New guidance on data breaches in Belgium

15 May 2013

Cédrine Morlière

The Belgian Data Protection Commission has issued guidance on security measures aimed at preventing data breaches. This follows serious data breaches reported in the Belgian press in December 2012, in which a Belgian public transport company's customer data turned out to be publicly accessible on the Internet.

In order to prevent such data breaches, the Data Protection Commission recommends putting adequate security measures in place, using either the ISO/IEC 27002 standard or the general guidance on security measures published on the Commission's website as a template.

When a data breach results in a "public incident" (a public leakage of private data), the guidance states that the Data Protection Commission is to be informed of the causes and consequences of the incident within 48 hours. In addition, a public information campaign should be rolled out within 24-48 hours after notifying the Data Protection Commission.

The Belgian Data Protection Commission also announced its intention to reinforce the present legal framework. Data controllers are already under a legal obligation to put adequate security measures in place pursuant to the Belgian Data Protection Act; however, according to the Commission, this obligation is not being implemented seriously enough. The Commission will now lobby the Belgian legislator in order to be entitled to make its recommendations on security measures legally binding.

In the meantime, in cases of negligence relating to security measures, the Data Protection Commission will use all the legal means currently available to it to hold data controllers liable and will report any serious issues to the public prosecutor, with possible criminal sanctions as a consequence.

Companies wishing to reduce the risk of security breaches should check whether the security measures they have in place meet the standards recommended by the Belgian Data Protection Commission in its new guidance.

(Recommendation 01/2003 dated 21 January 2013).