It has been known for quite a while, but now it’s getting really close: the new European legislation on privacy, data protection and the notification obligation in case of data breaches. This change in legislation has a major impact on organizations, including yours. So we would like to take the time to provide you with some useful tips on how to comply with this new regulation.
That you need to take care of the data you own as an organization shouldn’t come as a surprise. Every organization is responsible for the ‘appropriate technical and organizational measures’ needed to secure all sensitive personal data. This includes not just financial details, but also personal information on your customers and personal details of your employees. That has been the case for ages already. With the new legislation starting on January 1st 2016, things will change considerably.
- First, there will be tighter control on the measures that organizations have taken to secure and protect these sensitive data.
- Secondly, organizations are legally obliged to notify the Privacy Commission of every single data breach involving personal data.
- Last but not least: the new regulation imposes severe financial penalties on whoever fails to comply with the data breach notification obligation.
Losing a USB stick can have serious consequences
You should also be aware that a “data breach” does not only mean that data are being publicly exposed as a consequence of a cyberattack or hack. “Data breaches” can also quite simply mean that a digital device containing personal data (laptop, smartphone, USB stick, …) has been lost or stolen.
Tips to comply with the data breach legislation
But what can you do in order to comply? Based on input from the Dutch privacy experts Privacy Valley, we have gathered the following tips for you.
- Use as little data as possible
Don’t be afraid to look at all the data you have available with a very critical eye. Do you really need all of these data? If the answer is no, you should get rid of them. Take the time to perform such a cleaning exercise regularly, and make sure to get rid of as much potentially identifying data as possible.
- Restrict the access to data as much as possible
The more people can access certain data, the more likely it is that these data will eventually end up where they shouldn’t be. It is therefore wise to restrict access to sensitive data to only those people who really need it.
- Take adequate security measures
Every organization is expected to take appropriate measures to secure its data against loss, theft or any other form of unauthorized use. You should therefore examine your security infrastructure with a critical eye. Ideally, you have your infrastructure audited in order to get a completely accurate insight into your infrastructure’s readiness. If your organization is not ready for the new, tighter regulation and for all existing threats, you should urgently take the appropriate measures to remedy this dangerous situation. Not only will you be forced to inform the Privacy Commission in case of data breaches, you also risk having to pay a serious penalty if it turns out that your security infrastructure wasn’t fit for your organization and your data. Failing to improve your security infrastructure could therefore harm your organization twice. So why not take the appropriate measures straight away?
- Draw up a policy and action plan
We all know by now: it is not a matter of ‘whether’ you will be hit by a cyberattack, but rather ‘when’ you will be hit. So you should be prepared at all times. This means, on the one hand, that you should probably increase your security level and draw up an internal protocol on how to secure data. On the other hand, you should have a protocol available explaining what to do when a data breach or targeted attack has actually happened. Because when it happens, your speed of reaction will be an important factor in limiting the damage caused by the attack or breach.
Make sure you inform the Privacy Commission as well as the people whose data have been affected. If you fail to inform all parties involved within the legally defined timeframe, you risk having to pay substantial fines, up to 810,000 euro.
Next steps to prepare for the data leak notification legislation
Although the law is not yet implemented in Belgium – contrary to the Netherlands, where it will be applied as of January 1 2016 – companies shouldn’t delay their preparations. Three elements are crucial and can be fulfilled with the right technology:
- Prevention: protect your data by encrypting it
- Detection: timely reporting by quickly detecting data breaches
- Inspection: forensics to prove the data breach was due to advanced methods that got around the regular security measures