Reporting a data leak: what steps do you need to take?

You always hope that you’ll never have to use the information in this article, because if you do, then you most probably have had a data leak. Unfortunately, it is not a question of whether a data leak will take place in your organisation, but rather a matter of when. It’s wise to prepare for that contingency. These steps will ensure that you won’t miss a thing when you report a data leak.

Data leaks: (almost) impossible to prevent

Let’s start by assuming that data leaks are inevitable. Many of your employees handle information all day long. They make calls, send faxes, print out documents and send dozens of emails. A data leak can happen at any time. An employee could forget to pick up a printed document from the printer, forget to lock their screen, or send information to the wrong person – and just like that, confidential information is suddenly available to unauthorised parties.

If that happens, are you required to report the data leak? If so, what information do you need in order to file a report, and who do you need to notify? Read more about the five things that play a role when reporting a data leak under the GDPR.

Reporting data leaks

When personal data has been leaked, the organisation must report the leak to the Dutch Data Protection Authority. Here’s what you need to do so you can be ready to report data leaks.

1. Make sure that your employees know that they need to report a data leak

When things go wrong, you need to report the data leak. The first step is someone reporting the leak to the Chief Information Security Officer (or data protection officer) of their organisation.

In practice, however, not all data leaks are reported to the appropriate official within the company. This could be due to various reasons. The people involved may not be aware that they have caused a data leak, or are afraid that their own position will be jeopardised if they report it. Some employees might take the gamble that their error won’t be detected.


This might possibly be the most difficult step of the entire reporting process. Employees need to be aware of the significance effective personal data protection. The organisation’s culture could play a role in encouraging employees to report data leaks, even if the employees failed to follow security procedures. Reporting a data leak should be easy, for instance by means of a form on the company intranet.

2. Gather information about the data leak

The CISO cannot assess whether the data leak needs to be reported to the Dutch Data Protection Authority until it’s clear what happened. In any case, you will need the following information:

What happened exactly?

To determine whether a security incident or data leak has taken place, you will need to find out what has happened exactly, and when. Do you know if unauthorised data processing has taken place? If that’s the case, then you are dealing with a data leak. If not, then you have a security incident.

For instance:

One of your employees accidentally sends an email containing a customer’s financial data to a journalist that they work with occasionally. The journalist immediately realises that this was a mistake and deletes the email without taking any other action. In this case, you have had a security incident, but you can clearly show that no unauthorised data processing has taken place.

What kind of data are you dealing with?

It is important to know what type of information you are dealing with in the event of a data leak. Is it sensitive personal data, or data which could adversely affect the protection of that personal data? If a Citizen Service Number is leaked, for example, it could have adverse effects for a customer (e.g. identity fraud). You need to know what kind of data was involved in order to make an accurate assessment of the consequences of leaking specific information. Carefully consider how you are going to find out what type of data is involved in the data leak.

3. Assess whether the data leak needs to be reported and limit the damage

Use the information above to determine if the leak needs to be reported. Answer the following question:

Has any data been lost during the security incident, or can it not be ruled out that data has been processed in unauthorised ways?

If so: you have a data leak. It needs to be reported.

If not: you do not have a data leak. It does not need to be reported.

If you do have a data leak on your hands, limit the damage as much as possible: destroy the accidental print-out, revoke the authorisation, or retrieve the emails that were sent accidentally.

4. Report the data leak to the Dutch DPA (if necessary)

If you are required to report the data leak, you can use the form on the website of the Dutch Data Protection Authority. You will need the information you gathered in step two to file the report. In addition, you will need to state the impact of the leak, whether you have already informed the people involved, and what steps you plan to take to prevent future leaks.

5. Report the data leak to the people involved (if necessary)

In the event that it is necessary to notify the people involved that there has been a data leak, the Dutch DPA (Autoriteit Persoonsgegevens, AP) states that this needs to happen ‘immediately’. There are no other instructions as to how notification should take place. It is important to carefully consider how you intend to notify the people involved, for instance your customers. After all, the reputation of your organisation could suffer immensely. An excellent way is to give your customers helpful tips on dealing with the consequences of the data leak. Make sure you have communication templates prepared that enable your organisation to send quick notifications in case of a data leak. Also make sure that any overview of the leaked data is provided to the people involved through secure channels.

How do you deal with data leaks?

Most of the work in handling mandatory reporting of data leaks lies in the early stages of the process: recognising and reporting the leak internally. An appropriate response requires considerable awareness within your organisation. Would you like to know how to increase employee awareness of privacy and the GDPR within your organisation? Then download our e-book free of charge.
