Since the General Data Protection Regulation (GDPR) will affect most businesses, it is wise to be aware of the consequences if you violate its provisions.
Who supervises the GDPR?
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) is the supervisory authority in the Netherlands responsible for the supervision and enforcement of compliance with the GDPR.
Duty to report a breach
A controller must notify the AP of a personal data breach 'without undue delay and, where feasible, not later than 72 hours after having become aware of it', unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is made later than 72 hours, it must be accompanied by the reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk to data subjects, the controller must also communicate the breach to the affected data subjects without undue delay.
The notification to the AP must at least contain:
- the nature of the breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned;
- the name and contact details of your data protection officer (if applicable) or another point of contact;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where not all of this information is available at once, it may be provided in phases. Every breach, including one that is not notified, must be documented (facts, effects and remedial action taken) so that the AP can verify compliance.
Powers of the AP
The AP has investigative and remedial powers under the GDPR. Corrective powers include: issuing warnings; ordering compliance with a data subject's requests to exercise their data protection rights; ordering compliance with the GDPR; and ordering restrictions on data processing activities.
Although the AP also has the power to impose fines, for relatively minor breaches the exercise of the remedial powers mentioned above may be sufficient to address a data breach. Note, however, that failing to notify a breach is itself an infringement of the GDPR, punishable by a fine of up to €10,000,000 or 2% of worldwide annual turnover, and that the manner in which the AP learns of an infringement, in particular whether the organisation notified it, is one of the factors weighed when a fine is set.
Fines under the GDPR
For the most serious infringements (for example of the basic principles of processing or of data subjects' rights), organisations can be fined up to €20,000,000 or 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher. A lower tier of up to €10,000,000 or 2% applies to, among others, infringements of the obligations of controllers and processors, including security of processing and breach notification. There are a number of factors to which the AP must give "due regard" when deciding whether to impose a fine and how high it should be:
- The nature, gravity and duration of the infringement, including the number of data subjects affected and the level of damage they suffered;
- Whether the infringement was intentional or negligent;
- Any action taken by the controller or processor to mitigate the damage;
- The degree of responsibility, taking into account the technical and organisational measures that were in place;
- Any relevant previous infringements;
- The degree of cooperation with the AP;
- The categories of personal data affected;
- How the AP became aware of the infringement, in particular whether (and to what extent) the organisation notified it;
- Compliance with any corrective measures previously ordered;
- Adherence to approved codes of conduct or certification mechanisms; and
- Any other aggravating or mitigating factors, such as financial benefits gained or losses avoided as a result of the infringement.
Conclusion: when a violation has occurred, report it and cooperate
When a violation of the GDPR has occurred, prompt notification to and cooperation with the AP is always the best option: both count in your favour when the AP decides on a fine.
But prevention is better than cure
How can you protect sensitive information and prevent it from being disclosed unintentionally? Good document management, with clear control over who may access which documents, is the foundation, and SharePoint gives you the right basis for it.