A piece of mail returns opened, a laptop is stolen or an e-mail ends up with the wrong recipient: a leak of personal data security is also known as a data leak. Since the 1st of January 2016, the data leak reporting obligation has applied in the Netherlands.
Organisations that process personal data are required to report a data leak to their Data Authority, in the Netherlands for example, this is the Autoriteit Persoonsgegevens (AP). In some cases, those affected (the individuals whose data is leaked) must also be notified. But even if a data leak does not have to be reported to the AP or data subjects, organisations are required under the General Data Protection Regulation (GDPR) to document data leaks.
A data leak is a leak of personal data security. A data leak occurs not only if personal data is lost, but also if unlawful processing of personal data “cannot be ruled out”. For example, if an insurer discovers that personal data could be viewed as a result of a poorly secured web application. Even if it cannot be determined whether that actually happened and what data was accessed, the leak must be considered a data leak. After all, in that case it cannot be ruled out that the personal data were processed unlawfully.
The purpose of the reporting obligation is to prevent data leaks and, if they do occur, to limit their consequences for those involved. The reason for the introduction of the reporting obligation was a number of incidents in which personal data was released with adverse consequences for the privacy of those involved.
Under the GDPR, this duty to report consists of the obligation to report a “personal data leak” to the supervisory authority on the one hand and to the data subjects on the other.
Under the GDPR, you must report a data leak to the regulatory authority if it has serious adverse consequences for the protection of personal data. Reporting is also required if a data leak leads to “a significant likelihood” of serious adverse consequences for the protection of personal data. The GDPR manual from the Ministry of Justice and Security shows that under the GDPR, in principle every data leak must be reported, “unless the leak is unlikely to pose a risk to the rights and freedoms of natural persons. You must report the data leak as soon as possible – but no later than 72 hours after the discovery. If this fails, an explanation will have to be given for the delay.
Under the GDPR, you must report a data leak to the data subjects if the data leak is likely to have adverse effects on their privacy. Examples of this are possible identity fraud, unlawful publication or discrimination.
The GDPR provides that an organisation must notify a data subject of a data leak if the leak poses “a high risk” to data subjects. There are a number of exceptions to this. For example, a data subject does not have to be informed if an organisation has taken measures that have eliminated the identified risks. An exception to the data leak reporting obligation to data subjects also applies to financial enterprises, as referred to in Article 1:1 of the Financial Supervision Act (Wft). Incidentally, this exception does not mean that the financial enterprise does not have to inform data subjects; if the duty of care requires it, despite the exception in the GDPR Implementation Act, the financial enterprise will also have to report the data leak to the data subjects.
If a company does not comply with the rules from the GDPR, the regulator can take enforcement action. This means that the regulator can impose a penalty or an administrative fine. This can get pretty serious: failure to report a data leak can be sanctioned with an administrative fine of up to 10 million euros or 2% of the worldwide annual turnover. In addition, the regulatory authority can, for example, use a binding instruction to require an organization to still report a data leak to those involved. Failure to comply with this instruction can be punished with an administrative fine or an order under penalty.
Want to know more about the steps you need to follow when identifying and reporting a data leak? You can follow our GDPR Awareness e-learning through our learning institute, The Ministry of Compliance. After completing the training, you will be familiar with the privacy rules and know how to deal with personal data, data leaks and the rights of data subjects in practice.
Read more about our privacy related services or reach out to us.