Are you compliant with the new Dutch Law on Data Breach Notifications?

On January 1, 2016, the new Dutch Law on Data Breach Notifications came into effect. Organizations – both companies and government agencies – are now required to immediately report any serious data breach to the Dutch Data Protection Authority (Authoriteit Persoonsgegevens). And, if it is likely that the data breach will have an adverse effect on the privacy of those involved, those people have to be informed as well.

A data breach is defined as the act of accessing, deleting, modifying or releasing personal data, committed unintentionally by the organization. Not only releasing (e.g. leaking) personal data, but also the illegal processing of data, will be seen as a data breach. Examples of data breaches are a lost USB stick containing personal data, a stolen smartphone or malicious access to a database by a hacker.

Six tips to minimize risk
This new law was extensively discussed with a group of Leaseweb customers during a recent round table about security. “In 2016, having a good security policy is no longer a matter of debate. You simply need to have it,” said one of the participants during the event. “If you don’t have a good security policy in place, you will risk a fine up to €820,000 if you lose a customer’s personal data. In some cases, the fine can be even higher.”

The round table discussion confirmed what the media have written before: most organizations don’t have their act together when it comes to security. So the question is: are you compliant with the new law? If you aren’t (yet), use the following six tips to minimize risks:

1. First, study the documentation provided by the government. Make sure that you understand the terms used (the definition of personal data, for example)
2. Next, make an inventory of where personal data is being processed in your organization
3. The third step is to develop special procedures on how to deal with personal data. Think about who needs to access this data, who needs to process it and which actions are allowed when processing data. And make sure security measures are implemented during these procedures.
4. Make agreements with third-party organizations that process your customers’ personal data.
5. Appoint someone who is explicitly responsible for data management. This person is the main point of contact for the data protection authorities.
6. And last but not least: put everything on paper in a checklist (and make sure you test this checklist in practice). If an incident occurs, you will know exactly what to do.