Duty to report data breaches

Data breach

A data breach is a breakdown in the protection of personal data: personal data is accessed, destroyed, modified, lost or released without any intention to do so. A data breach therefore includes not only the actual release or leakage and processing of personal data but also the existence of any potential for this to occur.

Here are several examples of data breaches:

  • an unencrypted memory stick containing personal data that has been lost;
  • an inadequately secured telephone, laptop computer or tablet (personal or business) containing personal data or access to an RU account containing personal data which has been lost or stolen;
  • documents containing personal data which have been printed and left near a photocopier in the absence of any supervision;
  • establishing that you have access to personal data to which you should not have access;
  • the transmission of sensitive data to the wrong email address (hence to someone to whom one did not intend to send it);
  • a hacker hacking into a computer containing personal data or gaining access to an RU account containing personal data.

Duty to report data breaches

The duty to report a data breach is part of the General Data Protection Regulation (GDPR). This duty to report a leak has been in effect since 1 January 2016 and means that businesses and organisations are required to report a ‘data breach’ (or a suspected one), that is, the likelihood of personal data being lost or unlawfully processed. Such a report must be made to the Dutch Data Protection Authority (DPA). In some cases Radboud University is also required to report a data leak to all of the relevant data subjects, i.e. those people whose data has been leaked.

Reporting an incident

If you know or suspect that a data breach has occurred, please report this directly to the ICT help desk on Tel. +31 (0)24 362 2222.