The Data Breach Notification & the guidelines of the Data Protection Authority
Privacy - more than meets the eye
On January 1st 2016, the Dutch Data Breach Notification will come into effect. The new ‘privacy law’ can have serious consequences for organizations that fail to adequately protect the personal data they process. It will grant the Dutch DPA the right to impose a fine on organizations that do not notify a data breach – a fine that can amount to € 810,000.
Join us at Privacy With a View, November 6.
More than meets the eye
For Deloitte, privacy is a key asset for organizations, regardless of fines and legislation. This is why, for the third time in a row, we are organizing Privacy with a View. The event is titled Privacy – More than meets the eye, and will take place on November 6. One of the keynote speakers will be the Head of the Supervision Private Sector Department of the Dutch Data Protection Authority (DPA), or the College bescherming persoonsgegevens. The Dutch DPA supervises the processing of personal data in order to ensure compliance with the provisions of the law on personal data protection. It also advises on new regulations. Speaker Udo Oelen will be addressing different aspects of the Data Breach Notification.
Security measures
According to Oelen, companies need to take both organizational and technical measures to make sure personal data are not processed illegitimately and do not fall prey to hackers. Examples of security breaches are USB sticks getting lost, client data being hacked, or medical files ending up in the recycling bin. The DPA needs to be notified when there is a considerable chance of serious negative consequences as a result of such a data breach. These consequences can be material or non-material, e.g. identity fraud.
Innovate? Remember the data!
Personal data represent a tremendous value. Therefore, companies need to secure them according to the latest technological insights. As the practical experience of the DPA confirms, that still doesn’t happen often enough. For example, it’s very easy to start a web shop. But anyone who handles personal data needs to think about a secured line beforehand. When you innovate, you also need to take data into account from day one. The new legislation is meant to enhance the privacy awareness of companies, to increase transparency around data breaches, and to discourage organizations from sweeping incidents under the rug for fear of reputational damage.
Prepare and be alert
Organizations can prepare themselves by having their security in order, analyzing the kind of data they work with, and knowing the risks that can occur. They need to check regularly which data they are still dealing with and what the new techniques in security are. They also need to prepare for a scenario where a data breach does happen, and to answer the multitude of questions they will face. How do you handle such an event internally? Have you appointed one specific individual to judge whether the breach needs to be notified? Have you made sure the incident will be registered? Have you thought about the way you will interact with the press? And how can you be sure you keep an eye open for signals from the outside world that might suggest a security breach?
The new green
Today, a number of technologies are being developed that will make all our lives a whole lot easier. But meanwhile – as with the Internet of Things – we will be gathering more and more personal data. People are worried about what is being done with these data and what effect this will have on their freedom of choice. As an organization, you can probably distinguish yourself in the future by treating personal data with care and accuracy.
The importance of privacy will grow in the coming years. Oelen even calls privacy ‘the new green’. Would you like to hear more? Please join us at Privacy with a View on November 6.