Digital security in the Netherlands
The Legal Expat Desk (LED) is an information hub by GMW advocaten, advising the expat community in the Netherlands since 2006. LED regularly publishes articles covering a wide spectrum of legal topics.
Whether you are self-employed or you sometimes work from home on a laptop from your employer, it is important to know what your responsibilities are when it comes to digital security in the Netherlands.
How to protect your data
It is much better to prevent data loss than to be forced to deal with the consequences if data is lost or stolen.
It is therefore important to review how secure the personal data under your management is. Being aware of proper data security can save you headaches, prevent problems for your clients and help you avoid any financial consequences of potential data loss.
Here are a number of tips to improve your awareness of data security:
› Draw up a code of conduct
Internal agreements ensure that your staff know what to do when they lose a telephone or USB stick, for instance. At the same time, this reduces your risk of reporting too late and can prevent a lot of damage.
› Secure your files
If your data carriers are sufficiently secured, you reduce the risk of personal data ending up in the wrong hands if they are lost.
› Create agreements
Enter into agreements with any third parties that handle sensitive data from your company. You can often arrange with the processors of your personal data that they make the report in the event of a data leak. This can reduce the time it takes to report the data loss.
Dutch Data Protection Authority
The loss of any type of sensitive or personal data has to be reported to the Dutch Data Protection Authority. This includes data leaks as well as cases where the unlawful processing of personal data cannot be ruled out.
What constitutes a data leak can vary widely in terms of type and scope. Examples include a hacked server or the physical loss of a USB stick, smartphone or laptop.
Whether you need to report the incident depends on the contents that have been compromised.
Leaks involving the following types of data should be reported to the Data Protection Authority:
› data concerning private affairs (race, political affinity, trade-union membership, etc.)
› financial data (debts, salary information, etc.)
› data that can be used for blackmail (results of assessment interviews, addictions, relationship problems, etc.)
› login data and passwords
› data that can be used to commit fraud (copies of IDs, passports, citizen service numbers, etc.)
Who to report to and how fast
In the case of data loss, you will be held accountable for reporting it within 72 hours to the Dutch Data Protection Authority.
After this, the data leak must also be reported to the person the data relates to, if the data leak is likely to have adverse effects on their private life. This means that, if sensitive data has been leaked, it needs to be reported to the person in question on most occasions.
If it concerns the data of thousands of people, informing all of them can develop into a considerable and costly operation.
Failure to report data leaks
The Data Protection Authority can impose a maximum fine of 820.000 euros for the failure to report a data leak. In addition, they have the power to name and shame you when imposing a penalty. This means that you also run the risk of suffering damage to your reputation or the reputation of your company.
Staying on top of data security
Data leaks manifest themselves in many different shapes and forms. By giving proper thought to your procedures in advance, you can save your organisation a lot of grief.
Need more information on this matter? GMW advocaten will be happy to provide you with advice during a discussion without obligation and free of charge.
You are welcome to visit GMW advocaten in The Hague for a free one-hour consultation with one of their experts about any data security or privacy protection issues you may be experiencing.