Legislative Update: Dutch Parliament Adopts Bill on Data Breach Notification
In brief, the bill requires data controllers to:
- Notify the DPA immediately of a breach if it is likely to have ‘serious adverse consequences for the protection of personal data’ (it is expected that the DPA will issue guidance defining what constitutes ‘serious adverse consequences’);
- Notify individuals, unless the personal data has been encrypted; and
- Maintain an internal data breach register recording all security breaches they experience that have or might have potential negative effects on individuals, including information about the breach, mitigating measures, and the text of notifications to the individuals affected. There is no obligation to make this register public.
It is not yet known when the bill will enter into force. Usually, amendments to the Dutch Data Protection Act would enter into force immediately upon publication in the Dutch Government’s Gazette. However, a royal decree is required for laws to become effective, and it is not clear when this will happen: it could be at any time between the summer of 2015 and early 2016. The bill is a precursor to the data breach notification requirement in the EU General Data Protection Regulation, and will apply until the Regulation comes into force at some point in the future.
Companies are advised to consider how best to implement appropriate data compliance and data security policies.