How to prevent a data breach

A telecom provider, an airline, a market research company: all had a data breach in early 2023. What do you do if your company has leaked customer data? And how do you prevent such a data breach?

What is a data breach?

In a data breach, personal data falls into the hands of people who should not have access to it. Think of names, addresses and phone numbers. A data leak occurs because of a security problem or because someone acts carelessly: for example, an employee leaves a flash drive with customer data on the train, or personal data is stored unsecured on a computer server.

Dangers

In the event of a data breach, your company may suffer reputational damage (in Dutch). Nobody likes to tell customers or suppliers that their personal data has been exposed. The consequences are also potentially serious for the victims: criminals misuse leaked personal data for phishing and identity fraud (in Dutch), for example.

Data leaks are common, in large and small companies alike. Serious data leaks must be reported to the Personal Data Authority (AP) within 72 hours; otherwise you may be fined.

Severity of data breaches increases

In 2022, the Personal Data Authority (AP) received more than 21,000 reports of a data breach, a decrease compared to 2021, when there were almost 25,000. The AP does see, however, that the severity of data breaches is increasing. In serious data breaches, the risks and consequences are high. Criminals can, for example, misuse medical data to make false insurance claims.

Discover the leak

A data leak happens very quickly. A mistake is easy to make. It certainly does not just happen to big companies. For example, you lose your laptop or you accidentally email sensitive information to the wrong person. Then you already have a data leak.

A data leak caused by a security problem is often only discovered when you perform checks. By then you may have been leaking data for a long time. So, pay attention to the following issues:

  • Regularly check the logs of your IT systems. Has data changed or disappeared unexpectedly? Are there any suspicious login attempts on accounts? With a logbook, you know who is in your network at what time. And what they are doing there. You can buy software that allows you to install a logbook.
  • Be alert to customers, suppliers and other business contacts complaining about phishing or other scam attempts.
  • Check notifications from your antivirus software or firewall. Is there any suspicious network traffic? Is suspicious software active?

Does something seem off? Engage your IT administrator or ask a cybersecurity specialist for advice.
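To make the log check in the first bullet concrete, here is an added Python example (not part of the original article) that scans constructed login records in an assumed "timestamp result user ip" line format and flags accounts with a burst of failed login attempts, noting whether a successful login followed the burst from the same address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<account> ip=<address>"
SAMPLE_LOG = """\
2023-03-01T02:14:05 FAIL user=j.devries ip=203.0.113.7
2023-03-01T02:14:09 FAIL user=j.devries ip=203.0.113.7
2023-03-01T02:14:13 FAIL user=j.devries ip=203.0.113.7
2023-03-01T02:14:18 FAIL user=j.devries ip=203.0.113.7
2023-03-01T02:14:22 FAIL user=j.devries ip=203.0.113.7
2023-03-01T02:14:30 OK user=j.devries ip=203.0.113.7
2023-03-01T08:55:01 OK user=a.bakker ip=198.51.100.4
2023-03-01T09:01:44 FAIL user=a.bakker ip=198.51.100.4
2023-03-01T09:02:02 OK user=a.bakker ip=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def find_suspicious_logins(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {user: {"ip": ..., "success_after": bool}} for every account that had
    at least `max_failures` failed logins inside `window`. `success_after` is True
    when a successful login followed while the burst was still inside the window."""
    events = sorted(parse(log_text))
    failures = defaultdict(list)   # user -> timestamps of failures still inside the window
    findings = {}
    for ts, result, user, ip in events:
        recent = [t for t in failures[user] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= max_failures:
                findings.setdefault(user, {"ip": ip, "success_after": False})
        elif user in findings and recent:
            findings[user]["success_after"] = True
        failures[user] = recent
    return findings

print(find_suspicious_logins(SAMPLE_LOG))
```

Accounts in the result deserve a closer look in the full logbook: a success right after a burst of failures is the pattern to check first, and a flagged account with no success still shows someone is probing your systems.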


Protect personal data

With a few measures, you can prevent your own and your customers' personal data from falling into the wrong hands. For example, take the following actions:

  1. Discuss regularly with colleagues – say, once a year – how data is processed in your company. Send your data securely.
  2. Make sure you are well-versed in the GDPR, which covers the handling of personal data.
  3. Do not give out passwords, customer data, and access to your systems to third parties, such as self-employed professionals you hire or suppliers.
  4. Will a third party be processing personal data for your company? Then make sure you have a data-processing agreement (in Dutch). Are you self-employed? Then check for each new assignment whether you will be working with your client's personal data. In that case, you must enter into a non-disclosure agreement with them.
  5. Tell customers what data you are collecting and for what purpose. And give them the opportunity to opt out or to stop their data from being collected.
  6. Invest in good IT security for your laptop, computer, phone, and mobile devices. For example, use strong passwords or two-factor authentication. Also, discuss your security once a year with a cybersecurity expert.

Roadmap in case of data breach

Take the following steps if you have a data breach:

  1. Check whether any personal data is involved. Personal data is any data that can be traced back to a person. Think of name, address and place of residence, but also phone numbers and e-mail addresses.
  2. Stop the data breach if it is still ongoing. Think of remotely wiping a lost smartphone. Is fixing the data breach complicated? Then engage a cybersecurity or digital forensics expert.
  3. Assess the risk of the data breach. The more sensitive the personal data, the higher the risk. Check the list of examples from the Personal Data Authority (AP).
  4. Report the data breach to the AP within 72 hours. This is mandatory for data breaches that result in a risk to the rights and freedoms of the victims. Don't report it? Then the AP may impose a fine on you.
  5. Report the data leak to the victims whose data you leaked. This applies to data leaks that could have major consequences for you and the victims. Think of reputational damage, identity fraud and discrimination.
  6. In all cases, record the data breach in your mandatory data breach register.