Preventing a data breach and being prepared
A data breach can happen to any organisation. But you can take measures to prevent data breaches as much as possible. If you nevertheless suffer a data breach, it is important that you take swift action.
Is there a data breach in your own organisation? Or have you identified a data breach somewhere else in your environment and do you want to give the Dutch DPA a tip-off about it?
Directly reporting a data breach or giving a data breach tip-off
You prevent data breaches as much as possible by taking security measures that have been tailored to your organisation. To take swift action in case of a data breach, it helps to have a work process in place that has been communicated throughout the organisation. In this way, everyone in your organisation will know what to do if there is a data breach.
Security measures
There is no ready-made solution that provides guaranteed security against data breaches for every organisation. In practice, it involves a set of various measures that supplement and reinforce each other and that you have to check continuously and adjust where necessary ('plan-do-check-act'). This set of measures is different for each organisation. The basis for your security measures is your security plan.
Security plan
A good security plan for the prevention of data breaches always starts with a risk analysis, to ensure that you know where your organisation is most vulnerable to data breaches. Based on this you determine the measures. Make sure that you have insight into the information flows in your organisation and into the business and privacy risks they entail. Update this overview regularly.
These questions will help you do this:
- What do the information flows in your organisation look like?
- Where are the critical business processes?
- Which personal data do you process? At which (digital and physical) locations are they stored? Which data are the most sensitive?
- Which systems do you have? Is there a functionality or software in your organisation that you do not need (anymore)?
- Which employees have access to which personal data? And do they really need that access for their job?
- What can go wrong? And what risks does that entail? Think of burglary, phishing, fire, loss of mobile devices, etc.
Preventing data breaches or mitigating consequences
The General Data Protection Regulation (GDPR) says that you have to take ‘appropriate technical and organisational measures’ for protecting personal data. However, what is appropriate varies from organisation to organisation.
As a supervisory authority, the Dutch Data Protection Authority (Dutch DPA) cannot give you tailor-made advice or provide technical instructions. We do offer a number of general tips, though. These tips are based on the most common data breach notifications that the Dutch DPA receives.
- Take sufficient security measures, such as measures for reducing the risk of a data breach caused by ransomware.
- Carry out an internal clean-up. For example, remove emails or files that are no longer necessary; these often contain personal data. Or clean up address books. In doing so, you prevent a data breach from affecting an unnecessarily large amount of personal data. When you remove personal data, check whether these data are also in a backup. If so, remove the data from the backup as well.
- Make sure that your employees only have access to the personal data that they really need for their job. Check the log files periodically for unlawful access.
- Raise the awareness of your employees, among other things of the risk of hacking, phishing and malware. You can, for example, use the information Eerst checken dan klikken that can be found on veiliginternetten.nl (in Dutch only).
- Only engage suppliers that offer sufficient guarantees of appropriate technical and organisational security measures. Conclude a processing agreement in which you set out exactly which personal data the supplier processes for you and what you can expect from each other in the event of a data breach.
- Set bcc as a standard option in your email programme. This reduces the chance of a data breach caused by an employee inadvertently making the email addresses of a group mail visible to everyone.
- Secure mobile devices. There are several measures that you can take to mitigate the damage in the case of a data breach caused by, for example, the loss of a mobile phone, such as encrypting the hard disk or using multifactor authentication.
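As an added example (not from the Dutch DPA page), the following Python script shows how the tips on limiting access and checking log files can be combined: a periodic review that compares an access log against a need-to-know matrix and flags every access that falls outside an account's role. The log format, role names and sample log lines are constructed for illustration.

```python
# Added example, not from the Dutch DPA page. The log format, roles and
# sample lines below are constructed for illustration.
from collections import namedtuple

# Constructed need-to-know matrix: which data categories each role may access.
ROLE_ENTITLEMENTS = {
    "hr_officer": {"payroll", "personnel_file"},
    "sales_rep": {"customer_contact"},
    "support_agent": {"customer_contact", "support_ticket"},
}
# Constructed account-to-role mapping; accounts missing here are unknown.
USER_ROLES = {"anna": "hr_officer", "bert": "sales_rep", "chris": "support_agent"}

Finding = namedtuple("Finding", "timestamp user category reason")

def parse_line(line):
    """Parse the constructed format '<timestamp> user=<u> category=<c> action=<a>'."""
    timestamp, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return timestamp, fields["user"], fields["category"], fields["action"]

def review_access_log(lines):
    """Return one Finding per access that falls outside the account's entitlements."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, category, _action = parse_line(line)
        role = USER_ROLES.get(user)
        if role is None:
            findings.append(Finding(ts, user, category, "unknown account"))
        elif category not in ROLE_ENTITLEMENTS[role]:
            findings.append(Finding(ts, user, category, f"not needed for role {role}"))
    return findings

# Constructed sample log: two legitimate reads, one out-of-role read, one unknown account.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=anna category=payroll action=read
2024-03-01T09:05:40Z user=bert category=customer_contact action=read
2024-03-01T09:07:02Z user=bert category=payroll action=read
2024-03-01T09:09:15Z user=dave category=personnel_file action=export
"""

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.user} -> {f.category}: {f.reason}")
```

Each finding is a candidate for follow-up under the internal work process described below: either the access was unlawful, or the entitlement matrix is out of date and needs correcting.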
Work process in the event of a data breach
To be able to respond swiftly to a data breach, you have to take measures to ensure that everyone in your organisation immediately identifies a (possible) data breach and reports it internally. In addition, it is a good idea to adopt an internal work process that provides guidance as soon as a data breach occurs.
Recognising a (possible) data breach
Swift action starts with recognising a possible data breach. You can discover possible data breaches by (automatically) monitoring your network traffic. Or an employee may see something suspicious. To be able to see a data breach, your employees first need to know what it is.
That is why you have to pay attention to the subject internally, for example during an (induction) training or a meeting. Tailor the information to the work process of the employee. For example, does someone email a lot with (unknown) external parties? Then draw this person's attention to recognising phishing emails, among other things.
Internal report
Your employees should not hesitate to report a data breach internally. A data breach can happen to everyone; in fact, taking immediate action is a sign of professionalism. That is why you have to pay attention to the subject internally, and ensure that everyone has been informed of the work process in the event of data breaches and feels safe enough to report a data breach.
Your work process for data breaches
You include, for example, the following information in your internal work process for data breaches:
- Who the first point of contact is in the event of a (possible) data breach. For example the director, a privacy contact person or the Data Protection Officer (DPO).
- The period within which employees have to report a (possible) data breach to the point of contact.
- Contact details of the point of contact. Is there an emergency line outside office hours? Who is the backup during holidays?
- Arrangements on who does what when follow-up steps are taken to put a stop to a data breach.
- The way your organisation registers the data breach internally.
See also
Privacy story
At Onno's administrative office, a data breach arose as a result of an incorrectly addressed email. "I did not realise sufficiently that emailing files is far too risky in the first place." (In Dutch)