130 days, 1,500 notifications: Does Dutch breach rule foreshadow GDPR?
Lokke Moerel and Alex van der Wolk write:
As we write this, it is now four months since the new data breach notification law in the Netherlands went into effect. Since 1 January 2016, data controllers are obliged to notify the Dutch data protection authority (DPA) and individuals if the security of personal data has been compromised. The new Dutch law requires:
- The Dutch DPA must be notified where there is a considerable likelihood of the breach having serious adverse effects on the privacy of the affected individuals. This is a higher threshold than provided for under the GDPR, where the DPA must be notified of a breach, unless it is unlikely to result in a risk to the privacy of individuals.
- Individuals must be notified if such a breach has a considerable likelihood of adversely affecting the privacy of the individual. This seems to be a lower threshold than provided for under the GDPR, where individuals must be notified directly if a breach is likely to result in a high risk to the privacy of the individuals.
At a speech during the International NCSC One Conference on 5 April 2016, a representative of the Dutch DPA indicated that in the first 100 days it received more than 1,000 breach notifications under the new data breach notification law. By early May, we heard that the number has now already surpassed 1,500. Extrapolating these numbers would result in a total of 4,200 notifications to the DPA per year. The DPA also indicated that it is not surprised by this number, as there are more than 130,000 organizations in the Netherlands that would be subject to the new notification requirements.
Read more on IAPP.