Data Breach Policy
What constitutes a breach?
A breach is a lapse in security that results in the accidental (or purposeful) destruction, modification, loss, unauthorized disclosure of, or access to, personal data under the care of your organization. Breaches can include access by an unauthorized third party, the theft or loss of devices containing personal data, the sending of data to an incorrect recipient, the unauthorized modification of personal data, or the loss of availability of the data.
If the data breach is likely to present a risk to the rights and freedoms of the data subjects, then the organization must report the breach to the proper supervisory authority. However, if the breach has a low risk of affecting these rights and freedoms, it does not need to be reported. However, the organization should document whichever decision it makes so it is able to justify it down the road if necessary.
If the breach is serious enough to warrant notification, the organization must do so “with undue delay,” within 72 hours of the discovery of the breach, in accordance with GDPR. If the organization takes longer than this to notify the appropriate authority or the affected data subjects, they must be able to provide a reason for the delay. It may be the case that the organization will not know the cause of the breach or other relevant information within the required 72-hour notification period. In the event that not a lot of information is known about the breach, the organization will still be required to provide the initial notification to the appropriate authority, however they provide the details in phases and let them know when to expect further information.
What to do when a breach is suspected
Immediately notify the Data Protection Officer (DPO). The DPO will log the suspected breach and will assess the impact.
Containment and recovery
The Data Protection Officer (DPO) will first determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimize the effect of the breach.
An initial assessment will be made by the DPO in liaison with the relevant officer(s) to establish the severity of the breach. After that, the DPO will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
The DPO, in liaison with the relevant officer(s) will determine the suitable course of action to be taken to ensure a resolution to the incident.
Notification of subjects and authorities
The DPO will contact subjects within one (1) working day after the breach has been confirmed through an e-mail to a list of known contacts informing them of the breach, the potential consequences and the resolution. The DPO will also inform the Dutch authorities according to legal requirements.
Investigation and risk assessment
An investigation will be undertaken by the DPO immediately and wherever possible, within 24 hours of the breach being discovered/reported.
The DPO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
The investigation will need to take into account the following:
- its sensitivity;
- the protections are in place (e.g. encryptions);
- what has happened to the data (e.g. has it been lost or stolen;
- whether the data could be put to any illegal or inappropriate use;
- data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s);
- whether there are wider consequences to the breach.
Evaluation and response
Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
- where and how personal data is held and where and how it is stored
- where the biggest risks lie including identifying potential weak points within existing security measures
- whether methods of transmission are secure; sharing minimum amount of data necessary;