Deloitte Risk Services B.V. Cyber & Privacy Advisory. Deloitte Cyber & Privacy Risk Services Data Breach Management

Download (0)

Full text


Deloitte Cyber &

Privacy Risk Services



Cover pages & Index 1-3

Data breach management 4

Challenges and opportunities 6



Data Breach Management

January 1st, 2016 - a big date in personal data handling in the Netherlands. From that moment onward data breaches are to be reported to the DDPA– and potentially to your clients, your customers, your business relations, and your employees as well. At the same time, perhaps just as strikingly, the DDPA will be equipped with an extensive fining authority: up to € 810.000,. Such fines are not only a financial concern for your organization, they may also evoke negative publicity, seeing as that data breaches can also draw a bill on your organizations’ public goodwill. Is your organization prepared to meet these new personal data protection challenges? And are there any opportunities to enhance your organization with the new personal data legislation in sight? First, allow us to provide some insight in the upcoming changes:

The new rules of the game as of January in a nutshell

1. Your organization is obliged to report security or data breaches to the DDPA. Not all breaches, only those that may adversely affect the privacy of the individual concerned (data subject). Your organization should be equipped to make this assessment. Timing is essential: the DDPA is to be notified of a data breach within two working days after the occurrence.

2. Further, in some cases, a breach should also be reported to the data subject directly. Apart from a need to take effective mitigating measures to contain the breach, this situation also calls for clever and

effective communication with your clients, your customers, your business relations and your employees.

3. An even more significant change in the new rulebook is that in 2016, the DDPA can also distribute penalties based on violations of legal obligations that go beyond the newly introduced broad data breach notification obligation. Improper processing, insufficient security, poorly managed personal data handling or abuse of sensitive data, these are all violations that can be subject to fines. The maximum fine is currently set to be € 810.000, but a higher amount may apply in the course of 2016.

4. If your organization offers public electronic communication services, you are currently already obliged to report data breaches. However, there is a reshuffling between addressees: no longer does your

A challenge lies ahead of your organization with the upcoming

impactful changes of the Dutch Personal Data Protection Act. Both

the introduction of the personal data breach notification obligation as

well as the Dutch Data Protection Authority’s (“DDPA”) widely

extended right to impose fines urgently call for action: correctly

interpreting the rules, understanding the required steps and

developing the required business processes. Every step is essential.

When a data breach nonetheless spins out of control, your crisis

management function can help your organization to emerge stronger

from the event. Altogether the new regulations create a new stimulus

to further embed privacy compliance. It is an opportunity for

enhancement, optimization and future-proofing of your organization.

When and where will you start?




What are your organization’s challenges?

In short: to interpret the new rules, to embed them in your organization’s processes, to make a good assessment and to take the necessary actions whenever a data breach occurs. Questions arise such as: ‘What is a data breach and how should I report it?’, ‘When should I report a breach?’, and ‘Should I report a data breach when the processor is not located in the Netherlands?’ First, your organization will need

to be aware of the questions that arise from the new rules in order to give the right follow-up. We created a shortlist of key questions that should be considered based on the framework guidelines published by the DDPA (figure 1).

Another challenge might be to meet the DDPA’s requirements of strict monitoring in order to detect data breaches. Especially, as there is a strict timeline of two

working days to decide whether reporting is compulsory.

Within these two working days after a data breach occurs, your organization needs to determine whether the breach should be reported only to the DDPA or also to the data subject.

How can we help?

Our multi-disciplinary Privacy Team can help you with setting up the needed data governance structures, processes and policies to monitor data flows, detect data breaches and manage them in a streamlined and efficient way.

If necessary we can provide First Aid on the short term in three steps: Identify, Adapt, and Roll Out: 1. Identify the readiness of your internal business processes for internally and externally reporting data


2. Adapt existing internal processes to the DDPA requirements;

3. Roll out the new approach by providing instructions, training and communication to prepare all stakeholders for the updated processes and assist in dry runs of your internal data breach notification procedures.

After having rolled out the new approach, or when your organization has established some of these processes already, we can assist with the follow-up and build a long term sustainable and mature firmament for future data handling and make privacy compliance part of your organization’s DNA.

And what if a crisis does occur?

Some crises can hardly be avoided. Even with well-designed data governance structures, policies and processes in place to prevent a data breach, the possibility of a data breach turning into a full-blown crisis

– especially when mismanaged - should be taken into account. Also note that today’s social media can dramatically increase your visibility during these situations, which can lead to significant reputational damage. A random, uncoordinated response to such a crisis will almost certainly exacerbate it.

Successful organizations are capable of preparing in advance for those data breaches that get out of hand,

respond effectively to crisis situations and recover successfully in an organized and structured way. Effective crisis management can transform data breaches into a situation that strengthens customer relationships, builds brand value and enhances market perceptions. It shows you are in control, even in bad times. If you have any questions on how to organize the processes and capabilities needed to prepare for, respond to and recover from a data breach crisis, our Resilience & Crisis Management Team can help. Why Deloitte?

Our joint teams offer the privacy and resilience services your organization needs. We answer your legal, organizational and technical privacy questions, assist in establishing a data breach management process and crisis management approach and help your organization emerge stronger from major crisis events. Contact

Would you like to know more on this subject? Please find our contact details below.

DDPA guidelines: key questions

Figure 1


Being Prepared for the obligation to report Data Leaks Is the reporting obligation applicable to me?

What should I arrange for if my organization processes personal data?


Report or not?

Is this a data breach? Should I report this data breach to the DDPA? Should I report this data leak to the data subject?


Report to the DDPA

How should I report the data breach to DDPA? When should I report the data breach to DDPA?


Report to data subject

How should I report the leak to the data subject? When should I report the leak to the data subject?


After reporting

Which information do I need to record in my report about the data breach? What does the DDPA do with my report?



Mr. Annika Sponselee Director – Privacy Team +31 (0) 6 10 99 93 02

Theodorus Niemeijer

Director – Resilience & Crisis Management Team



Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 210,000 professionals are committed to becoming the standard of excellence.




Related subjects :