Patrick Van Eecke writes:
Following several recent widely publicized data breaches in Belgium, the Privacy Commission issued a new recommendation on security measures and data breaches. The recommendation builds further on its previously issued security reference measures and details specific security requirements regarding, among other things, IT architecture and development and production environments.
Remarkably, the Privacy Commission introduces a security breach notification obligation, but for “public incidents” only. Companies are required to have documented alarm and notification procedures for data security breach incidents. In case of a “public incident”, the Privacy Commission must be informed of the causes and damage within 48 hours. A public information campaign will be initiated within 24 to 48 hours after such notification. The Privacy Commission does not specify what is to be understood by a “public incident.”
Read more on Technology’s Legal Edge.