16-11-2015 15:03:29

As of January 1st, 2016, there will be a legal obligation to report data leaks. Each loss, theft or unauthorized use of personal data is considered a data leak, so it does not only concern large-scale breaches. And that is not all. Whoever leaks data or processes personal data without properly following the letter of the law, is at risk of getting fines up to € 810.000,- or 10% of the annual turnover per violation. What does this mean for your business?

1. What is a data leak?
The law speaks of a data leak when personal data is lost or processed without authorisation. Unauthorised processing is considered to be the altering and/or editing of personal data and unauthorised access to, or issuing of this data. In short: a fairly broad definition. It is not just a data leak when a hacker gains access to personal data. Losing a USB stick in the train or sending a mailing with addresses in the CC field (instead of the BCC field) is also considered to be a data leak. Even the loss of data in a fire in the datacenter when there is no backup available, is legally seen as a data leak.

As a business, you are expected to take the necessary precautions and proper security measures to prevent data leaks. For example by using encryption techniques.

Leaks where other data than personal data is lost or stolen, are not data leaks. When, for example, the source code of your new software is stolen or a list with company names from your relations data base is copied, this law does not apply.

2. When do you need to report a data leak to the supervising authority?
Not every data leak needs to be reported. The law states that ‘severe’ data leaks need to be reported within two work days. A leak can be serious when it concerns a large amount of data (quantitatively severe), but also when sensitive data is concerned (qualitatively severe). A few examples from the second category are:

• Login data;
• Financial data;
• Copies of identity documents;
• School or work performances;
• Data in relation to convictions;
• Data in relation to health.

3. When do you need to report a data leak to the affected persons?
In case the data leak will likely have negative consequences for the private life of the people whose data has been leaked, you are expected to not only report the leak to the supervising authority within two workdays, but also to the affected individuals. In most cases this will be the client. Negative consequences include:

• Identity fraud;
• Discrimination;
• Reputational damage.

The quantitatively severe data leak (see previous question) is usually always considered to be a negative consequence. Therefore quantitatively severe data leaks are always to be reported to the affected persons.

4. When do you not need to report a data leak?
A data leak that meets the criterion listed in question 2, should always be reported to the supervising authority. It does not matter whether the data leak was due to an error or as a result of force majeure.

However, a data leak does not need to be reported to the affected persons if the leaked data is unreadable, like when personal data are encrypted or when you can remotely delete the data from a stolen laptop for example. You do need to be certain that nobody had the opportunity to view that data. You bear the burden of proof for this.

The assessment whether or not a data leak needs to be reported to the supervising authority and/or the affected persons lies with you at all times. However, you can also be reprimanded for making an incorrect assessment.

5. How should you report a data leak?
The supervising authority will provide a standard form with which to report a data leak. This form needs to be filled out in case of a data leak. The form is then stored in a register that is only accessible to the supervising authority. When a fine is placed on the case of the leak, that decision will be made public however. A data leak will be public by default when the affected persons need to be informed.

6. What information on a data leak do you need to retain?
When you report a data leak to the supervising authority, you are expected to keep an overview in your administration. This overview needs to contain the facts and details on the leak. For example the cause of the leak, the kind of data that has been leaked, the moment the leak was discovered and in what way the leak was stopped. When the data leak has been reported to the affected persons, it is important to keep a file of the communications on the leak. You should assume a minimum retention period of a year for the storage of the aforementioned data. It is advisable to discuss this with the editor (see question 8).

7. What are the implications of the law?
As of January 1st, 2016, the law provides the possibility to impose fines in case the law is not complied with. This fine can be imposed, inter alia:

• Failure to report a severe data leak;
• Not having security in order;
• Processing personal data without authorisation;
• Exporting personal data to countries outside of the EU without the proper regulations.

The fine can amount to € 810.000,- or 10% of the annual turnover. Often a warning will be the first course of action, but the supervising authority may decide to fine immediately when there is reason to assume you have acted intentionally or have been grossly negligent.

8. Does a processor need to report data leaks?
In many cases the processing of personal data is outsourced to a third party. The law calls this third party a processor. Data can be accessible for a cloud service provider that runs updates on software, stored at a hosting provider, or be accessible for the marketing company that sends emails on behalf of clients.

A processor does not have to report a data leak to the supervising authority. However, the processor is expected to ensure that their client can make a timely report in case of a data leak. Written agreements need to be made to stipulate in what way the clients will be notified of a data leak by the processor. These agreements can be entered into a processing agreement.

Note; are you a processor and a data leak also contained information on your own client records, you do need to report the leak yourself. In the end, you are responsible for that information.

9. What can you do to prepare for the compulsory notification?
Do you want to be well-prepared for the compulsory notification of data leaks? Take the following actions:

• Take stock of who processes your data and whether or not you have a processing agreement with them;
• Update your processing agreement with a provision on data leaks;
• Make sure you have an NDA mentioning personal data with every party you work with;
• Check in what way the businesses that process personal data for you, store this data. Is it secure? Of course, check this for your own business as well;
• When companies claim to be certified (for example ISO 27001), request the scope of the certification;
• Check with your insurer or insurance agent whether or not you are insured against data leaks (cyber risk insurance);
• Adopt an internal procedure for handling and reporting data leaks.

10. Procedure compulsory notification data leaks
Did a data leak occur and do you want a quick and clear overview of what to do to report it? See the decision tree diagram in this link for reporting data leaks.

11. Questions?
Are you unsure whether a data leak should be reported or not, do you have question on how to arrange things with third parties or do you require assistance in setting up an internal procedure for reporting a data leak? Please contact ICTRecht on 020-6631941 or info@ictrecht.nl.
In the blog above you have read that you may have to make arrangements with a processor. In case BIT is your data processor, our Service Level Agreements will be updated with a provision on data leaks, starting on January 1st 2016, so you will not need a separate processing agreement with BIT. The issue of confidentiality as addressed in the blog is already part of our SLA’s. Finally, we would like to mention that all of BIT’s services are ISO 27001 certified, the scope (aka statement of applicability) can be found in our portal.  

---

By BIT:
In the blog above you have read that you may have to make arrangements with a processor. In case BIT is your data processor, our Service Level Agreements will be updated with a provision on data leaks, starting on January 1st 2016, so you will not need a separate processing agreement with BIT. The issue of confidentiality as addressed in the blog is already part of our SLA’s. Finally, we would like to mention that all of BIT’s services are ISO 27001 certified, the scope (aka statement of applicability) can be found in our portal.