Reporting a data leak: what steps do you need to take?

You always hope that you’ll never have to use the information in this article, because if you do, then you most probably have had a data leak. Unfortunately, it is not a question of whether a data leak will take place in your organisation, but rather a matter of when. It’s wise to prepare for that contingency. These steps will ensure that you won’t miss a thing when you report a data leak.

Data leaks: (almost) impossible to prevent

Let’s start by assuming that data leaks are inevitable. Many of your employees handle information all day long. They make calls, send faxes, print out documents and send dozens of emails. A data leak can happen at any time. An employee could forget to pick up a printed document from the printer, forget to lock their screen, or send information to the wrong person – and just like that, confidential information is suddenly available to unauthorised parties.

If that happens, are you required to report the data leak? If so, what information do you need in order to file a report, and who do you need to notify? Read more about the five things that play a role when reporting a data leak under the GDPR.

Reporting data leaks

When personal data has been leaked, the organisation must report the leak to the Dutch Data Protection Authority. Here’s what you need to do so you can be ready to report data leaks.

1. Make sure that your employees know that they need to report a data leak

When things go wrong, you need to report the data leak. The first step is someone reporting the leak to the Chief Information Security Officer (or data protection officer) of their organisation.

In practice, however, not all data leaks are reported to the appropriate official within the company. This could be due to various reasons. The people involved may not be aware that they have caused a data leak, or are afraid that their own position will be jeopardised if they report it. Some employees might take the gamble that their error won’t be detected.

This might possibly be the most difficult step of the entire reporting process. Employees need to be aware of the significance of effective personal data protection. The organisation's culture could play a role in encouraging employees to report data leaks, even if the employees failed to follow security procedures. Reporting a data leak should be easy, for instance by means of a form on the company intranet.

2. Gather information about the data leak

The CISO cannot assess whether the data leak needs to be reported to the Dutch Data Protection Authority until it’s clear what happened. In any case, you will need the following information:

What happened exactly?

To determine whether a security incident or data leak has taken place, you will need to find out what has happened exactly, and when. Do you know if unauthorised data processing has taken place? If that’s the case, then you are dealing with a data leak. If not, then you have a security incident.

For instance:

One of your employees accidentally sends an email containing a customer’s financial data to a journalist that they work with occasionally. The journalist immediately realises that this was a mistake and deletes the email without taking any other action. In this case, you have had a security incident, but you can clearly show that no unauthorised data processing has taken place.

What kind of data are you dealing with?

It is important to know what type of information you are dealing with in the event of a data leak. Is it sensitive personal data, or data which could adversely affect the protection of that personal data? If a Citizen Service Number is leaked, for example, it could have adverse effects for a customer (e.g. identity fraud). You need to know what kind of data was involved in order to make an accurate assessment of the consequences of leaking specific information. Carefully consider how you are going to find out what type of data is involved in the data leak.

3. Assess whether the data leak needs to be reported and limit the damage

Use the information above to determine if the leak needs to be reported. Answer the following question:

Has any data been lost during the security incident, or can it not be ruled out that data has been processed in unauthorised ways?

If so: You have a data leak. It needs to be reported.

If not: You do not have a data leak. It does not need to be reported.

But if you know that you have a data leak on your hands: make sure to limit the damage as much as possible. Destroy the accidental print-out, revoke the authorisation, or retrieve the emails that were sent accidentally.

4. Report the data leak to the Dutch DPA (if necessary)

If you are required to report the data leak, you can use the form from the website of the Dutch Data Protection Authority. You will need the information you have gathered in step two to file the report. In addition, you will need to state the impact of the leak, whether you have already informed the people involved, and what steps you plan to take to prevent future leaks.

5. Report the data leak to the people involved (if necessary)

In the event that it is necessary to notify the people involved that there has been a data leak, the AP (the Dutch Data Protection Authority) states that this needs to happen ‘immediately’. There are no other instructions as to how notification should take place. It is important to carefully consider how you intend to notify the people involved, for instance your customers. After all, the reputation of your organisation could suffer immensely. An excellent way is to give your customers helpful tips on dealing with the consequences of the data leak. Make sure you have communication formats prepared that enable your organisation to send quick notifications in case of a data leak. Also make sure that any overview of the leaked data is provided to the people involved through secure channels.

How do you deal with data leaks?

Handling the mandatory reporting of data leaks well depends above all on the early stages of the process: the leak must first be noticed and reported internally. An appropriate response therefore requires considerable awareness within your organisation. Would you like to know how to increase employee awareness of privacy and the GDPR within your organisation? Then download our e-book free of charge.
