Data breach procedure flows

General internal procedure in the event of a data breach

Please note: within 72 hours the notification must be made to the Dutch Data Protection Authority after the discovery of the data breach, regardless of the weekend or public holidays.

1.  Detection of a breach of the security of the systems by:

1. 1. Employee
      1. Register the incident and report it directly to the Privacy Officer. If the Privacy Officer is not available, the employee will report this to his manager. The manager is then responsible for informing the Privacy Officer as soon as possible.
      2. Inventory of the data breach in collaboration with the manager on the basis of the questions formulated in Appendix 1
   2. Customer / supplier
      1. Sends an e-mail or makes contact by telephone. 
      2. Employees register the information and forward the report to the Privacy Officer. If the Privacy Officer cannot be reached, the employee makes an inventory in collaboration with his manager, based on Appendix 1 and processes it in the ticket. The manager is then responsible for informing the Privacy Officer as soon as possible.

2. Investigation into the scope and technical aspects of a data breach by the concerned department manager in collaboration with engineers (within 24 hours).

1. 1. What breach of security measures has taken place and when?
   2. Which part of the IT system is involved and/or which equipment. Possibly: where is the equipment lost/stolen?
   3. What data is (possibly) involved?
   4. What are the (expected) consequences of the incident?

Simultaneous entry into force of the legal step-by-step plan by the Privacy Officer.

3. The engineers identify and implement measures to restore security after discussing the data breaches with the team (within 72 hours of reporting. If not feasible, as soon as possible).

4. If the incident must be reported or if reporting is desirable, the Privacy Officer, in consultation with the management, the lawyer and possibly the engineers, will prepare the report to the AP (within 72 hours).

5. If necessary: ​​inform the parties involved (at the same time as the AP report).

6. If necessary: ​​feedback to reporter (after AP report).

7. Inform (relevant) employees (after notification to the AP).

8. If necessary: ​​marketing prepares a press release (after notification by AP).

9. Evaluation of the procedure with all concerned. Initiation by Privacy Officer. 

Procedure in the event of a data breach during the weekend/free days

1. Detection or suspicion of a breach of the security of the systems by an employee, via a customer or third party.
2. The person who makes or receives the observation will inform the Privacy Officer. If the Privacy Officer is not available, the employee will report this to the escalation manager. The escalation manager is then responsible for informing the Privacy Officer as soon as possible.
3. Privacy Officer consults with the management.
4. Management decides whether action should be taken.
5. Privacy Officer calls in blue team when necessary.
6. Continue from step 5 of the above procedure.

Legal procedure

1. Detection of a breach of security systems or loss of equipment.
2. What data was accessible?
3. Can this data be regarded as personal data?
   1. Personal data is any information relating to an identified or identifiable person. A person is identifiable if his identity can reasonably be established without disproportionate effort.
4. Is there a data breach?
   1. Have the processed personal data been irretrievably deleted/affected, or is it unlawful processing? Illegal processing is the unintentional/unauthorized change, provision or accessibility of personal data. Use the following rule of thumb: personal data goes where it should not be.
      1. If so, then there is a data breach.
   2. Can it reasonably be excluded that personal data has been lost or unlawfully processed?
      1. If so, then there is no question of a data breach.
5. Is my company the data controller?
   1. The controller is the person who, alone or together with others, determines the purpose and means of the processing of personal data. 
   2. Example: you have outsourced the payroll administration to an external company. This company needs data from your staff to carry out payroll processing. In this construction you are responsible, because: 
      1. you set the goal, namely the data is used for the purpose of salary processing;
      2. you (partially) determine the resources. You have selected the company and made an inventory of which systems are used, you have indicated how you want to receive the data, etc. There is no objection to the fact that the other party also partly determines its own working method.
   3. If your company cannot be regarded as responsible, you are obliged to inform the person responsible of the data breach.
6. Should this leak be reported to the Dutch Data Protection Authority?
   1. A data breach must be reported to the AP, unless it is not likely that the breach poses a risk to those involved. For example when:
      1. The personal data is publicly available (public information);
      2. The personal data is encrypted and the password has not been leaked;
      3. It concerns accidental loss of personal data, while this data can be restored via a backup. 
      4. A report can be made on the website of the AP (www.autoriteitpersoonsgegevens.nl). 
7. Should this leak be reported to the data subject?
   1. A data breach must be reported to the data subject when the breach is likely to pose a high risk to the data subject. 
      1. High risk occurs when the expected adverse consequences of the data breach are likely to occur. Examples of adverse consequences: identity theft, reputational damage, financial losses, unwanted communication, and so on.
   2. Do the technical protection measures (such as encryption) that have been taken provide sufficient protection to be able to omit the notification to the data subject?
      1. Have the personal data been irretrievably deleted or damaged? Then encryption makes no sense and those involved must be informed. 
      2. Was all personal data encrypted at the time of the breach?
      3. Is the encryption adequate?
      4. Is the residual risk acceptable?
      If so, no notification to data subjects is required.
   3. Have immediate measures been taken to ensure that data subjects are not adversely affected by the data breach? If so, no notification to data subjects is required.
   4. Is informing all those involved a disproportionate effort (for example because a very large number of those involved are involved)? In that case, a personal communication per data subject is not necessary and data subjects can be informed in a different way. 

8.    Although a data breach does not have to be reported to the authority or to the data subject, there is a registration obligation. All data breaches that have occurred must be documented centrally by the company. 

Appendix 1 – Inventory plan for data breaches

1. Record the name, company, telephone number and e-mail address of the reporter.
2. When (date and time) and how was the leak detected?
3. In which system is the leak located?
4. How can the leak be used?
   1. Make sure that the operation of the leak is clear. The leak must be reproducible.
5. What data is accessible?
6. What actions are possible with regard to the data?
   1. Think of viewing, copying, changing, deleting or destroying, etc.
7. Does the reporter have ideas on how the leak can be repaired?
8. Will the reporter make the data breach public? If so, when? 
9. If yes, request the reporter to wait 72 hours so that measures can be taken first.

Appendix 2 – Informing data subjects

Some data breaches are so serious that the data subject(s) must be informed. Data subjects are the persons to whom the leaked personal data relates. Exactly when the data subject must be informed has already been described above. This appendix deals with the question of how the data subject should be informed. 
In any case, the notification will state:

1. The nature of the infringement (what happened?).
   1. When describing the nature and content of the infringement, a general description will suffice. It is not necessary to dwell on the technical details. It must be discussed which personal data has been leaked, what the consequences may be for the data subject and what measures have been taken to tackle the breach. It is important that the description is in clear and simple language. 
2. The estimated date and time of the incident.
3. The seriousness of the data breach.
   1. Inform the data subject about the consequences that are likely to occur as a result of the data breach. Think of identity theft, reputation damage, financial losses, unwanted communication, etc. 
4. The measures that have been taken to tackle the breach and limit the negative consequences for those involved.
   1. How was the vulnerability closed? Has a procedure been tightened up? Can the person concerned file a claim for damages, for example? 
5. The measures that the data subject must take to limit the negative consequences of the infringement.
   1. Think of changing usernames and passwords. 
6. Contact details/a central information point.
   1. In this way, the data subject can reach you if he or she has any questions about the data breach.
7. The authorities where the data subject can obtain more information about the infringement, if applicable.

The most important thing is that as many stakeholders as possible are reached with the information in order to limit the adverse consequences. The communication is free of form and may therefore be made in writing or electronically.