PONT Data&Privacy

You notice a data breach; what AVG measures should you take as an employer?

As an employer, you are exposed to data breaches. To prevent them, and to avoid fines from the Personal Data Protection Authority (AP), you must comply with various obligations that follow from the General Data Protection Regulation (AVG). But what if you do face a data breach? What measures should you then take? The new guidelines provide more clarity on this and help you assess the risk. If there is a risk, it is important to report the data breach correctly and on time.

March 15, 2021

Article

Avoid a data breach fine from the AP!

The AVG has now been in effect for almost three years, and many employers have experienced their first data breaches. Since its entry into force, the Personal Data Protection Authority (the AP) has already imposed various sanctions for non-compliance with the data breach obligations, among them six hefty fines, one of which was imposed for late notification of a data breach. That fine amounted to €600,000.

To avoid being fined, it's important that you follow the rules properly the moment you detect a data breach!

What is the protocol when a data breach is detected?

If an employee reports a possible data breach, take the following steps:

Step 1: Check whether there is indeed a data breach;
Step 2: Is there a data breach? Register the data breach in the data breach register and take corrective and preventive measures where necessary;
Step 3: Consider whether you should report the data breach to the AP and/or data subject(s) and ensure timely notification.

Under the general guidelines on data breaches, the main rule is that a data breach must be reported to the AP within 72 hours of its discovery. This is not required if the breach is unlikely to result in a risk to the data subjects. The data subject(s) themselves need only be informed if there is a high risk.

In practice, it is not always clear which data breaches must be reported to the AP and/or to the data subject(s). Assessing the risks also proves difficult.

Guidelines on data breach notifications

For that reason, the European Data Protection Board (EDPB) has drawn up new guidelines on data breach notifications. These supplement the already existing general guidelines on data breaches. The new guidelines have not yet been finalized, but that should not take long now that the consultation period has closed.

Data breach examples should help assess risk

The guidelines are intended to help with assessing these risks. The EDPB has chosen to provide examples of common categories of data breaches, indicating for each:

  • what measures an organization should have taken in advance in that case;

  • what actions the organization should take after the incident;

  • how the risks can be assessed; and

  • in which cases the AP and the data subject(s) must be notified.

Examples of data breaches detailed in the guidelines include:

  • sending an e-mail containing sensitive data to the wrong recipient;

  • sending a letter containing personal data to an incorrect address;

  • a situation where identity fraud causes an e-mail address to be changed in a company's system, so that e-mails are sent to someone other than the customer;

  • theft of documents containing personal data.

More articles by RWV Lawyers
