As a consequence of certain recent data compromise cases, the Belgian Privacy Commission on 21 January 2013, has published a recommendation (01/2013) on security measures to be taken to avoid data breaches (the “Recommendation”).
The main points of the Recommendation can be summarised as follows:
- The Commission proposes some general measures to be taken, such as for example the implementation of at least three DMZ-zones to separate the local network from devices connected to the Internet;
- The Commission refers to the guidelines on information security of personal data which were published in June 2012 for a specific overview of measures;
- The Commission insist that data breaches be notified within 48 hours and that a public information campaign should be undertaken within 24 to 48 hours after the notification to the Privacy Commission;
- Based on its finding that Article 16, §4 of the Belgian Data Protection Act (the obligation to take all necessary technical and organisational measures) is not sufficiently complied with, the Commission announces that it will address the parliament to ask for the necessary competences to make its recommendations on the necessary security measures enforceable. Pending this request, the Commission shall use all its powers to ensure that data controllers breaching their obligations under Article 16, §4 of the Data Protection Act, are held legally liable for this. To this end, it will notify the public prosecutor of any such violation of the Data Protection Act of which it gains knowledge.
The full recommendation can be found on: