What you need to know.

As a company, you must secure your databases sufficiently in order to prevent data breaches. A data breach occurs not only when unauthorised parties gain access to personal data (every company is confronted with hacking at one time or another) but also when personal data is lost (a laptop is stolen, someone mislays a USB stick, etc.).

If you become aware of a data breach within your company, in principle you must notify this to the authorities within 72 hours. An exception is made when the risk of negative consequences for the data subjects (such as identity fraud, financial losses, reputational damage or violation of professional confidentiality) is limited. For instance, this is the case when only data that are already publicly available have been stolen, or the personal data are encrypted and you have a back-up.   

By contrast, if the risk of negative consequences is high, you must notify the data subjects as well. The authorities can recommend this in response to the notification. This applies especially when sensitive or financial data are stolen.

In principle, you do not risk a fine when reporting a data breach, unless this clearly demonstrates that your databases are inadequately secured. However, you do risk a fine if you fail to comply with the notification obligation.

What you need to do by 25 May 2018.

Secure your databases and establish an internal security policy for preventing data breaches.

Set up an internal procedure for detecting data breaches, notifying a central responsible person within your company and evaluating the risks for those whose data are involved. Also establish external procedures regarding the notification to the authorities and communications with the data subjects.

Make sure that you document all of your data breaches – including those that do not have to be notified – in order to prove that you have fulfilled your notification duty.