OUT-LAW NEWS

Data breaches can spur wider GDPR compliance scrutiny, says expert



Businesses that have personal data stolen from them by hackers can expect other aspects of their compliance with data protection laws – beyond just their obligations around data security – to come under intense scrutiny, an expert in data and cyber law has said.

Amsterdam-based Jeroen Schouten of Pinsent Masons said hackers are increasingly extracting personal data in the early stages of cyber attacks – often before carrying out other disruptive activity, such as locking victim businesses out of their own systems. In that scenario, he said, businesses not only need to consider their obligations to notify a data breach but also, potentially, a much wider range of compliance issues.

“Attackers no longer need to encrypt systems to cause maximum damage,” Schouten said. “By stealing data first, they ensure that the harm – and the regulatory exposure – is immediate and irreversible. Backups solve encryption. They do not solve data theft. Attackers have recognised that distinction.”

“Exfiltration-first attacks function as a stress test for GDPR compliance. When large datasets can be copied out unnoticed, it usually reveals that confidentiality, access restriction and monitoring were weaker than assumed. These incidents often expose a gap between compliance on paper and security in practice – and that gap can become very visible once regulators start asking questions.”

A data breach affecting Dutch telecoms provider Odido has spurred a wider investigation into its data retention practices. Data concerning around 6.2 million people is reported to have been exposed by hackers. The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), said it had received hundreds of complaints from former customers of the company following the incident. Odido’s compliance with telecoms security rules is being investigated by the State Inspectorate of Digital Infrastructure (RDI), while the AP is looking into its compliance with data minimisation requirements under the GDPR. A mass claim relating to the data breach has also now been lodged against Odido in the Netherlands.

Last week, the AP said it plans to proactively scrutinise whether the systems operated by “several” ICT suppliers are sufficiently secure against the risk of cyber attacks. It highlighted that ICT suppliers often process the personal data of many different organisations and said that, because of this, a data breach at such a supplier could have significant consequences.

Schouten said: “The AP’s focus on ICT suppliers exemplifies the need for adequate supply chain security as introduced by the Cyberbeveiligingswet, which implements NIS2 in the Netherlands. Organisations cannot outsource operational control and retain legal responsibility without meaningful oversight. In today’s threat environment, a supplier breach is no longer a peripheral risk. It is a central governance issue with potentially massive downstream impact.”
