What is a data breach?
A data breach is any breach of security in which personal data has been lost, unlawfully altered, provided or viewed. Think of data files that are hacked or a laptop that is stolen. A sole threat or shortcoming in the security of personal data is not sufficient. In the event of a data breach, data is in any case lost or exposed to parties who are not entitled to the personal data (this is also referred to as 'unlawful processing'). Pursuant to the GDPR, an organisation is obliged to document all (possible) data leaks. Documentation takes place by including the (possible) data leak in a Register of Data Leaks. In addition, in certain cases there is an obligation to report to the Authority for Personal Data and the parties involved.
How to act in case of a data breach?
Pursuant to the GDPR, a personal data breach must be reported to the Personal Data Authority as soon as possible (within 72 hours at the latest). In addition, you have an obligation to report to those involved if the data breach probably entails a major risk to the rights and freedoms of those involved.
If there is an obligation to report, but you do not comply with it, you run the risk of forfeiting a substantial fine. It is therefore advisable to draw up a Protocol for your organization to Report Data Leaks. This Protocol Duty to Report Data Leaks is a tool for you and your employees to answer the question of whether there is a data leak at all and whether there is a duty to report. In any case, this states that there is an obligation to report:
- To whom and within what period of time a (possible) data breach must be reported;
- By whom and how the incident is investigated; and
- Who is responsible for reporting the leak to the Personal Data Authority and those involved.
Contact us
We at Legal Q can support you in drawing up a Protocol for the reporting of personal data breaches. For more information about this service or if you have any other questions about the AVG, please feel free to contact us.