What to do in case of data breach?
Since the entry into force of the AVG, data breaches are increasingly in the news (as they are subject to mandatory reporting). And as the world continues to digitise, with all the economies of scale that this entails, the risks of data breaches are increasing. What is a data breach, what can be done about it and what role does Privacy First play in it?
With data breaches, most people think of data "leaking" due to poor security or a hack. However, the term is broader than that. Legally, a data breach is: any unauthorised or inadvertent destruction, loss, access, alteration, disclosure or other unauthorised processing of personal data (data about an identified or identifiable individual). In other words, something has happened to your data that was not intended.
Examples of data breaches include:
- the loss of a USB stick containing personal data (where that data is thus 'out on the street');
- forwarding personal data to the wrong recipient;
- unauthorised inspection of a medical record;
- a cyber-attack in which personal data has been obtained (usually usernames and passwords, which can then be used for identity fraud or to access other websites).
Often, data breaches are caused by human error.
Risks of data breaches
The consequences of data breaches can be enormous and have a major impact on people's private lives. Examples include identity fraud, blackmail, reputational damage, discrimination or stigmatisation. The risk can be both quantitative (a large amount of personal data) and qualitative (sensitive personal data), and the damage can be both material and immaterial.
Data breach obligations
Once a data breach occurs, the responsible organisation must stop it immediately and take measures to prevent its recurrence. The breach must also be recorded internally in a data breach register.
If there is a risk to data subjects (the people whose personal data has been leaked), the data breach must be reported to the affected individuals as soon as possible.
Where there is a risk to data subjects, the data breach must also be reported promptly to the Personal Data Authority (AP): within 72 hours of the discovery of the data breach. In case of significant damage or impact, the AP may take action against the organisation and/or impose fines.
What do you do about it?
Prevention is better than cure. Every organisation is legally obliged to secure personal data to the best of its ability and, to that end, to apply privacy by design.
That is: taking privacy into account from the moment an information system is designed, so that no fines have to be paid afterwards and no privacy patches have to be applied later.
What does Privacy First do?
For years, Privacy First has been receiving signals, complaints and reports from citizens and consumers about possible data breaches (in government and business). We usually refer them to the AP and to specialised lawyers or attorneys who can help them further.
However, experience shows that the AP hardly ever treats complaints about data breaches seriously, or leaves them on the shelf for years. The AP also takes hardly any effective action, and almost no fines are imposed.
High time, therefore, for Privacy First to put its own house in order in this area. Soon you will read more about this on our website.