You reported a potential data breach; what happens now?
1. The DPO will determine whether this is technically a data breach
A data breach is when personal data held by an organization is accessed, destroyed, altered or disclosed without this being the organization’s intention.
2. The impact of the privacy risk will be assessed
How long did the unwanted situation continue, what size of group is involved and what will be the damage for the data subjects if somebody who wishes to do harm accesses the breached data?
3. Next steps
What steps should be taken to end the unwanted situation as quickly as possible? Is follow-up investigation necessary in order to determine the impact?
4. Transparency and communication towards the data subject
How, and with what information, can the data subjects be made aware of the incident, so that they are informed and can take follow-up actions to reduce or remove potential risks?
5. Report to DPA?
Assess whether the data breach should be reported to the Dutch Data Protection Authority.
The obligation to report data breaches means that organizations (both businesses and government organizations) have to immediately notify the Data Protection Authority (AP) as soon as they have a serious data breach. And sometimes they also have to report the data breach to the data subjects (the people whose personal data have been affected by the breach).
6. Preventing similar incidents
What additional actions are needed and desirable for the employees involved in the potential data breach? This could include evaluation, formulating lessons learned and modifying work processes. It could also include specific awareness meetings and/or training sessions offered by the EUR privacy organisation. The case can be added as a learning point in the EUR awareness campaign and/or privacy training and added to the FAQ list on MyEUR. Agreements should be made with the employees involved in the potential data breach regarding a test moment to determine the effectiveness of the adapted working method.
Five basic guidelines for working with personal data
Please view the video below and share within your department.