Cooperating with the Dutch Data Protection Authority is always the best option

Given that the General Data Protection Regulation (GDPR) will impact most companies, it is wise to be aware of the consequences if you violate its provisions.

Who oversees the GDPR?

The Dutch Data Protection Authority (DPA) is the supervisory authority in the Netherlands responsible for overseeing and enforcing compliance with the GDPR.

Data breach notification

If a personal data breach is likely to result in a risk to the rights and freedoms of a data subject, the controller must notify the DPA “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. Where a high risk exists for a data subject, the data subject must also be informed and given the prescribed information.

The following must be communicated to the DPA:

  • the nature of the breach;
  • the name and contact details of your data protection officer (if applicable);
  • the likely consequences of the breach; and
  • the measures taken or proposed to address and mitigate the breach.

Powers of the DPA

Under the GDPR, the DPA has investigative and corrective powers. Corrective powers include: issuing warnings; ordering compliance with data subject requests to exercise their data protection rights; ordering compliance with the GDPR; and ordering restrictions on data processing activities.

Although the DPA also has the power to impose fines, for relatively minor breaches the exercise of the corrective powers listed above may be sufficient to address a data breach. However, failure to report a breach is one of the aggravating factors for imposing a fine.

Fines under the GDPR

Organizations can be fined up to €20,000,000 or 4% of total worldwide annual turnover for the most serious breaches, whichever is higher. However, there are a number of factors that the DPA must take “due account” of when determining whether to impose a fine and the level of a fine:

  • Nature, gravity and duration of the infringement;
  • Damage caused;
  • Intentional or negligent character;
  • Mitigation by the controller;
  • Adequacy of existing safeguards;
  • Relevant previous infringements, ordered corrective measures and compliance with any orders;
  • The degree of cooperation with the DPA;
  • How the DPA found out, including whether (and to what extent) the organization provided notification; and
  • Any other aggravating or mitigating factors.

Conclusion: prevention is better than cure

When GDPR breaches are evident, properly reporting the breach to and cooperating with the DPA is always the best option.

However: prevention is better than cure

How can you protect sensitive information and prevent its unintentional disclosure? By using SharePoint, you have the right foundation for sound document management.