The Data Breach Notification & the guidelines of the Data Protection Authority
Privacy - more than meets the eye
On January 1st 2016, the Dutch Data Breach Notification will come into effect. The new ‘privacy law’ can have serious consequences for organizations that fail to adequately protect the personal data they process. It will grant the Dutch DPA the right to impose a fine on organizations that do not notify a data breach – a fine that can amount to € 810,000.
November 3, 2015
More than meets the eye
For Deloitte, privacy is a key asset for organizations, regardless of fines and legislation. This is why, for the third time in a row, we organized Privacy with a View. The event was titled Privacy – More than meets the eye, and took place on November 6. One of the keynote speakers was the Head of the Supervision Private Sector Department of the Dutch Data Protection Authority (DPA), or the College bescherming persoonsgegevens. The Dutch DPA supervises the processing of personal data in order to ensure compliance with the provisions of the law on personal data protection. It also advises on new regulations. Speaker Udo Oelen addressed different aspects of the Data Breach Notification.
According to Oelen, companies need to take both organizational and technical measures to make sure personal data are not being processed illegitimately or become prey to hackers. Examples of security breaches are USB sticks getting lost, client data being hacked, or medical files ending up in the recycling bin. The DPA needs to be notified when there is a considerable chance of serious negative consequences as a result of such a data breach. These consequences can be material or non-material, e.g. identity fraud.
Innovate? Remember the data!
Personal data represent a tremendous value. Therefore, companies need to secure them according to the latest technological insights. As the practical experience of the DPA confirms, that still doesn't happen often enough. For example, it's very easy to start a web shop, but anyone who handles personal data needs to think about securing it beforehand. When you innovate, you also need to take data into account from day one. The new legislation is meant to enhance the privacy awareness of companies, to make sure that there is an increase of transparency around data breaches, and to discourage organizations from sweeping incidents under the rug for fear of reputational damage.
Prepare and be alert
Organizations can prepare themselves by having their security in order, analyzing the kind of data they work with, and knowing the risks that can occur. They need to check regularly which data they are still handling and what the new security techniques are. They also need to prepare for a scenario where a data breach does happen, and to answer the multitude of questions they will face. How do you handle such an event internally? Have you appointed one specific individual to judge whether the breach needs to be notified? Have you made sure the incident will be registered? Have you thought about the way you will interact with the press? And how can you be sure you keep an open eye for signals from the outside world that might suggest a security breach?
The new green
Today, a number of technologies are being developed that will make all our lives a whole lot easier. But meanwhile – as with the Internet of Things – we will be gathering more and more personal data. People are worrying about what is being done with these data and what effect this will have on their freedom of choice. As an organization, you can probably distinguish yourself in the future by treating personal data with care and accuracy.