The Dutch Senate has approved a new bill to amend the Data Protection Act, with the changes seeing the introduction of mandatory breach disclosure, as well as increased powers for the local data protection authority, the CBP.
The legislative amendment follows on from the bill's approval by the lower parliamentary house in February and will force companies to report data breaches to the CBP if it impacts security and has a reasonable chance of impacting personal data protection.
In addition to reporting security events to the CBP, businesses must tell the affected people if their data is at risk. If the organisation has taken security precautions, such as encryption, the requirement for informing the affected persons is relaxed. However, encryption is no saving grace - for instance, a failure to alert the watchdog about a stolen encrypted hard drive would still be punishable.
If the data breach is not reported, the CBP can apply a fine, now up to € 810,000 (£583,000), or 10 percent of annual turnover. Previously, the data protection authority was able to find up to just € 4,500 (£3,325). Before the new legislation comes into force, the CBP will issue guidelines on implementation.
The CBP has also changed its name from 'College Bescherming Persoonsgegevens' to 'Autoriteit Persoonsgegevens' (Personal Data Authority). It is believed that the Dutch Parliament has approved these changes in line with the forthcoming General Data Protection Regulation.