How to: handling data breaches

This 'How to' applies to data breaches in the Netherlands based on Dutch law.

Introduction

Our Information Security Policy for employees asks all colleagues to be alert to potential incidents and report them as soon as possible. This guide is intended for the person handling the reports.

What is a data breach?

The Dutch Data Protection Authority (AP) considers a data breach to occur when personal data is accessed without authorisation or without that being the intention, where the cause is a breach of the security of that data. Unintentionally destroying, losing, altering, or disclosing personal data as a result of such a breach also falls under the definition of a data breach.
Examples of data breaches:
  • Loss of a USB stick
  • Theft of a laptop
  • Intrusion by a hacker
  • Accidentally publishing personal data
  • Hacking, malware, or phishing
  • Personal data sent to the wrong person
  • Disasters such as a fire in a data centre

Mandatory notifications
  • Data Protection Authority: the Dutch 'Algemene verordening gegevensbescherming' (AVG) requires that data breaches be reported promptly, and in any case within 72 hours, to the Dutch Data Protection Authority, unless it is unlikely that the breach poses a risk to the rights and freedoms of the individuals concerned.
  • Data subjects: in addition, the breach must also be reported to the individuals concerned if it is likely to result in a high risk to their rights and freedoms.


Handling reported data breaches step-by-step

Step 1: Assess the breach
Action:
  • Assess the nature of the leaked data, e.g.:
      • (special) personal data?
      • passwords?
      • data about financial situation, or data that could be used for abuse?
      • health data?
  • Assess the scale of the breach: how much data is involved?
  • Assess the potential impact on the individuals concerned.
  • Establish what the adverse consequences may be.
  • Assess the other factors listed on the website of the Data Protection Authority.
  • Determine who needs to be involved in handling the breach (within the organisation, plus any data processors).
Responsible roles:
  • IT lead, possibly together with:
      • the lead of the team within which the breach occurred;
      • for larger breaches: at least 1 board member.

Step 2: Limit consequences
Action:
  • Stop the breach if still possible.
  • Implement measures to limit the breach and the resulting damage.
Responsible roles:
  • Same as Step 1.

Step 3: Report the breach to the Data Protection Authority
Action:
  • Determine whether or not the breach must be reported to the Data Protection Authority and document this consideration.
  • If it is decided to notify the Data Protection Authority, this must be done within 72 hours of discovering the breach.
  • Report via the Data Breach Notification Form of the Data Protection Authority.
  • More information on reporting data breaches can be found on the website of the Data Protection Authority.
Responsible roles:
  • Same as Step 1, possibly together with the Communications officer.

Step 4: Notify data subjects
Action:
  • Determine whether or not the breach must be reported to the individuals concerned and document this consideration.
  • Inform the individuals concerned, following the communication tips from the Data Protection Authority.
  • Determine follow-up care actions for those involved.
Responsible roles:
  • Same as Step 1, possibly together with the Communications officer.

Step 5: Evaluate & improve
Action:
  • Evaluate how the handling of the breach went, identify lessons that can be learned, and document these.
  • Determine actions for improving security, log them, and implement them.
Responsible roles:
  • All colleagues who were involved in the preceding steps.