Under new legislation, businesses run the risk of being fined up to € 820,000

In the programme broadcast of De Financiële Telegraaf TV, I discussed the Dutch Data Leaks Notification Act (Wet Meldplicht Datalekken), which came into effect on 1 January 2016. Businesses run the risk of being fined up to € 820,000 if they do not have the appropriate procedures in place. Not only does this apply to major businesses, but also – for example - to owners of small web shops, who are often not aware of these requirements. Click here (Dutch) to watch the interview.

But what shoud I do?

Do you want to know exactly what measures you need to take in order to be compliant as soon as the act comes into force? Read my article (Dutch) 'De Wet Meldplicht Datalekken, iedereen moet aan de slag!' or check on managers-online.nl (also Dutch) the four preparatory measures that I mention in respect of the stricter requirements for database management as of 1-1-2016. Another option is of course that you contact me.

Prefer reading the interview?

Interviewer Roel den Outer: 'Good morning, and welcome to our programme, DFT ondernemen. The majority of Dutch businesses runs the risk of being fined for hundreds of thousands of euros, because they have not taken measures to comply with the new Data Leaks Notification Act. That Act will take effect on 1 January, so businesses must get their data management in order as soon as possible. How can they do that? Our guest is lawyer Olaf van Haperen. Olaf, welcome. What exactly does this new act mean, that will come into force on 1 January?'

Olaf van Haperen: 'In short, the act means that businesses have a notification obligation in the event of a data leak. And the definition of ‘data leak’ is quite broad.'

Roel den Outer: 'And to whom does this act apply?'

Olaf van Haperen: 'In fact, it applies to everyone. So government bodies and businesses. But also health care institutions, schools, no exceptions.'

Roel den Outer: 'Is there a term within which the notification must be made?'

Olaf van Haperen: '72 hours.'

Roel den Outer: ‘So, the regulator must be notified within 3 days?'

Olaf van Haperen: 'Yes, and that’s not easy.'

Roel den Outer: 'Okay. And what happens after the notification? That’s it?'

Olaf van Haperen: 'No, because what you notify is that there is a leak. You have to tell the regulator how it happened, and what you had done to prevent it and to minimize the loss/damage.'

Roel den Outer: ‘And if they believe that you have not tried hard enough, you can get fined?'

Olaf van Haperen: 'That’s correct.'

Roel den Outer: 'That fine, what amounts are we talking about?'

Olaf van Haperen: 'Where there is intent or gross negligence, the maximum fine is EUR 820,000.'

Roel den Outer: 'Surely, a small web-shop owner won’t get such a big fine for a leak, will it?'

Olaf van Haperen: 'No, you know, that is the maximum fine. The risk for a small web shop is not so much the fine, for the act provides two notification duties: the duty to notify the regulator, and the duty to notify the customers of the business. If the leak potentially has serious consequences, well, then I suggest that you hire the services of a call centre, or something else. In that case, the law provides that you must notify all your customers. '

Roel den Outer: 'Right, and that’s going to cost a lot of money.'

Olaf van Haperen: 'Well, actually I can’t imagine you will be left with any customers.'

Roel den Outer: 'Quite, trade will come to a halt.'

Olaf van Haperen: 'Yes.'

Roel den Outer: 'What can businesses do to prevent this from happening?'

Olaf van Haperen: 'It all starts with awareness. You have to realize what data you have. You have to understand that if an employee leaves the company, and you do not delete the data on his mobile phone, he will be out on the street with all the contacts that in fact are your contacts, as you are his former employer. So it starts with awareness. It is not until then that you can stop potential leaks.'

Roel den Outer: 'That means that you need to apply a very strict corporate policy.'

Olaf van Haperen: 'Yes, a very strict policy.'

Roel den Outer: 'So change all data whenever the situation changes. But you know, we’re all human, and a mistake is easily made. Is it possible as a business to take out insurance against such situation.'

Olaf van Haperen: 'That is a possibility, but the insurance company no doubt will make demands.'

Roel den Outer: 'It will say that you have to be extremely careful with your passwords.'

Olaf van Haperen: 'It will say: be aware, you need to change your passwords in good time. You have to understand what happens when someone leaves the company. In other words: awareness, know what data you have in the system. And if it happens, you need to have a procedure in place so that you know what to do in terms of notification.'

Roel den Outer: 'Okay. That new act will be effective as of 1 January. Do you think that the regulator will have hundreds of employees eager to start handing out fines?'

Olaf van Haperen: 'The regulator does not say how many employees it has for enforcing this new act. What it did say was that it expected tens of thousands of notifications.'  

Roel den Outer: 'Tens of thousands of notifications. So it’s fair to assume that they cannot follow up every notification with a fine.'

Olaf van Haperen: 'No. But you don’t want to be the first one.'

Roel den Outer: 'Quite right, you don’t want to serve as an example.'

Olaf van Haperen: 'Nope.'

Roel den Outer: 'Okay, Olaf, thank you so much!'

Olaf van Haperen: 'It was a pleasure!'