Data breach? This is what you have to do

Is there a data breach in your own organisation? Or have you identified a data breach somewhere else in your environment and do you want to give the Dutch DPA a tip-off about it?

Directly reporting a data breach or giving a data breach tip-off

Video 'Reporting a data breach: step by step' (in Dutch)

Step-by-step plan for a data breach

If there is a data breach in your organisation, you take the following steps:

1. Obtain an overview of the situation.
2. Take immediate action to stop the data breach and limit the damage caused by the data breach. This also includes an assessment of the risks.
3. Determine whether or not you have to report the data breach to the Dutch DPA. If so, do this immediately.
4. Determine whether or not you have to inform the victims about the data breach. If so, do this as soon as possible.
5. Register the data breach in your internal data breach register.

Below you can read an explanation of these steps. 

Step 1: Obtaining an overview in the event of a data breach

If there is data breach, the first step is to obtain an overview of the situation to ensure that you can take the appropriate follow-up steps. First of all, you have to know the type of data breach.

If you know the type of data breach, the following questions will help you obtain a further overview of the situation:

• What is the cause of the data breach?
• When did the data breach arise? And is the data breach still continuing?
• How long after the data breach arose was it discovered? And how was it discovered?
• What type(s) of personal data have been affected by the breach? For example, name, address, email address, credit card details and/or special personal data.
• How many personal data have been leaked (approximately)? How many persons does it concern?
• What groups of people does it concern? For example customers, employees, students or pupils, patients, residents, etc. Does it concern vulnerable groups? For example children, elderly people or people with a disability.
• How many unauthorised persons approximately (may) have had or have access to the leaked personal data?
• Do you have any idea who those unauthorised persons are? And are the unauthorised persons likely to have malicious intentions with the data? Or does it concern a known, reliable recipient?
• Has your organisation taken measures in advance, as a result of which the leaked personal data are (partially) inaccessible to unauthorised persons? For example because the data have been encrypted?

Step 2: Limiting the harmful consequences of a data breach

How you limit the consequences of a data breach depends completely on the situation. Firstly, you have to try to stop the data breach immediately if it still exists. Secondly, you have to take measures for limiting the negative consequences.

Examples of measures for limiting the damage in the event of a data breach are:

• Remotely erasing or encrypting a laptop, tablet or smartphone.
• Taking a published file offline.
• Asking a wrong recipient for a confirmation that the data from a letter or an email have been destroyed. Although you cannot be absolutely certain that the data have been erased based on such a confirmation, you can include this in your risk assessment.
• Remotely blocking access to an employee's account or cloud service.
• If you are obliged to inform the victims, indicate what they can do themselves to limit the damage.

In-depth investigation in the case of complex data breaches

Sometimes there is a complex data breach. Then it is often necessary to conduct an in-depth digital forensic investigation to establish the seriousness and the scale of the breach and to determine which measures you have to take for limiting the consequences of the data breach and preventing new, similar data breaches from arising.

Is there a complex data breach in your organisation? For example a data breach caused by ransomware? And do you have no idea what to do in such case? If yes, engage an expert, for example, a digital forensic expert.

Step 3: Reporting the data breach and informing the victims

You may be obliged to report the data breach to the Dutch DPA within 72 hours. You may also be obliged to inform the victims about the data breach immediately. You determine for yourself whether this is the case. In Reporting or not reporting a data breach, you can read how to do this.

Step 4: Registering the data breach in the data breach register

Under the GDPR, you are obliged to draw up a data breach register and keep it up to date. In this register, you keep a record of which data breaches have occurred in your organisation. You have to record all data breaches that have taken place within your organisation. Including the data breaches that you did not report to the Dutch DPA.

The objective of the data breach register is that you as an organisation:

• learn from previous data breaches and are aware of data breaches that took place in the past;
• take effective measures for reducing the chance of new, similar data breaches;
• demonstrate with your data breach register to the Dutch DPA that you comply with the data breach notification obligation.

Form and contents of the data breach register

You are free to determine the form of your register, provided that you include the information required by law in it. In any case, you have to state the following information about each data breach:

• the facts regarding the data breach, such as the cause, what exactly has happened, and which personal data it concerns;
• the consequences of the data breach;
• the corrective measures that you have taken.

To help you get started, below you will find tips from the Dutch DPA on how you can best set up your data breach register.

10 tips for professional data breach registration

1. Give a clear and complete description of incidents, their consequences and the corrective measures you have taken. 
2. Make an explicit distinction between corrective and preventive measures. Always record corrective measures in the data breach register. It may be useful to include these measures in the 'plan-do-check-act' cycle.
3.  Avoid fragmentation of registrations: make 1 clear-cut registration that is filled in comprehensively by every part of your organisation. Consider, for example, to make the registration accessible for all employees, so they will be able to check the overview before registering anything themselves.
4. Does your organisation have a Data Protection Officer (DPO)? Then record for each incident whether the DPO has been involved and if so, to what extent. 
5. Record for each incident whether the data breach has been reported to the Dutch DPA and to the victims. And give reasons for why this did or did not happen.
6. Be transparent towards the victims if there has been a data breach. Communicate clearly and in time about it. Keep the proof of that communication and include it in the registration.
7. Draw up a guide or provide a training for the employees who fill in the data breach registration. This instruction may be part of a documented reporting procedure for compliance with the data breach notification obligation.
8. Record which other organisations have been involved in a data breach. For example joint controllers, processors or sub-processors. This comes in handy when you conclude new processing agreements with these processors.
9. Consider the option of classifying the data breaches according to their nature, consequences, victims and possible measures.
10. Regularly discuss the data breach register at the proper level within the organisation as part of a 'plan-do-check-act' cycle. This enables you to learn from mistakes. The DPO or privacy contact person of your organisation can play an active role in these discussions.