I’ve been looking for an English language report on the new breach guidelines in Belgium and finally found one. Cédrine Morlière and Ludo Deklerck of Bird & Bird write:
When the data breach results in a “public incident” (when a data breach results in a public leakage of private data), according to the guidance, the Data Protection Commission is to be informed of the causes and consequences of the incident within 48 hours. In addition, a public information campaign should be rolled out within 24-48 hours after notifying the Data Protection Commission.
The Belgian Data Protection Commission also announced its intention to reinforce the present legal framework. There is already a legal obligation for data controllers to put adequate security measures in place pursuant to the Belgian Data Protection Act; however, this obligation is not being implemented seriously enough, according to the Commission. The Commission will now lobby the Belgian legislator in order to be entitled to make its recommendations on security measures legally binding.
Read more about the new guidelines on Bird & Bird. As always, I’m skeptical of the value of certain reporting demands such as notification to the public within 48 hours. Rushing to notify often leads to errors and necessitates revised notifications with more cost and more frustration or anger for those affected by a breach.