident not only to the supervisory authority but also to those individuals, within two business days. In most cases, these people are customers or employees. Adverse consequences can include:

- identity fraud;
- discrimination;
- reputational damage.

In cases of quantitative severity (see the previous question), it will likely be necessary to notify all potentially affected data subjects, because in most cases it will not be clear beforehand which of them will actually suffer adverse consequences from the breach.

4. When is reporting a breach not required?

Quantitatively and qualitatively severe breaches (as described in section 2) must always be reported to the supervisory authority. It makes no difference whether the leak arose from an error or was due to circumstances beyond your control (force majeure). However, breaches do not need to be reported to those affected if the leaked personal data are unreadable, for example if the personal data are encrypted or if they can be deleted remotely from a stolen laptop. Of course, in such cases you must be certain that no one has been able to access the data. The burden of proof will be on you in this case.

It is up to you to ascertain whether you are required to report a breach to the supervisory authority and/or the persons affected. However, if you misjudge the situation and do not report a breach when you should, you can be penalised for that, too.

5. What is the procedure for reporting a breach?

The supervisory authority has a standard form for reporting breaches. If a breach has occurred, you must fill in this form and submit it to the personal data protection authority. The completed form will then be saved in the authority's register, which is not public. In the event that a penalty is imposed in connection with the breach, this decision will be public. Naturally, a breach will also become public the moment the persons affected are notified.

6. Which information about breaches are you required to keep?

When you report a personal data security breach to the supervisory authority, you must keep an overview containing all the facts and details of the leakage in your own records. Among the details to be recorded are the cause of the breach, the type of data that were compromised, when the breach was discovered and how it was closed. If you also notified the persons affected of the breach, it's vital to save all the relevant communications. You are required to retain all of this information for at least one year. Contractual arrangements should be made for this in the data processing agreement between the controller and the processor (see question 8).
7. What impact will the law have?

From 1 January 2016, failure to comply with the law can result in an administrative penalty. Situations in which a penalty can be imposed include:

- failure to report a breach when required;
- failure to have proper security measures in place;
- processing personal data without permission or another legally valid basis;
- exporting personal data to countries outside the EU without making the proper arrangements.

Penalties can be as much as 810,000 or 10% of annual turnover. In most cases, a warning will be issued initially, but the supervisory authority may decide to impose a penalty immediately in the event of an intentional act or gross negligence.

8. Are data processors required to report breaches?

Many organisations outsource the processing of some personal data to third parties. For example, your organisation may use a customer relations management system offered as an online service by your vendor, or a professional e-mailing system hosted by a third party. Or a third-party developer may perform maintenance on software you use on your own premises for the processing of client data, while having access to the actual databases to allow effective troubleshooting. The law refers to such third parties as data processors.

Data processors are not required to report data leakages to the supervisory authority themselves. However, they are required to ensure that their customers (the controllers of the personal data) can make such a report in a timely manner. For this reason, it is crucial to draw up provisions setting out how a data processor will notify its controller in the event of a data leakage. These provisions can be included in a separate data processing agreement, which is usually attached to the main service agreement. Please note, however, that if you are a data processor and data in your own customer records were also leaked, you yourself are also required to report the breach. After all, these data fall under your own responsibility.

9. What can you do to prepare for the obligation to report breaches?

If you wish to be fully prepared for the new obligation to report personal data security breaches, here are some steps you can take:

- draw up a list of everyone who processes your data and check whether you have data processing agreements with all of these parties;
- update your data processing agreements to contain a provision on personal data security breaches;
- conclude a Non-disclosure Agreement (NDA) covering non-personal yet sensitive data with all parties you work with;
- check what system the companies that process personal data for you use to save personal data. Is it secure? Naturally, you should check this at your own organisation too;
- if organisations claim they are certified (e.g. ISO 27001), ask them about the scope of this certification;
- ask your insurance company or broker whether you are covered for personal data security breaches (cyber risk insurance);
- ensure you have internal procedures in place for handling and reporting breaches.
10. Procedure governing the obligation to report personal data security breaches

If you discover a data leakage and want a quick overview of the reporting procedure, see the decision tree about reporting breaches at the end of this document.

11. Questions?

If you are having difficulty determining whether you are required to report a breach or not, if you have any questions about how to arrange agreements with third parties, or if you would like help drawing up an internal procedure for reporting breaches, please feel free to contact us on +31 20 66 31 941 or at info@ictrecht.nl and ask for one of our privacy and security specialists.
Decision tree: reporting personal data security breaches

1. Do the leaked data qualify as personal data? For example: names, customer numbers, customer profiles, addresses and email addresses.

2. Does the breach involve your own customer details? For example, data stored by a hosting service or a cloud service provider ("data processors") normally belong to their customers and are not the provider's own data. If the data belong to your customers: you must report the leakage to your customers.

3. Have personal data been lost or processed unlawfully ("leaked")? For example: a lost laptop, a hack, a fire in a data centre, or a former employee who still has access to personal data. If in doubt, contact us.

4. Has a large amount of personal data (quantitative) or sensitive personal data (qualitative) been leaked? For example: the personal data of more than one thousand people, or data such as bank account numbers, login details or health-related data. If in doubt, contact us.

5. If so: you are required to inform the supervisory authority of the data leakage by no later than the second business day after discovering the breach.

6. Is the data leakage likely to have adverse consequences for the private lives of individuals? For example, if sensitive personal data have been leaked or if there is a danger of identity fraud. If in doubt, contact us. If not: you are only required to report the leakage to the supervisory authority.

7. Have the leaked personal data been protected in a manner that makes them unreadable or unusable? For example, by means of strong encryption. If in doubt, contact us. If not: you are required to inform both the supervisory authority and the persons affected by the data leakage.

8. Has the decryption key also been leaked?

9. If the key was also leaked: you are required to inform both the supervisory authority and the persons affected by the data leakage. If the key was not leaked: you are only required to report the leakage to the supervisory authority.