As from 1 January 2016, all security incidents that unintentionally result in the disclosure of personal data to third parties, will have to be reported to the Dutch Personal Data Authority (Autoriteit Persoonsgegevens) and, in some cases, even to the person whose personal data has been disclosed.

A security incident can take many forms: from a person entering a building and accessing or even taking personal data, to the more infamous example of a hacker. A lost phone, laptop or USB-stick can also be regarded as a security breach. Failing to report such an incident may lead to fines of up to EUR 820,000 or 10% of the company’s net annual turnover.

Also, as from 1 January 2016 the violation of various provisions of the Dutch Data Protection Act can be sanctioned more heavily. The number of provisions in the Dutch Data Protection Act for which an administrative fine can be imposed have been largely increased.

What does this mean for you?

When a data security breach is discovered, your organization will have to notify this immediately to the Authority and, in certain situation, to the data subjects concerned. As the notification has to be done immediately (as soon as reasonably possible), it will be too late to draw up a plan of action at the moment that a data security breach is discovered. Therefore, as from 1 January 2016, each organization needs to have an action plan for the unlikely event of a data breach.