
There are Dutch lessons in breach notification as GDPR approaches

The Netherlands is a pioneer when it comes to legislating around data protection, so GDPR might not be as much of a shock as in other countries.

Data protection laws and regulations are about to get a boost in the shape of the spectre of stiff fines. The EU General Data Protection Regulation (GDPR) comes with a notification duty for data breaches, and the Dutch have pioneering experience with such a duty.

The Netherlands previously took a leap forward with its own so-called cookie law, which obligated website owners to ask visitors explicit permission to place cookies on their computing devices. This was meant to curtail privacy-invading cookies and promote consumer awareness. In practice, this requirement had somewhat the opposite effect.

Web surfers got swamped with cookie requests and hence were trained to blindly click on “OK”.

A more recent example of Dutch eagerness to be on the front lines of privacy and regulation is its data protection law, which comes with an official obligation for organisations to report data breaches. The Dutch notification duty is just over a year old, but its demise is coming.

It is set to be replaced by the incoming EU legislation of the GDPR, but there are lessons to be learned from the Dutch experience.

January 2016 marked the start of the Dutch requirement to notify in the case of data breaches, but the legal language was softened in the period running up to it.

Instead of data breaches in the wide sense of the word, the requirement was adjusted to apply to data breaches that have significant negative consequences for the protection of personal data.

Already in effect

The Netherlands’ first year of operating with a notification obligation has provided hands-on experience and insight for companies, lawyers, watchdogs and governments. At first glance, there is still a lot to be done. This is made clear by nationwide market research into the first year, carried out by Pb7 Research and commissioned by security supplier Kaspersky Lab. Some 300 medium-sized and large organisations in multiple sectors were surveyed.

It turns out a large portion of Dutch companies and institutions have not reported an applicable data breach to the authorities, either not at all or not within the timeframe dictated by the notification obligation. This is the case for 41% of organisations in the Netherlands, according to the research report (PDF, in Dutch).


Countering the bad news about the violators, a sizeable portion has complied with the legal requirement to notify the Dutch privacy watchdog, the AP (Autoriteit Persoonsgegevens): 33% of organisations have done so.

However, the bad news is that there is a significant number of companies and institutions that don’t know if a data breach has been reported. In fact, over a quarter (26%) of organisations are guilty of this.

The main cause for this is a lack of awareness, not so much with regard to the legal obligation to notify as ignorance over which data breaches need to be reported. There also remains uncertainty over what constitutes an event with a “significant negative impact on privacy protection”.

The bad practices in the Netherlands have encouraged outspoken notification critic and lawyer Aldo Verbruggen. This partner at international law firm Jones Day caused a stir in the Netherlands last year, when he said it often makes more sense for companies not to report data breaches.

His argument is that notification can affect companies in several ways, such as damaging their reputation. Meanwhile, there is little to be gained from reporting data breaches, said Verbruggen in an interview with Dutch financial newspaper FD.

AP given pause for thought

Verbruggen repeated his “plea” in a panel discussion at the formal presentation of the research report on one year of Dutch notification duty. In that timeframe, watchdog AP has received a total of 5,500 notifications.

He said the research results should give the AP pause for thought, but AP chairman Aleid Wolfsen countered his “damage claim” with reassurances that the privacy authority does not engage in naming and shaming. This, however, does not guarantee that public exposure is out of the question: the Dutch notification duty forces organisations to inform consumers if a data breach can cause them serious harm.

The threat of fines

The main damage notification can cause for data-leaking (or hacked) organisations is the fine a privacy watchdog can impose on them. However, the AP has stated multiple times that strict enforcement is not the goal. Awareness and action are what the AP wants to achieve in the marketplace, so the spectre of fines should not be seen as an immediate danger.

On the other hand, it’s not an idle threat. From May 2018, the GDPR takes over. The EU-mandated rule doesn’t come into effect immediately, but once it does it overrules any national legislation such as the Dutch notification duty. The GDPR is also stricter and harsher than the current Dutch law and notification duty.

It’s about the data

Furthermore, the wrong impression exists that the GDPR only affects EU countries, and hence only companies operating in that territory.

However, the data protection regulation (including its notification duty for data breaches) is tied not to companies operating in the EU, but to EU citizens and their data. Any company that gathers, handles, processes, enriches or otherwise uses private information about or from EU citizens is covered by the GDPR.
