
Dutch DPA publishes new security guidelines for controllers and processors

19 February 2013

Gerrit-Jan Zwenne, Huub de Jong

Today the Dutch Data Protection Authority published new guidelines on the security of data processing. The new guidelines were long overdue and replace an outdated opinion, issued over a decade ago in 2001, that outlined security measures for controllers and processors.

Pursuant to the Dutch Data Protection Act (Wet bescherming persoonsgegevens), controllers and processors must implement appropriate technical and organisational measures to protect personal data against loss or other unlawful processing. However, the Act and other regulations describe only in very general terms how this legal requirement should be implemented. As a result, many controllers and processors struggle to know exactly which security measures they need to put in place.

The new guidelines provide a theoretical overview of the legal framework and the principles for the protection of personal data. They also contain instructions on how to implement these principles in practice. The overview of possible security measures includes access control, logging, incident response management, confidentiality agreements and encryption.

Unlike the 2001 opinion, the new guidelines do not contain a methodology for deciding how sensitive a given data processing operation is. As a result, no clear link can be made between the sensitivity of the data processing and the security measures it calls for. In that respect the guidelines do not provide much guidance on the measures to be implemented in specific situations.

In their first reactions, some controllers and processors expressed that they had hoped the DP Authority would take the opportunity to provide more concrete guidelines for the industry. The publication of the guidelines is nevertheless well-timed: within one or two months a Bill on data security breaches will be sent to Parliament. This Bill will include a breach notification obligation and a maximum fine of EUR 200,000 for non-compliance.

In 2012 the Data Protection Authority conducted 28 investigations into security breaches. Most incidents were the result of web forms being submitted unencrypted over the internet; in a number of cases these involved medical or other sensitive data. In addition, a number of hacking incidents were investigated, in particular SQL injection and cross-site scripting attacks.

The new security guidelines can be downloaded here (Dutch).

For further information please contact:

Gerrit-Jan Zwenne

Huub de Jong