Since 2016 you have been obliged to report certain data breaches if you have suffered one. But when does a data breach really need to be reported? Find out in this article.
A Data Breach
We speak of a data breach when personal data falls into the hands of third parties who should not have access to that data. A data breach is the result of a security problem. The most common data breaches are leaked computer files, although a stolen printed customer list can just as easily constitute a data breach.
Other examples: cyber attacks (including DDoS), emails sent to the wrong addresses, stolen laptops, discarded computers that were never wiped, and lost USB sticks.
Illegally obtained business data on a production process or market strategy is valuable information, but it does not fall under the common definition of a data breach, which concerns personal data.
If a company telephone is lost or stolen, it may be a data breach. If a private telephone is lost, there is no data breach.
Some further examples:
An employee has left his business laptop in his car and the laptop has been stolen from the car. That is, of course, a security incident, but is it also a data breach? That depends first of all on what was on the laptop, but for this example let's assume it held (financial) customer data, in which case it is indeed a data breach.
Several years ago, one of our partners received another employee's employment agreement. He could see everything: salary, personal data, etc. So there can even be a data breach within a company, when an employee's personal data is shared with another employee who is not allowed to inspect it.
A good way to secure data is to encrypt it. Encrypted data is reduced to a meaningless string of letters and numbers; only someone who holds the key can read it. However, if you lose the key, you can no longer access the data. Nobody else can either, but the data has nonetheless become unavailable, and that loss of availability is also a data breach.
When to report a data breach?
So, you have had a data breach, but what's next? Do you always have to report it? No: only when there are serious consequences for the data subjects involved. This can be the case when:
personal data of a sensitive nature has leaked, e.g. data on religion or belief, race, political persuasion, health, sexual life, trade union membership or criminal data.
the nature and extent of the breach lead to (a significant likelihood of) serious adverse consequences for the protection of personal data. This will be the case, for example, where a particularly large amount of personal data belonging to large groups of data subjects has leaked.
In both cases stated above, you have to report the data breach to the data protection authority (DPA) within 72 hours. Some data breaches must be reported not only to the national DPA but also to the data subjects to whom the leaked data relates. This is the case if the data breach is likely to have an adverse impact on the privacy of the individuals concerned.
In our plugin you will find a data breach inventory that helps you decide whether or not you need to report your data breach!