Reporting a data leak: what steps do you need to take?

You always hope that you’ll never have to use the information in this article, because if you do, then you most probably have had a data leak. Unfortunately, it is not a question of whether a data leak will take place in your organisation, but rather a matter of when. It’s wise to prepare for that contingency. These steps will ensure that you won’t miss a thing when you report a data leak.

Data leaks: (almost) impossible to prevent

Let’s start by assuming that data leaks are inevitable. Many of your employees handle information all day long. They make calls, send faxes, print out documents and send dozens of emails. A data leak can happen at any time. An employee could forget to pick up a printed document from the printer, forget to lock their screen, or send information to the wrong person – and just like that, confidential information is suddenly available to unauthorised parties.

If that happens, are you required to report the data leak? If so, what information do you need in order to file a report, and who do you need to notify? Read more about the five things that play a role when reporting a data leak under the GDPR.

Reporting data leaks

When personal data has been leaked, the organisation must report the leak to the Dutch Data Protection Authority. Here’s what you need to do so you can be ready to report data leaks.

1. Make sure that your employees know that they need to report a data leak

When things go wrong, you need to report the data leak. The first step is someone reporting the leak to the Chief Information Security Officer (or data protection officer) of their organisation.

In practice, however, not all data leaks are reported to the appropriate official within the company. There can be various reasons for this. The people involved may not be aware that they have caused a data leak, or they may be afraid that their own position will be jeopardised if they report it. Some employees might take the gamble that their error won’t be detected.

This may well be the most difficult step of the entire reporting process. Employees need to be aware of the significance of effective personal data protection. The organisation’s culture plays a role in encouraging employees to report data leaks, even if they failed to follow security procedures. Reporting a data leak should be easy, for instance by means of a form on the company intranet.

2. Gather information about the data leak

The CISO cannot assess whether the data leak needs to be reported to the Dutch Data Protection Authority until it’s clear what happened. In any case, you will need the following information:

What happened exactly?

To determine whether a security incident or data leak has taken place, you will need to find out what has happened exactly, and when. Do you know if unauthorised data processing has taken place? If that’s the case, then you are dealing with a data leak. If not, then you have a security incident.

For instance:

One of your employees accidentally sends an email containing a customer’s financial data to a journalist that they work with occasionally. The journalist immediately realises that this was a mistake and deletes the email without taking any other action. In this case, you have had a security incident, but you can clearly show that no unauthorised data processing has taken place.

What kind of data are you dealing with?

It is important to know what type of information you are dealing with in the event of a data leak. Is it sensitive personal data, or data which could adversely affect the protection of that personal data? If a Citizen Service Number is leaked, for example, it could have adverse effects for a customer (e.g. identity fraud). You need to know what kind of data was involved in order to make an accurate assessment of the consequences of leaking that specific information. Carefully consider how you are going to find out what type of data is involved in the data leak.

3. Assess whether the data leak needs to be reported and limit the damage

Use the information above to determine if the leak needs to be reported. Answer the following question:

Has any data been lost during the security incident or can it not be ruled out that data has been processed in unauthorised ways?

If so: You have a data leak. It needs to be reported.

If not: You do not have a data leak. It does not need to be reported.

But if you know that you have a data leak on your hands: make sure to limit the damage as much as possible. Destroy the accidental print-out, revoke the authorisation, or retrieve the emails that were sent accidentally.

4. Report the data leak to the Dutch DPA (if necessary)

If you are required to report the data leak, you can use the form from the website of the Dutch Data Protection Authority. You will need the information you have gathered in step two to file the report. In addition, you will need to state the impact of the leak, whether you have already informed the people involved, and what steps you plan to take to prevent future leaks.

5. Report the data leak to the people involved (if necessary)

In the event that it is necessary to notify the people involved that there has been a data leak, the Dutch DPA (AP) states that this needs to happen ‘immediately’. There are no other instructions as to how notification should take place. It is important to carefully consider how you intend to notify the people involved, for instance your customers. After all, the reputation of your organisation could suffer immensely. An excellent approach is to give your customers helpful tips on dealing with the consequences of the data leak. Make sure you have communication templates prepared that enable your organisation to send quick notifications in case of a data leak. Also make sure that any overview of the leaked data is provided to the people involved through secure channels.

How do you deal with data leaks?

Handling the mandatory reporting of data leaks well depends on the early stages of the process: the leak has to be noticed and reported internally before anything else can happen. An appropriate response therefore requires considerable awareness within your organisation. Would you like to know how to increase employee awareness of privacy and the GDPR within your organisation? Then download our e-book free of charge.
