|A data date|
|In story-telling tradition, no-one has been|
better-known for dealing with breaches
than the Dutch (see here)
What is a security breach? Article 4 of the Proposal for the Regulation defines "personal data breach" as "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". However, the duty of notification requires that such a breach must have serious adverse consequences. In this regard, the Dutch Act sets forth some parameters to help assess the consequence of a breach. These include the nature and scope of the breach, the nature of the personal data, the extent of the technical protective measures activated and the impact on the privacy of the individuals affected by the breach.
|Reporting a breach? You|
may need to exchange your
clogs for running shoes ...
Liability for violation of the Dutch Data Protection Act can be ascribed jointly to the data controller and the data processor, if the latter is also involved in the breach. The data controller and the data processor may agree to cooperate in fulfilling the obligation of notification. Incidentally, personal liability is also placed on company executives under the Dutch reform.
Liability will be punished with a fine of between 20,250 and 810,00 euros, depending on the seriousness of the violation. In extreme cases an administrative fine of 10% of the net annual turnover may be imposed, if the violation is not rectified after the Data Protection Authority sends its 'binding instruction'.
Given the sensitivity of personal data breaches, perceived as being of an urgent nature in everyday life, the reforms discussed here are welcome, provided that data controllers establish best practices in complying with the obligation to notify the breach in an effective and expeditious fashion. The time frame in which data controllers may exercise their discretion in notifying data breaches to the individuals affected should be as short as possible as to allow for the cooperation of data breach victims in containing the consequences of the breach. In this context a 24-hour time limit should be good where it is feasible.
Going Dutch: a national initiative on data breach notification overtakes EU proposal Reviewed by valentina torelli on Friday, June 19, 2015 Rating: