Effective in 2016, Dutch companies, and later Belgian companies, must notify the data protection authority (“DPA”) and sometimes the affected individuals if they suffer certain data breaches involving personal data under their control. Companies will have to take this seriously, as failure to notify may lead to fines of up to €500.000,- (or potentially higher).
Who Is Affected?
The notification duty applies to data controllers that have an establishment in the Netherlands or Belgium and process personal data in the context of that establishment. It also applies to data controllers outside the EU that process personal data using equipment on Dutch or Belgian soil.
Security is no longer just an issue for the CTO. It is a strategic, board-level concern, and it must be a priority for businesses. Bolting security solutions onto business systems as an afterthought is not good enough to protect confidential data against increasingly sophisticated cyber threats.
Sometimes, the simplest errors are the most costly in security terms. Leaving a confidential document on a train, or a laptop in a taxi, or using a password that is easy to guess or crack, are all common mistakes that companies must protect against.
The growing use of mobile devices creates greater risk, too. Employees bring their own tablets and smartphones to the office and connect them to social networks and the Internet of Things, and with these devices come more potential points of failure. Businesses commonly use messaging apps and file storage systems, which all create additional risks. Educating employees about their role in keeping the corporate network secure, and creating a culture of security, is critical.
People present the biggest risk to the business, because they are the ones who make the mistakes that attackers can exploit. Board members can be even more vulnerable than most: they are more likely than junior employees to travel with confidential documents, and they will certainly have access to the most sensitive company information. They may be more experienced in business, but they may not be as tech-savvy as other employees.
The senior leadership team should focus on cybersecurity and set it as a priority for the company. Security should be discussed regularly at board level, with action taken to mitigate identified vulnerabilities.
It is important to have a long-term plan to protect the network, employees (and their devices), and documents, and to test that plan regularly using third-party penetration testing. This plan might include the following steps:
Avoiding breaches caused by human error
Review internal security regularly: enforce password changes where appropriate, and limit what can exist outside the firewall. Regularly train employees in handling sensitive data, and keep tight control over who has access to it.
Create a clear protocol for what happens if a password is stolen, and ensure your systems can revoke access rights to confidential data when needed. Always know where confidential documents are at any given point, to avoid the risk of papers being left in a cab or forgotten on a plane.
Securing confidential documents
Never use unsecured email to send sensitive documents, and ideally avoid printing documents entirely. Use collaboration tools built with security in mind to communicate confidential information. Ensure that data is always encrypted, both while it is in transit and while it is stored on servers or devices.
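The advice above to keep documents encrypted at rest is easy to get wrong: encryption without integrity protection lets a stored blob be modified without anyone noticing. The following Go program is an added example, not code from the original article or from any product it mentions. It protects a document with AES-256-GCM so that the stored blob is both confidential and tamper-evident, binds a document label as associated data so one ciphertext cannot be silently substituted for another, and shows that a single flipped byte is rejected on decryption. The in-memory key generation is an assumption for demonstration; in practice the key would come from a key management service or HSM rather than sit beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey generates a random 256-bit key. Assumption for this example only:
// production keys should be fetched from a KMS/HSM, not generated ad hoc.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key and returns nonce || ciphertext || tag.
// The document label is bound as associated data, so the blob only opens
// when presented with the same label it was sealed with.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. It fails closed: any modification of the stored blob,
// or a mismatched label, yields an error instead of corrupt plaintext.
func Open(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// RoundTrip seals a constructed sample document, opens it again, and then
// confirms that a blob with one corrupted byte is rejected. It returns true
// only when both the happy path and the tamper check behave as expected.
func RoundTrip() (bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	const label = "board-minutes-sample.docx" // constructed label
	doc := []byte("Board minutes: constructed sample content")
	blob, err := Seal(key, doc, label)
	if err != nil {
		return false, err
	}
	got, err := Open(key, blob, label)
	if err != nil {
		return false, err
	}
	if string(got) != string(doc) {
		return false, errors.New("decrypted document does not match")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Open(key, tampered, label); err == nil {
		return false, errors.New("tampering was not detected")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("document round trip and tamper check passed:", ok, "error:", err)
}
```

The same Seal/Open pair applies to data in transit, with the nonce sent alongside the ciphertext; the important property in both cases is that the receiver verifies the tag before trusting a single byte of the content.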
Securing your datacenter
If you (or your suppliers) use a datacenter, secure the servers on which sensitive data is stored, and use physical security such as on-site guards, CCTV, strict access control, and generator backups to keep the data safe and online.
Include redundant facilities so that systems, storage, and networks continue to operate even if something does happen to the primary systems. Back up data to a secondary, geographically separate disaster recovery environment, and monitor your data 24/7.
Keeping the network secure is not an easy task, but the best place to start a culture change is at the top. The challenge is to make the easiest thing to do also the most secure thing to do.
And remember, we must act now to ensure that the ‘prevention rather than cure’ principle is fully applied in the future.