On 19 February 2013, the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, the "CBP") published its new guidelines on the protection of personal data. These guidelines will replace earlier guidelines published in 2001.
The guidelines will enter into effect on 1 March 2013. By that date, companies must have implemented the "Plan-Do-Check-Act" cycle described below, and their processing agreements (if any) must address the subjects specified in the guidelines.
Pursuant to the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) a company needs to implement appropriate technical and organisational measures to secure personal data against loss or any form of unlawful processing. The measures should guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the processing and the nature of the data to be protected. The measures should also aim at preventing unnecessary collection and further processing of personal data. The CBP guidelines provide further guidance on this.
The new CBP guidelines set out a "Plan-Do-Check-Act" cycle consisting of the following steps:
1. A risk analysis
2. Implementation of appropriate security measures based on the risk analysis
3. Periodic checks on compliance with the security measures
4. Periodic evaluation and amendments based on changed circumstances.
Many companies have their personal data processed by a processor: an external body that processes personal data solely for and on behalf of a company and in accordance with that company's instructions, and that may not use the personal data for its own purposes. Common examples are outsourced payroll processing and hosting. The new guidelines contain a list of subjects that must in any event be provided for in the processing agreement (the agreement between the company and the processor regarding the processing of personal data).
According to the CBP, the highest level of security is, as a general rule, achieved by organising information security in accordance with generally accepted security standards such as the Code of Practice for Information Security Management (Code voor Informatiebeveiliging, NEN-ISO/IEC 27002:2007.nl), to which the new guidelines frequently refer. For the development and management of web applications, for example, the National Cyber Security Centre security guidelines for web applications can be used as the point of departure.
The guidelines address the following in particular:
1. The "Plan-Do-Check-Act" cycle
2. Recommended security measures
3. Checks regarding security measures
4. The list of subjects that must in any event be provided for in a processing agreement.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.