Data Authority demands firms reveal serious privacy hacks

From January 1st, 2016, all companies and organizations that work with personal details have to report all serious data breaches, the Data Protection Authority CBP announced on Monday. These data leaks include a lost USB drive containing personal information, a stole laptop or a  hack into a data base. Institutions that fail to report this, can face a fine of up to 820 thousand euros.

The Authority published its rules over this new reporting obligation on Wednesday. "The expectation is that protection of personal data will be given a much higher priority in the development of products and services.", chairman Jacob Kohnstamm said. "The obligation to report data breaches does not aim for this in itself, but is a means to ensure that data breaches are prevented."

According to the Authority, a data breach must be reported if it "leads to the significant risk of serious adverse consequences for the protection of personal data". In some cases, the organizations involved my also have to report the breach to the victims. This must be done if the breach is "likely to adversely affect" their privacy.