Reporting a data leak: what steps do you need to take?

4 min read
Data leak reporting

Data leak reporting

You always hope that you’ll never have to use the information in this article, because if you do, then you most probably have had a data leak. Unfortunately, it is not a question of whether a data leak will take place in your organisation, but rather a matter of when. It’s wise to prepare for that contingency. These steps will ensure that you won’t miss a thing when you report a data leak.

Data leaks: (almost) impossible to prevent

Let’s start by assuming that data leaks are inevitable. Many of your employees handle information all day long. They make calls, send faxes, print out documents and send dozens of emails. A data leak can happen at any time. An employee could forget to pick up a printed document from the printer, forget to lock their screen, or send information to the wrong person – and just like that, confidential information is suddenly available to unauthorised parties.

If that happens, are you required to report the data leak? If so, what information do you need in order to fil a report, and who do you need to notify? Read more about the five things that play a role when reporting a data leak under the GDPR.

Reporting data leaks

When personal data has been leaked, the organisation must report the leak to the Dutch Data Protection Authority. Here’s what you need to do so you can be ready to report data leaks.

1. Make sure that your employees know that they need to report a data leak

When things go wrong, you need to report the data leak. The first step is someone reporting the leak to the Chief Information Security Officer (or data protection officer) of their organisation.

In practice, however, not all data leaks are reported to the appropriate official within the company. This could be due to various reasons. The people involved may not be aware that they have caused a data leak, or are afraid that their own position will be jeopardised if they report it. Some employees might take the gamble that their error won’t be detected.

This might possibly be the most difficult step of the entire reporting process. Employees need to be aware of the significance effective personal data protection. The organisation’s culture could play a role in encouraging employees to report data leaks, even if the employees failed to follow security procedures. Reporting a data leak should be easy, for instance by means of a form on the company intranet.

2. Gather information about the data leak

The CISO cannot assess whether the data leak needs to be reported to the Dutch Data Protection Authority until it’s clear what happened. In any case, you will need the following information:

What happened exactly?

To determine whether a security incident or data leak has taken place, you will need to find out what has happened exactly, and when. Do you know if unauthorised data processing has taken place? If that’s the case, then you are dealing with a data leak. If not, then you have a security incident.

For example: one of your employees accidentally sends an email containing a customer’s financial data to a journalist that they work with occasionally. The journalist immediately realises that this was a mistake and deletes the email without taking any other action. In this case, you have had a security incident, but you can clearly show that no unauthorised data processing has taken place.

What kind of data are you dealing with?

It is important to know what type of information you are dealing with in the event of a data leak. Is it sensitive personal data, or data which could adversely affect the protection of that personal data? If a Citizen Service Number is leaked, for example, it could have adverse effects for a customer (e.g. identity fraud). You need to know what kind of data was involved in order make an accurate assessment of the consequences of leaking specific information. Carefully consider how you are going to find out what type of data is involved in the data leak.

3. Assess whether the data leak needs to be reported and limit the damage

Use the information above to determine if the leak needs to be reported. Answer the following question:

Has any data been lost during the security incident or can it not be ruled out that data has been processed in unauthorised ways?

If so: You have a data leak. It needs to be reported.

If not: You do not have a data leak. It does not need to be reported.

But if you know that you have a data leak on your hands: make sure to limit the damage as much as possible. Destroy the accidental print-out, revoke the authorisation, or retrieve the emails that were sent accidentally.

4. Report the data leak to the authorities

If you are required to report the data leak, you can use the form from the website of your local Data Protection Authority. You will need the information you have gathered in step two to file the report. In addition, you will need to state the impact of the leak, whether you have already informed the people involved, and what steps you plan to take to prevent future leaks.

5. Report the data leak to the people involved (if necessary)

In the event that it is necessary to notify the people involved that there has been a data leak, the AP states that this needs to happen ‘immediately’. There are no other instructions as how notification should take place. It is important to carefully consider how you intend to notify the people involved, for instance your customers. After all, the reputation of your organisation could suffer immensely. An excellent way is to give your customer helpful tips on dealing with the consequences of the data leak. Make sure you have communication formats prepared that enable your organisation to send quick notifications in case of a data leak. Also make sure that any overview of the leaked data is provided to the people involved through secure channels.

How do you deal with data leaks?

The emphasis on how to handle mandatory reporting of data leaks is focused on an early stage of the process. An appropriate response requires considerable awareness within your organization.

Would you like to know how to increase employee awareness of privacy and the GDPR within your organisation? Then download our free e-book to learn more.


Written by
Picture of Francis Mustert

Francis Mustert

Francis studeerde Communicatiewetenschap aan de Universiteit van Amsterdam. Na haar stage bij Vodafone kreeg ze de smaak te pakken en startte zij haar Master Corporate Communication. Daarna ging zij in MKB aan de slag waar zij zelfstandig alle facetten van de marketing en communicatie opzette. Bij ZIVVER vindt ze de gedreven ondernemendheid aanstekelijk. Het meeste energie krijgt zij van kansen signaleren en ten volste benutten. Waarom? Omdat stilstand achteruitgang betekent. In haar vrije tijd staat Francis graag op het volleybalveld, maar geniet ook van de derde helft. Daarnaast maakt ze graag één keer per jaar een mooie reis.

Originally published on June 29, 2018

Last update on July 15, 2021