You must report a data breach to the Autoriteit Persoonsgegevens (AP) within 72 hours, unless it is unlikely that the breach poses a risk to the individuals concerned. You inform the affected individuals only if the breach is likely to result in a high risk.
When estimating the risk, you consider both how likely it is that harm will occur and how severe the impact would be if it does.
Sometimes the risk is obvious, for example when complete medical records have been leaked. More often, though, it is a matter of assessment. Even then, you must assess the situation objectively. The factors below help you to do so:
The nature of the breach
Has personal data been deleted, altered or leaked? The consequences differ: medical data leaked to an unauthorized person, for example, has different consequences than the same data being lost.
The nature, sensitivity and scope of personal data
The more sensitive the data, the greater the risk of harm. Also take into account personal data that is already (publicly) available, because it is precisely the combination of data that can increase the impact.
Ease with which individuals can be identified
Can the individuals involved easily be identified from the data in the breach?
Severity of impact on individuals
The consequences of a data breach can be serious, especially when the breach can lead to, for example, identity theft or reputational damage. The risk is lower when the data has fallen into the hands of a trusted recipient who has no intention of causing harm.
Special characteristics of the person
When the data breach involves the data of vulnerable people, such as children, they may be at greater risk of harm.
Special characteristics of your organization
For example, the risks in a data breach at a hospital will be greater than in a breach of a newspaper's mailing list.
The number of people affected
In general, the more people involved, the greater the impact of a data breach can be. However, a breach can have serious consequences even when only one person is affected.