
GDPR’s Tactical Role in Data Breaches: The Case of the Netherlands

Introduction

GDPR (General Data Protection Regulation) refers to a regulation on the processing and protection of personal data in the EU. In EU countries, including the Netherlands, the GDPR sets standards for the processing, storage, and protection of personal data. The GDPR actively ensures data security and privacy by regulating how organizations use and protect individuals’ data.


Objectives of GDPR

Article 1 of the GDPR defines the regulation's subject matter and objectives as follows:

    1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
    2. This Regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
    3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The GDPR contains many principles regarding the processing, storage, and protection of personal data. To comply with these principles, companies need to review their data protection policies and procedures and take the necessary measures. The GDPR mandates that organizations transparently disclose how they use and protect individuals’ data. It also requires implementing data security measures and reporting data breaches.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) supervises and enforces the GDPR in the Netherlands. The AP oversees compliance with the laws on the processing of personal data, investigates complaints and data breaches, and can impose fines on organizations that do not comply with the GDPR.

Data Protection Officer (DPO)

A Data Protection Officer (DPO) is a role defined by the European Union's GDPR, which applies in all EU member states and sets standards for the protection and processing of personal data. The main job of the DPO is to provide the expertise and leadership an organization needs to manage and implement its data protection obligations.

Note: Articles 37, 38 and 39 of the EU GDPR cover the designation, position and tasks of the DPO in detail.

Data Protection Officer Responsibilities and Requirements

Under GDPR Article 37, an organization must appoint a data protection officer when it is a public authority or body, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when its core activities involve large-scale processing of special categories of data or data relating to criminal convictions (the criteria are discussed in more detail below). DPOs monitor compliance, which includes conducting audits, and train the personnel involved in data processing. They are also responsible for informing and advising the business and its workers about their obligations. In addition, DPOs act as the organization's point of contact for the Supervisory Authorities (SAs) that regulate data-related activity.

The following are only a few of the duties of the DPO under GDPR Articles 38 and 39:

    • Informing and advising the staff and the business on crucial compliance needs
    • Providing training to employees that handle data
    • Conducting audits to verify compliance and proactively handle any possible problems
    • Acting as the company's primary point of contact with the GDPR Supervisory Authorities
    • Monitoring results and offering guidance on the significance of data protection initiatives, including advice on data protection impact assessments
    • Helping to keep thorough records of the business's processing activities, including the purpose of each activity, which must be made available to the supervisory authority on request (Article 30)
    • Interacting with data subjects to provide them with information about the company's security policies, how their data is used, and their rights regarding their personal data

Which Companies are Required to Appoint Data Protection Officers?

Public Bodies and Organizations

Public bodies and organizations (e.g., government agencies, municipalities, public service providers) must appoint a DPO, with the exception of courts acting in their judicial capacity. Regulatory or executive bodies that process personal data on a large scale must do so as well.

Large-Scale Data Processors

The GDPR makes a DPO mandatory when large-scale processing of personal data is at the core of what the organization does, in combination with one of the two triggers below (processing of special categories of data, or systematic monitoring of data subjects). Large-scale processing that is only incidental to the core business, such as payroll for an organization's own staff, does not by itself trigger the requirement.

Special Categories of Data Processors

Organizations whose core activities consist of large-scale processing of special categories of data (e.g., health data, biometric data, data revealing racial or ethnic origin) or of data relating to criminal convictions and offences must appoint a DPO (Article 37(1)(c)).

Systematic Monitoring or Large Scale Data Subjects

Organizations whose core activities require regular and systematic monitoring of data subjects on a large scale must appoint a DPO (Article 37(1)(b)). For example, companies that track online behaviour or run large-scale behavioural advertising fall into this category.

Whether these criteria are met depends on the nature and scale of the organization's personal data processing rather than on the size of the organization itself. In practice, public bodies, organizations that systematically monitor people at scale, and organizations that process sensitive categories of data at scale must appoint a DPO.

The language of the GDPR indicates that the size of an organization by itself does not trigger the need for a DPO; the nature and scale of its data handling does. Unfortunately, the GDPR does not define what counts as "large-scale". The Article 29 Working Party guidelines on DPOs (endorsed by the European Data Protection Board) suggest weighing the number of data subjects, the volume of data, the duration of the processing and its geographical extent.

While there are no exact thresholds for processing scale, most small businesses will not need to appoint a DPO. However, if their core activity involves monitoring individuals or processing sensitive data at scale, they may need one.

Qualifications of Data Protection Officers

The GDPR does not include a specific list of DPO credentials. However, Article 37(5) requires that the DPO be designated on the basis of professional qualities and, in particular, "expert knowledge of data protection law and practices". In a few bullet points:

    1. Expert Knowledge: Data Protection Officers must have in-depth knowledge of data protection law and practice. This enables them to understand the requirements of the GDPR and effectively implement data protection policies.
    2. Legal Competence: Data Protection Officers should know data protection legislation and related legal issues. This helps data controllers to carry out data processing activities in compliance with legal requirements.
    3. Business Knowledge: Data Protection Officers should understand the business processes and data processing activities of data controllers. This ensures that data protection policies are implemented in a way that fits business needs.
    4. Communication Skills: Data Protection Officers must have effective communication skills. This ensures the flow of information about data protection policies and procedures between data controllers and employees.
    5. Independence: Article 38 requires that Data Protection Officers act independently: they must not receive instructions on how to carry out their tasks and may not be dismissed or penalised for performing them. This ensures the impartial application of data protection policies.

Important Information: Organizations that process the personal data of people who are in the EU are subject to the GDPR even if they are not established in the EU, when they offer goods or services to those people or monitor their behaviour (Article 3).

Netherlands GDPR Authority: Autoriteit Persoonsgegevens

Image of The Netherlands' GDPR authority Autoriteit Persoonsgegevens website homepage

In the Netherlands, the supervisory authority under the GDPR is the Autoriteit Persoonsgegevens. It supervises and enforces the rules on the processing and protection of personal data in the Netherlands, handles complaints from data subjects, investigates violations, issues guidance, and imposes sanctions where necessary.

The tasks of the Autoriteit Persoonsgegevens (AP) include the following:

    1. Personal Data Protection: The AP establishes and enforces rules on the lawful collection, processing, storage, and sharing of personal data.
    2. Audit and Investigation: The AP investigates whether organizations process personal data lawfully and conducts investigations based on complaints.
    3. Guidance and Training: The AP provides guidance and training materials on personal data protection for businesses and individuals.
    4. Legal Sanctions: The AP imposes legal sanctions in the event of misuse or breach of personal data. These sanctions may include fines.

There is more information about Autoriteit Persoonsgegevens’ GDPR implementation and personal data protection standards in the Netherlands on its official website.

Crafting a Privacy Policy: Essential Steps and Guidelines

Screenshot of Mysoly's Privacy Policy page

Understanding Privacy Policies Under GDPR

A privacy policy is a public-facing document that explains how an organization processes and protects personal data under applicable law. The GDPR does not use this term, but Articles 12, 13 and 14 oblige controllers to inform data subjects in a concise, transparent and easily accessible form. On company websites this information usually appears under the title "Privacy Policy" or "Privacy Statement", so controllers must provide it under this or a similar title.

Transparency towards data subjects is one of the most important changes brought by the GDPR. In practice, every website that collects personal data (including through cookies, analytics, contact forms or user accounts) must publish a privacy policy. This policy should answer:

    1. What kind of information does your website collect and for what purpose?
    2. How does your website process the collected data?
    3. How does your website protect the information collected?
    4. Does your website share the information collected with others? If so, with whom?
    5. What control do site members have over their data (access, rectification, erasure, portability)?
    6. How will you notify users in the event of a data breach?

Crafting a Comprehensive Privacy Policy

You should answer the questions above. These questions will increase according to the working principles of your site. In general, the following points are important when preparing this privacy policy or privacy statement:

      1. Comprehensive and Detailed: Your policies should cover all information regarding personal data collected and processed. You should explain in detail the processes of data collection, use, sharing, and protection.
      2. Clear and Understandable Language: You should write your policies in a language that everyone, including general users, can easily understand. Also, you should use clear and understandable language, avoiding complex legal terms.
      3. GDPR Principle Compliance: Your policies must comply with the core principles of Article 5 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
      4. User Rights: You must specify the rights of users recognized by the GDPR (e.g., right of access, right to rectification, right to erasure, etc.). You should explain how individuals can exercise these rights and how they can request them.
      5. Security Measures: You should explain the technical and organizational measures that protect the security and confidentiality of personal data, and describe how data breaches are detected, handled and notified.
      6. Timeliness: Review and update your policies regularly. You should keep your policies up to date in line with new data processing activities or changing legal regulations.
      7. Accessibility: You should present your policies in a place that is easily accessible to users. You can provide accessibility with links to your policies on the homepage of your website or in an easy-to-access menu.

Data Breaches and Actions To Be Taken Under GDPR

GDPR Notification Requirements

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12)). The GDPR imposes various obligations on organizations to prevent and manage such breaches. In the event of a breach, the controller must notify the competent data protection authority unless the breach is unlikely to result in a risk to individuals, and must inform the affected individuals when the breach is likely to result in a high risk to them. The notification must describe the nature of the breach, its likely consequences, and the measures taken or proposed to address it and mitigate its effects.

Articles 33 and 34 of the GDPR set out these obligations as follows.

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay (Article 33, 1).

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Article 34, 1).

Responsibilities in the Netherlands

In the Netherlands, a data breach is reported to the Autoriteit Persoonsgegevens, which provides an online notification form for this purpose. If the breach involves a criminal offence, for example hacking or extortion, the AP advises that you also report it to the police.

When there is a data breach, you first need to determine what type of data breach you are facing and what state the data is in. A data breach can be a breach of confidentiality, integrity or availability. Where data has been leaked, you should assess what data has been leaked and how this leak may affect the rights and freedoms of data subjects.

Whether a breach must be notified depends on its risk. The general rule is that you must notify the AP unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, and you must also inform the data subjects themselves when the breach is likely to result in a high risk to them. So, when there is a data breach, it is important to assess it properly and make the required notifications.

The GDPR makes breach notification a mandatory obligation. Failure to notify the competent authority can lead to serious penalties: under Article 83, infringements of Articles 33 and 34 are subject to administrative fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher. Therefore, when a data breach occurs, organizations must take immediate action and make the necessary notifications.

AWS Security Solutions for Data Protection and System Security

Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centers globally. For organizations subject to the GDPR, AWS's security services and data protection features are becoming increasingly important. Note that under the AWS shared responsibility model, AWS secures the underlying infrastructure, while the customer remains responsible for configuring these services correctly and for the data it stores in them.

AWS's Security Services

AWS helps customers protect their data by offering strong security features. It offers various services such as IAM (Identity and Access Management) for identity and access management, KMS (Key Management Service) for data encryption, and VPC (Virtual Private Cloud) for network security. These services provide advanced capabilities to protect and monitor customers’ data.

Security groups are stateful virtual firewalls that AWS applies at the instance (network interface) level; they control traffic to resources such as Amazon EC2 instances and RDS databases. A security group has inbound rules for traffic to the resource and outbound rules for the traffic the resource sends to others. You manage security groups in the "VPC" (Virtual Private Cloud) section of the AWS Management Console or through the CLI and API. Because they are stateful, the response to an allowed inbound request is permitted regardless of the outbound rules. A common misconfiguration is an inbound rule that allows 0.0.0.0/0 (or ::/0) on a database or administrative port; such rules should be restricted to known CIDR ranges or, better, to another security group so that only the application tier can reach the database.

RDS Database and Security

AWS's RDS (Relational Database Service) simplifies database management while also supporting security. RDS takes automated daily backups when a backup retention period greater than zero is configured, supports encryption at rest with KMS (which must be enabled when the instance is created) and TLS for client connections, and uses VPC security groups to control which clients can reach the database. Instances should also be created with "publicly accessible" disabled so that they are not given a public IP address. Together these settings help customers keep their sensitive data safe.
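The following script, an added example rather than code from the original post or from AWS, shows how the security group and RDS settings described in the two paragraphs above can be audited in bulk before a breach rather than after one. It works over JSON in the shape returned by `aws ec2 describe-security-groups` and `aws rds describe-db-instances`; the sample responses embedded below are constructed for the demo and the group IDs and instance names are made up. It flags inbound rules open to the whole internet on anything other than the public web ports, and RDS instances that are publicly accessible, unencrypted, without automated backups, or attached to one of the flagged security groups.

```python
"""Audit AWS security groups and RDS instances for breach-prone settings.

Added example (not the original page's or AWS's own code). Input is the JSON
shape of `aws ec2 describe-security-groups` and `aws rds describe-db-instances`;
the sample data at the bottom is constructed, with made-up resource IDs.
"""
import ipaddress

# Ports that are acceptable to expose to the whole internet (public web tier).
PUBLIC_OK_PORTS = {80, 443}


def _is_world_open(perm):
    """True if an IpPermission admits any IPv4 (0.0.0.0/0) or IPv6 (::/0) source."""
    for r in perm.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0:
            return True
    for r in perm.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"]).prefixlen == 0:
            return True
    return False


def find_open_ingress(sg_response):
    """Return (group_id, reason) for every inbound rule open to the world on
    anything other than the public web ports. Rules that only reference other
    security groups (UserIdGroupPairs) are not world-open and pass."""
    findings = []
    for sg in sg_response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _is_world_open(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":  # "-1" means all protocols and all ports
                findings.append((sg["GroupId"], "all traffic open to the world"))
                continue
            frm, to = perm.get("FromPort"), perm.get("ToPort")
            # A TCP rule that covers only 80/443 is the expected public web case.
            if proto == "tcp" and frm is not None and to is not None \
                    and all(p in PUBLIC_OK_PORTS for p in range(frm, to + 1)):
                continue
            findings.append((sg["GroupId"], f"{proto} {frm}-{to} open to the world"))
    return findings


def audit_rds(rds_response, open_group_ids):
    """Return (db_identifier, issue) for each weak RDS setting found.
    open_group_ids: set of security group IDs flagged by find_open_ingress."""
    issues = []
    for db in rds_response["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            issues.append((name, "publicly accessible (has a public IP)"))
        if not db.get("StorageEncrypted"):
            issues.append((name, "storage not encrypted at rest"))
        if db.get("BackupRetentionPeriod", 0) < 1:
            issues.append((name, "automated backups disabled"))
        for sg in db.get("VpcSecurityGroups", []):
            gid = sg["VpcSecurityGroupId"]
            if gid in open_group_ids:
                issues.append((name, f"attached to world-open security group {gid}"))
    return issues


# Constructed sample responses (IDs are made up). "web" exposes only 443,
# "db-bad" exposes MySQL to the world, "db-good" allows only the app tier's group.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa111", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb222", "GroupName": "db-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc333", "GroupName": "db-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ddd444"}]}]},
]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "customers-prod", "PubliclyAccessible": True,
     "StorageEncrypted": False, "BackupRetentionPeriod": 0,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb222", "Status": "active"}]},
    {"DBInstanceIdentifier": "customers-hardened", "PubliclyAccessible": False,
     "StorageEncrypted": True, "BackupRetentionPeriod": 7,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0ccc333", "Status": "active"}]},
]}


def run_audit(sg_response=SAMPLE_SGS, rds_response=SAMPLE_RDS):
    """Run both checks; RDS findings use the flagged group IDs from the SG pass."""
    open_sg = find_open_ingress(sg_response)
    rds_issues = audit_rds(rds_response, {gid for gid, _ in open_sg})
    return open_sg, rds_issues


if __name__ == "__main__":
    sgs, dbs = run_audit()
    for gid, why in sgs:
        print(f"[SG ] {gid}: {why}")
    for name, why in dbs:
        print(f"[RDS] {name}: {why}")
```

On real accounts, feed the script the output of the two CLI commands (saved with `--output json`) instead of the sample dictionaries. The port check deliberately treats a range such as 80-443 as a finding, because it would also expose everything in between; and the RDS pass cross-references the security group findings, since an encrypted, non-public instance is still reachable by anyone if its security group admits 0.0.0.0/0 on the database port.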

Data Security and Application Layer Security

AWS offers various solutions for data security and application layer security. AWS WAF (Web Application Firewall) filters HTTP(S) requests to web applications, for example blocking patterns associated with SQL injection and cross-site scripting, and Amazon GuardDuty continuously analyses sources such as CloudTrail events, VPC Flow Logs and DNS logs to detect threats like credential misuse or communication with known malicious hosts. These services aim to protect users' data from malicious attacks.

We have summarized the basic security services; AWS offers many more, and more comprehensive, security measures. Most companies already use cloud computing today. We deliver the services we offer to our customers on AWS cloud computing services. Therefore, we believe that we are safer thanks to the security measures we take as well as the security provided by AWS.

Conclusion

The topics in this article provide critical information to help modern businesses and individuals strengthen their data protection strategies. Starting from the basics of the GDPR, we covered critical topics such as data breaches, privacy policies, and security measures. We covered in detail how to prevent and manage data breaches, and how to create privacy policies. Also, we mentioned how to take security measures and the role of trusted cloud computing providers. These recommendations can help businesses and individuals improve data security and protect their digital assets. Remember, data protection is not just an obligation, it can also be a competitive advantage. We need to take this information into account to build a secure digital future.


Serkan Kilic

Yavuz Baytemur
DevOps Engineer