You must report all data breaches to the Dutch Data Protection Authority (AP) within 72 hours, using the data leak reporting desk (meldloket datalekken, in Dutch). In addition, you may also have to inform the data subjects, the persons whose data has been leaked. It is important that you always report a data breach to the AP, even if you are not sure whether it concerns a data breach. If further investigation shows that no data breach has occurred, this can simply be added to the report.
How do I report a data breach?
To be able to correctly fill in a report to the AP, you need to know 3 things:
- What kind of data breach am I dealing with?
- Is there a breach of confidentiality and has personal data been unintentionally disclosed?
- Is it a breach of integrity and has the data been changed?
- Or is it a breach of availability and is the data no longer accessible?
- What data has potentially been leaked?
If you know which data has been leaked, you can estimate whether the data leak poses a risk to the rights and freedoms of the data subjects. If there is no risk, you do not have to report the data breach to the data subjects. Do not underestimate these risks. Even innocent personal data can be extremely valuable in the wrong hands.
- What state is the data in?
Is the personal data encrypted and is the key still secure? Then you do not have to report it, unless this means that you have lost access to the data yourself. If that is the case, you are dealing with a breach of availability. Another example is password leaks. For example, have only the salted hashes (a technique to make decryption more difficult) of passwords been leaked? You do not have to report that. This kind of hashed data leak is not likely to happen.
Depending on your answers to the above questions, you decide whether or not to report. The general rule is that you must report a data breach if there is a risk to the rights and freedoms of the data subjects. In practice, it never hurts to report, while failure to report may be a risk. Are you still unsure whether or not you should report a data breach? The Dutch Data Protection Authority has a detailed explanation (in Dutch), with more examples. Also read the EU guidelines published about the notification obligation.
If the data breach you have discovered has led to unwarranted use of the data, that is, a cybercrime, you also need to report it to the police.