Since 1 January 2016, pursuant to Article 34a of the Personal Data Protection Act (‘WPB’), there has been an obligation to report data leaks, under which organizations that process personal data must report specific data leaks to the Dutch Data Protection Authority (AP) and, in some cases, also to the data subjects whose personal data have been leaked. Under the GDPR, organizations are likewise required to report specific data leaks.
What is a data leak?
A data leak occurs if a security incident takes place in which personal data have been lost to the controller (‘loss’) or in which it cannot be excluded that personal data have fallen into the hands of third parties (‘unlawful processing’). It does not matter whether the security incident was intentional or accidental. If an organization secures its systems with an outdated version of antivirus software, there may be a security leak, but that does not in itself mean that there is a data leak. As soon as a virus infection of the systems results in personal data becoming accessible to third parties, however, there is a data leak. Other examples of security incidents that may involve a data leak include:
- a targeted attack by hackers;
- theft of a computer, telephone or laptop;
- loss of a file, USB stick or other data carrier;
- an infection by malware such as ransomware or cryptoware;
- discarding a confidential file together with the ordinary waste paper;
- sending an e-mail with personal data to the wrong person;
- loss of a password;
- a software or installation error in which data may have been lost;
- the viewing of files by unauthorized employees; and
- fire in a data centre.
Reporting a data leak
Not every data leak needs to be reported. Under the WPB, a data leak must be reported to the AP if it leads to (a considerable chance of) serious adverse effects on the protection of personal data. This must be assessed on a case-by-case basis. Factors that play a role include the scale of the data leak, the nature of the leaked data, the number of data subjects whose personal data have been leaked, and the position of the data subjects. The more personal data of larger numbers of people are lost or possibly exposed to unlawful processing, the sooner the leak must be reported. The same applies if personal data of a sensitive nature are leaked. Personal data are of a sensitive nature – not to be confused with ‘special personal data’ – if loss or unlawful processing of these data may lead to stigmatization or exclusion of the data subject, to damage to people’s health, to financial loss or to (identity) fraud. Examples of such personal data of a sensitive nature include: special personal data as referred to in Section 16 of the WPB (data about, inter alia, people’s origin, religion, political preference, sexuality and health); information about the financial or economic situation of the data subjects (debts, salary, payment details); usernames, passwords and other log-in data; data that can be abused for (identity) fraud (identity cards, tax and social security numbers or biometric data); and other data that may lead to stigmatization or exclusion of the data subject (such as data regarding addiction problems, work performance and/or relationship problems).
Under the GDPR, a different, stricter starting point applies. Pursuant to Article 33 GDPR, an organization that processes personal data must report any data leak to the AP, unless it is unlikely that the data leak will pose a risk to the rights and freedoms of natural persons. This stricter principle will lead to reporting at a much earlier stage. In accordance with Article 33(3) GDPR, the following information must in any event be reported to the AP:
- the nature of the data leak, if possible stating the categories of personal data that have leaked, the categories of data subjects, an indication of the amount of leaked data and the number of persons affected;
- the name and contact details of the data protection officer;
- the likely consequences of the data leak; and
- the measures taken to deal with the data leak or to limit the adverse effects thereof.
When should a data leak be reported to the data subject?
A data leak that must be reported to the AP does not always need to be reported to the data subject; a separate assessment must be made with regard to that obligation. The idea behind notifying the data subject is that they can then be alert and guard themselves against the possible consequences of the data leak. Under the WPB, a data leak must be reported to the data subject if it is likely to have adverse effects on their personal privacy. This is the case, for example, if the data subject is faced with (identity) fraud, discrimination, defamation or unlawful publication. Under the GDPR, a data leak must be reported to the data subject if it is likely to pose a high risk to the rights and freedoms of natural persons. What this criterion means in practice still has to be determined, for example on the basis of AP guidelines. Under both the WPB and the GDPR, the data subject does not need to be informed if adequate protection measures have been taken, such as encryption, that make the leaked personal data incomprehensible or inaccessible to third parties. In addition, under the GDPR there is no need to notify the data subject if measures have been taken afterwards to ensure that the high risk is unlikely to materialize, or if a notification would require disproportionate effort. In the latter case, for example, an equally effective public announcement will suffice.
How soon must this be reported?
Under both the WPB and the GDPR, the report to the AP and, where applicable, to the data subject must be made without undue delay and, if possible, no later than 72 hours after discovery of the data leak. This period also applies if an organization uses a processor. Even if a processor discovers the data leak, the organization remains ultimately responsible for timely reporting, and is therefore dependent on quick action and efficient cooperation from the processor. Make sure, therefore, to also instruct other people within the organization, such as employees, that any data leak must always be reported as soon as possible.
Keeping track of data leaks
Under the WPB, organizations must maintain an overview of all data leaks that must be reported. Under the GDPR, organizations must keep an overview of all data leaks, including the leaks that do not need to be reported.
Under the WPB, the overview per data leak must in any event contain the facts and data concerning the nature of the breach. If the data leak has been reported to the data subject, the text of the notification must also be included in the overview. Under the GDPR, the overview must state what the facts and consequences of the data leak are, and which recovery measures were taken.
Neither the WPB nor the GDPR determines how long the overviews must be kept. It follows from the AP guidelines regarding the WPB that a retention period of at least one year is assumed.
In the event of non-compliance with the obligation to report data leaks, the AP may impose a fine. Under the WPB, the level of the standard fine is set between € 120,000 and € 500,000. In exceptional situations, however, the fine may increase to a maximum of € 820,000 or 10% of the annual turnover. Under the GDPR, the fine may increase to € 20,000,000 or 4% of the worldwide annual turnover. Failure to comply with the obligation to report data leaks may also result in substantial reputation damage to an organization.
What does the obligation to report data leaks mean for your organization?
The occurrence of a data leak is not always within your control. By taking appropriate protection measures such as encryption, however, you can avoid having to report a data leak to the data subject. Sector-specific security standards may be helpful in determining and implementing the appropriate protection measures for your organization. In addition, the obligation to report data leaks, both on your part and on the part of a processor, requires adequate and prompt action once a data leak has been discovered. It is therefore very important to lay down clear arrangements in a processor agreement.
Concluding a processor agreement between you and a processor that contains clear arrangements is therefore a wise thing to do. A data leak procedure tailored to your organization may also be quite useful. The increase in the fines for non-compliance with the obligation to report data leaks under the GDPR makes it all the more important to have both clear arrangements with a processor and a data leak procedure in place.
It is important to bear in mind that it is not the data leak itself, but the failure to report it to the AP, that may lead to an administrative fine. In case of doubt as to whether a data leak must be reported, it is therefore highly preferable to make a report. In view of the significant fines that may be imposed in the absence of a report, an organization that processes personal data has a major financial interest in ensuring that employees and other persons within the organization who have experienced a data leak in which personal data have (possibly) fallen into the hands of third parties (such as the loss of a laptop, a file or a digital data carrier) report this to their employer as soon as possible, so that the harmful consequences of the data leak can be limited as much as possible and, if necessary, the leak can be reported to the AP in time. It is therefore advisable to include a clause in the employment contract with your employees, or in your personnel manual, that requires employees to report theft or loss of data carriers to the employer as soon as possible, on pain of a penalty.