Anne-Mieke Verbunt, lawyer at Halsten Lawyers:
“At Halsten, we have proven experience with the process that follows the report of a possible data breach. In such cases, we immediately set up a crisis team and maintain an overview based on our legal expertise. Then, we advise, and quickly regain control over the situation.
After the incident has been reported to the Dutch Data Protection Authority, we take necessary the operational steps taking account of the time pressure involved. This includes contacting the data subjects, setting up a call centre for answering questions, organising interpreters for foreign data subjects, etc. We also immediately call in an independent third party to determine who bears ultimate responsibility. Based on our quick response, a thorough investigation and calling in the right experts, control is quickly gained of the situation, and subsequent legal steps can be taken, such as holding the party who caused the data breach liable, suspending outstanding invoices or levying pre-judgment attachment.”
Together with one of the privacy specialists on team Halsten, Anne-Mieke looks at this project and the approach: “With this client, but also in other cases involving a data breach, we need to work under considerable pressure to quickly determine exactly what is happening. Almost immediately after the data incident is discovered, measures must be taken to put an end to both the incident and the invasion of the privacy of the data subjects. A data breach or incident must be reported to the Dutch Data Protection Authority within seventy-two hours after discovery. This means that we immediately call together a crisis team of specialists. First, we take inventory to determine whether a data breach is involved, and therefore if unauthorised access to the data was obtained and thus the rights and freedoms of the data subjects were violated. After the report to the Dutch Data Protection Authority, a decision is made about informing the data subjects involved.”