In anticipation of the EU General Data Protection Regulation, which is expected to be adopted around 2016/2017, the Dutch government has decided to implement a data breach notification duty ahead of it, and to significantly expand the powers of the Dutch Data Protection Authority. As of 1 January 2016, these new rules become effective in the Netherlands. Both Dutch businesses and foreign businesses that share personal data with Dutch organizations should be well prepared to ensure compliance with the new privacy obligations.
The ever-expanding processing of personal data makes organizations more and more vulnerable to data breaches. From a security perspective, developments such as the growth of cloud-based services and e-commerce, and the introduction of new payment methods, deserve particular attention. Security experts point out that organizations should not focus solely on external attacks: a data breach caused by employee negligence is at least as likely.
Criteria for notifying the Authority and the data subjects
Regardless of the cause of a data breach, organizations that qualify as data controllers under Dutch law must notify security breaches to the Dutch Data Protection Authority without delay. An incident must be notified if it has, or poses a significant risk of having, serious adverse consequences for the protection of personal data. Where negative consequences for the privacy of the affected individuals are likely, the breach must also be reported to the data subjects concerned. The severity of the potential consequences is key when assessing the implications of a data breach. The following factors should in any case be taken into account in this assessment: the nature and scope of the breach, the sensitivity of the personal data involved, the extent to which technical measures (such as encryption) had been put in place, and the consequences for the privacy of the affected individuals. The Dutch Data Protection Authority will issue guidelines explaining which incidents must be reported and in what manner.
Data breach register
Organizations will also need to keep an internal register of the data breaches that have occurred. This register must in any event record the facts concerning the nature of each breach, the information about it that was sent to the affected individuals, and the measures taken after the breach. The purpose of the register is to let the organization learn from past incidents. Which language the register must be kept in remains to be seen; this is of particular relevance to global businesses that have Dutch establishments or that do business with Dutch organizations.
As of 1 January 2016, non-compliance with the main privacy obligations, including the mandatory notification of security breaches, is punishable with a fine of up to EUR 810,000 or, if the Dutch Data Protection Authority deems this a more suitable punishment, up to 10% of the net annual turnover of the previous year. A fine can only be imposed after a 'binding instruction' has been issued, unless the violation was committed intentionally or results from serious culpable negligence, in which case the fine may be imposed immediately (a 'tit-for-tat' approach). The Dutch Data Protection Authority additionally retains the option of imposing an order for periodic penalty payments.
Recommended steps to be taken
In view of the forthcoming breach notification requirements, organizations are advised to verify whether and when these duties apply to them, and to raise awareness of the risks of data leaks. More specifically, it is recommended to introduce a Data Breach Response Plan describing, among other things, the measures an organization takes to prevent security breaches and how it will respond when an incident does occur. In addition, organizations should check their insurance coverage and seek legal expertise in good time. A proper assessment of the situation by specialists in privacy, IT and media law, together with forensic experts, should limit the impact of a data breach as much as possible. The damage from such incidents is serious enough as it is.
Elisabeth Thole is a lawyer at Van Doorne, Amsterdam. She leads the Van Doorne Privacy Team, and is a member of the Van Doorne Cyber Response Team. Elisabeth may be contacted at email@example.com