What should you do in the event of a data breach? 4 questions answered


A data breach can have serious consequences for individuals and companies. What can you do yourself as an individual, and what does the responsible company owe you?

The recent incident at the Dutch telecom provider Odido makes it clear once again: a data breach can happen to anyone. We constantly leave a trail behind when we purchase products or services from companies. Companies want to collect as much data as possible to get a clear picture of who their customers are.

As individuals, we can only hope that this data is handled with care, but practice unfortunately shows that this is not always the case. Personal data is highly valuable to cybercriminals, for extorting companies or, even worse, for identity theft. But what can you do if you become a victim of a data breach? We put four questions that everyone should ask after a data breach to the Belgian Data Protection Authority (DPA).

How do you protect yourself against phishing and fraud?

The risks of a data breach depend on the context of the breach and the type of data leaked. In most cases, you as an individual will be a prime target for phishing, especially when the perpetrators make the data public or put it up for sale in criminal circles.


“Stay vigilant for suspicious emails, text messages, phone calls, or messages on apps. Criminals combine leaked data with publicly available information to send targeted, convincing phishing emails or to pose as a bank employee over the phone,” warns Aurélie Waeterinckx, spokesperson for the Belgian Data Protection Authority, in a written response.

The DPA provides several concrete tips to protect yourself:

  • Hang up if an institution calls or messages you unexpectedly.
  • Never share information outside of official channels.
  • Limit the visibility of social media profiles.
  • Check the sender’s email address for subtle changes in the domain (e.g., ‘0’ instead of ‘o’).
  • Be skeptical of the content and do not click on links, especially when they contain exclusive offers or urgent requests.
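A small defensive check for the sender-domain tip in the list above, as an added example that is not from the article or the DPA: it folds the '0'-for-'o' style substitutions and flags addresses whose domain only matches a known domain after folding, or that embed the brand in a foreign domain. The trusted-domain list and the confusable table are constructed assumptions.

```python
import unicodedata

# Constructed allow-list of domains the reader legitimately deals with (assumption, not from the article).
TRUSTED_DOMAINS = {"odido.nl", "mybank.be"}

# Look-alike substitutions to fold before comparing; the article's own example is '0' for 'o'.
# The Cyrillic entries cover IDN homographs that survive lower-casing (constructed, not exhaustive).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",
})

def normalize(domain: str) -> str:
    """Canonical form for comparison: lower-case, fold confusables, strip accents."""
    d = domain.strip().lower().rstrip(".").translate(CONFUSABLES)
    d = unicodedata.normalize("NFKD", d)
    return "".join(ch for ch in d if not unicodedata.combining(ch))

def sender_domain(address: str) -> str:
    """Domain part of an e-mail address; raises if there is no '@' with text on both sides."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain

def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of a sender address."""
    raw = sender_domain(address).lower().rstrip(".")
    norm = normalize(raw)
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return "trusted"        # the real domain or a genuine subdomain of it
    for t in trusted:
        if norm == t or norm.endswith("." + t):
            return "lookalike"      # matches only after folding, e.g. odid0.nl
        if t.split(".")[0] in norm:
            return "lookalike"      # brand name embedded in a foreign domain, e.g. odido.nl-login.com
    return "unknown"
```

Treat "lookalike" as a reason to stop and verify through an official channel, and "unknown" as ordinary caution; the check is a filter for attention, not proof that a message is safe.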

With good password and account hygiene, you limit the risk of leaked login details being used to take over accounts. The classic rules here are not to reuse passwords, to change them if necessary, and to enable MFA whenever possible. Using free tools like HaveIBeenPwned.com, you can check for yourself if your data appears in a leaked database.

Through the free website HaveIBeenPwned.com, you can check if your data has ever been leaked.

What data are companies allowed to keep about you?

“In principle, all types of personal data can be processed by organizations to fulfill a specific and legitimate purpose, provided there is a legal basis,” says Waeterinckx. Extra rules apply to so-called ‘special categories’ of data, such as biometric data and data that can be read directly from an identity card.

Waeterinckx: “The principle of data minimization applies here: no more data may be processed than is necessary to achieve the intended purpose. In addition, the principle of storage limitation applies, which means that companies may not keep that data longer than necessary.”

When staying at a hotel, you often cannot check in nowadays without having your identity card scanned. Strict, specific rules also apply to identity card data because of the sensitivity of the information if it were to be leaked. The DPA advises being careful with your identity card yourself as well. “Those copies are often stored securely, but not always. If services still request your identity card to make a copy, make any unnecessary information illegible,” writes the spokesperson.

If you still feel uncomfortable with the data companies hold about you, know that under the GDPR you have the right to demand that this data be deleted. Companies are required to respond to such requests ‘within a reasonable timeframe.’ Make this a good habit: the more data an organization processes about you, the greater the risk of a leak, and therefore of damage.

Are companies required to contact you?

If your data has been involved in a data breach, you would prefer to be informed as quickly as possible. In that case, you would likely rather receive a personal message with an apology from the responsible company than read about the breach in the news. The GDPR provides clear guidelines for situations in which companies must personally inform their customers.


First and foremost, companies must notify the local authority, such as the DPA in Belgium, within 72 hours if the breach is “likely to result in a risk to the rights and freedoms of individuals,” Waeterinckx clarifies. “If the breach poses a high risk to the affected individuals, the company must also communicate with the individuals themselves as soon as possible, so they can take protective measures.” This is especially essential when it involves sensitive data that could lead to identity fraud, discrimination, financial loss, or reputational damage.

It is likely that a company will inform you, but you might also discover a data breach that is not yet known. In that case, inform the company in question immediately, preferably via email with screenshots as evidence. The DPO (Data Protection Officer) is the person you should contact.

Government institutions and organizations that handle personal data ‘systematically and on a large scale’ are required under the GDPR to appoint a DPO. Meanwhile, many organizations that are not legally required to do so also have a DPO on the payroll. However, a study by the EDPB, the European Union’s umbrella privacy body, published in 2024, concluded that DPOs often have to make do with limited time and resources.

Are you entitled to compensation?

Odido did not make itself popular by clearly stating in its communication that affected customers should not expect any compensation. The company argued that the leaked data posed ‘no direct’ risk. As a regulator, the DPA does not have to issue a final judgment on this, Waeterinckx clarifies.

“The DPA is an independent authority that supervises the application of the GDPR and other provisions concerning privacy.” Individuals can submit a request for mediation or a formal complaint to the authority if they believe a company is at fault for a data breach or has failed to meet its responsibilities. The authority will then start an investigation and, if an infringement is found, impose an appropriate sanction if necessary.

For those seeking compensation, the path to civil court remains necessary. The court will rule on fault, damage, and causal link. “The DPA is not a civil court that can demand compensation,” Waeterinckx adds.

A data breach is unpleasant for any individual or organization. Victims are advised to act quickly and critically: report the breach if necessary, secure your accounts immediately, and be extra alert for phishing. The core principle remains: handle personal data sparingly and carefully, because prevention is still better than cure.