On 26 April 2021, the Litigation Chamber of the Belgian Data Protection Authority (BDPA) handed down its first fine specifically for cybersecurity failures.

This decision follows others in which the Litigation Chamber treated cybersecurity failures as one factor among others (see e.g. decision of 22 January 2021), and it should serve as a signal for other organisations: all controllers and processors must ensure that the technical and organisational measures they have taken to keep personal data secure are appropriate. Otherwise, the bill could be orders of magnitude higher than the cost of implementing such measures. Fines across the European Union and in the United Kingdom for cybersecurity failures are often in the hundreds of thousands or even millions of euros, with the more limited ones (such as this one, at 100,000 EUR) often linked to what could be viewed as limited cybersecurity failings – or a limited number of known affected data subjects. If an organisation fails massively at cybersecurity, a massive fine may be forthcoming.

Put differently, cybersecurity is not a sunk cost – it is a good and necessary investment. It is a crucial safeguard for the business, in many cases a sales argument, and also a great way to limit the cost of (inevitable) incidents and to mitigate fines for inadequate measures.

Read here the analysis by our Data & Cy
