How do I assess the risks of a data breach?

Personal Data Authority
July 28, 2022

ANSWER

You must report a data breach to the Personal Data Authority (AP) within 72 hours, unless the breach is unlikely to result in a risk to the individuals concerned. You inform the affected individuals themselves only if the breach is likely to result in a high risk for them.
When estimating the risk, you look at two things: how likely it is that harm will occur, and how severe the impact will be if it does.

Objectively assessing the risks of a data breach

Sometimes the risk is very obvious, for example when complete medical records have been leaked. More often, however, it is a matter of judgement. Even then, you must assess the situation objectively. The factors below help to make your assessment objective:
The nature of the breach
Has personal data been deleted, altered or leaked? Example: medical data leaking to an unauthorized person has different consequences than the same data being lost.
The nature, sensitivity and scope of the personal data
The more sensitive the data, the greater the risk of harm. Also consider personal data that is already (publicly) available, because it is precisely the combination of data that can increase the impact.
Ease with which individuals can be identified
Based on the breached data, can you easily tell who the individuals are?
Severity of the impact on individuals
The consequences of a data breach can be serious, especially when the breach can lead to, for example, identity theft or reputational damage. The risk is reduced when the data has ended up with a trusted recipient who has no intention of causing harm.
Special characteristics of the person
When data of vulnerable individuals, such as children, are involved in the data breach, they may be at greater risk of harm.
Special characteristics of your organization
To illustrate, the risks of a data breach at a hospital will be greater than those of a data breach involving a newspaper mailing list.
The number of people affected
In general, the more individuals are involved, the greater the consequences a data breach can have. However, a breach can have serious consequences even for a single person.
Resource: sample list of breaches to report / not to report
It is your own responsibility to assess the risk of a data breach. The AP cannot do that for you without conducting an investigation.
However, we do offer practical information to help you make your own informed decision, such as the example list of breaches to report or not to report to the AP and to the individuals concerned.