With its own Personal Data Protection Act launched in 2016, The Netherlands is a pioneer when it comes to legislating around data protection, a popular topic as the General Data Protection Regulation (GDPR) comes into effect in only a month. Heightened by the Cambridge Analytica scandal, which has drawn attention to how Facebook uses user data, and by the overall technological progress of the past few years, data protection is a key element of conducting business today.
In this article we’ll look at how data is collected, managed and secured by different entities, and at how businesses can improve their data security to protect themselves from cybercrime.
Data protection regulation in The Netherlands
The Dutch notification duty was an impressive step for data security in Europe. Anticipating the GDPR, this act requires any data controller to report to the Dutch Data Protection Authority any breach of required security measures that could have severe negative consequences for the protection of personal data. Data controllers are also required to notify affected individuals if the personal data breach is likely to adversely affect them, unless the compromised data is encrypted or otherwise unintelligible to third parties, and to record all information concerning the breach.
While this act is set to be replaced by the incoming EU legislation, the GDPR, there are lessons to be learned from the Dutch experience. Enforcing this notification obligation has given the Dutch government and companies hands-on experience and insight. In nationwide market research by Pb7 Research, commissioned by security supplier Kaspersky Lab, around 300 medium-sized and large organisations in multiple sectors were surveyed. The results showed that a large portion of Dutch companies and institutions have not reported an applicable data breach to the authorities, either not at all or not within the timeframe dictated by the notification obligation. According to the report, this is the case for 41% of organisations in the Netherlands.
In May 2018 the GDPR will supersede national legislation such as the Dutch notification duty, imposing even stricter requirements and sanctions. In The Netherlands, the GDPR will come into effect as the Algemene Verordening Gegevensbescherming, or AVG. Large tech companies based here that rely on customer data, such as Uber, Facebook and Apple, will have to comply with it along with everyone else.
The AVG is designed to make these privacy guidelines easier to implement by driving consistent policies across countries. But although The Netherlands is ahead of the curve on many issues, a privacy governance report by PwC reviewed 350 companies in the country and found that only about 12% were adequately prepared for the new law last year. In late November 2017, another report showed that 80% of companies were still not compliant with the new law.
Dutch smart cities
Technological innovation, which makes The Netherlands one of the main change drivers in Europe and no. 3 on the 2017 Global Innovation Index (GII), has given rise to the renowned “Dutch smart cities”. Eindhoven, for example, has one of the “smartest” streets in the EU. On Stratumseind, lamp-posts have been fitted with wifi trackers, cameras and 64 microphones that can detect aggressive behaviour and alert police officers to altercations. There was even an experiment that changed light intensity to alter people’s mood. All this is made possible by the collection and storage of data. Further east, in Enschede, city traffic sensors pick up a phone’s wifi signal even if it is not connected to the wifi network. The trackers register the MAC address, the unique network card number in a smartphone, to find out how often people visit Enschede and what their routes and preferred spots are. Built on the Internet of Things, these applications are designed to manage assets and resources efficiently.
According to Maša Galic, a researcher on privacy in the public space at the Tilburg Institute of Law, Technology and Society, since the data on Stratumseind, for example, is used to profile or actively target people, the “smart city” experiment is subject to data protection law. This means that people should be notified of data collection in advance and that the purpose should be clearly specified; however, this is not the case. The project manager in charge claims that the data is about crowds, not individuals.
Data is collected for the purpose of technological innovation and infrastructure improvements. In Silicon Valley they call it “permissionless innovation”, a concept based on the idea that technological progress should not be stifled by public regulation. This would entitle the local administration to be secretive about what data is collected in a public space and what it is used for. The issue at hand is that municipalities are using private companies to collect, manage and store data. In many cases the cities themselves cannot answer every question about how the data is being managed and what it is being used for.
Once the GDPR comes into effect, any data used to analyse and optimise the use of services in these smart cities will need to be completely anonymous and encrypted. The regulation asks for pseudonymisation (a term used 14 times in the law) before any processing of personal data can occur. According to Jorge Ortega, a lawyer from Barcelona specialising in data protection:
“City councils are responsible for all data collected by all IoT devices in public spaces, and the use of that data. If a light sensor detects the movement of cars entering or leaving a parking garage, and therefore the movement of its residents, their privacy needs to be protected by default.”
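To make the pseudonymisation requirement concrete for the wifi-tracker case above, here is an added example (not code from the article or from any of the cities mentioned) that replaces a sighted MAC address with a keyed hash before the record is stored. The sample sightings, the secret key and the function names are constructed for illustration; the example also shows why a plain, unkeyed hash would not count as pseudonymisation, and how mixing the date into the hash limits linkage to a single day.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample sightings (date, MAC) as a street-side wifi tracker might log them.
# The addresses are made up for this example and do not identify real devices.
SIGHTINGS = [
    ("2018-04-20", "A4:5E:60:11:22:33"),
    ("2018-04-20", "a4-5e-60-11-22-33"),   # same device, different formatting
    ("2018-04-21", "a4:5e:60:11:22:33"),
    ("2018-04-21", "00:1a:2b:44:55:66"),
]

def normalise_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so one device yields one pseudonym."""
    hexdigits = mac.strip().lower().replace("-", "").replace(":", "")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def pseudonymise(mac: str, key: bytes, scope: str = "") -> str:
    """HMAC-SHA256 of the MAC under a secret key, truncated to 64 bits.

    A plain SHA-256 would not do: the 2^48 MAC space (far smaller once the vendor
    prefix is known) can be enumerated, so an unkeyed hash is reversible. With the
    key stored separately from the data, only the key holder can link a pseudonym
    back to a device. `scope` (e.g. the date) is mixed in so that pseudonyms from
    different scopes cannot be linked to each other.
    """
    msg = (scope + "|" + normalise_mac(mac)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def visits_per_pseudonym(sightings, key: bytes, per_day_scope: bool) -> dict:
    """Count distinct sighting days per pseudonym, never storing the MAC itself.

    per_day_scope=False lets the city answer 'how often do people return?';
    per_day_scope=True keeps only same-day linkage (e.g. routes within one visit).
    """
    days = defaultdict(set)
    for date, mac in sightings:
        pid = pseudonymise(mac, key, scope=date if per_day_scope else "")
        days[pid].add(date)
    return {pid: len(seen) for pid, seen in days.items()}

if __name__ == "__main__":
    key = b"constructed-example-key-held-by-the-data-controller"  # use a real secret
    print(visits_per_pseudonym(SIGHTINGS, key, per_day_scope=False))  # one id: 2 days, one id: 1 day
    print(visits_per_pseudonym(SIGHTINGS, key, per_day_scope=True))   # three ids, 1 day each
```

Which of the two modes is acceptable depends on the stated purpose: counting return visits needs the cross-day pseudonym, while route analysis within a single visit does not, and the key itself should never be held by the tracker vendor.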
At the moment, it is believed that around 80% of small and medium-sized enterprises (SMEs) in the Netherlands do not comply with the rules of the GDPR, which will be strictly audited by the Dutch privacy watchdog, the AP. Although this is a large percentage, research by Capgemini and insurance company Interpolis shows that many entrepreneurs in the country score well in the areas of physical security, access to the corporate network and security of the website.
As with most companies, the urgency of cyber security is usually not recognised until an incident occurs. Meanwhile, the number of SME victims of cyber crime is quite high, according to the baseline measurement by the cyber security in SMEs research group at The Hague University of Applied Sciences.
The Hague University’s baseline measurement shows that organisations are mostly affected by malware (30%) and phishing (10%). Malware, short for malicious software, refers to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other intentionally harmful programs. Phishing is the act of sending a communication to a user that falsely claims to come from an established legitimate business, in an attempt to trick the user into surrendering private information that will be used for identity theft. A company can easily fall victim to a cyberattack if its employees fall victim to malware or phishing and there are not enough security protections in place.
The most common mistakes that companies make when it comes to data protection include:
- Lack of an Information Security Plan
- Only viewing data security as an IT issue
- Relying on firewalls, antivirus and anti-malware software without updating them
- Inadequate training of employees and other users of data
- Not knowing where data is
- Lack of knowledge into various encryption types
- Business plans that lack security
- Transferring unencrypted and encrypted data
- Poor password control - only having one solution
- Assuming that employees care about security
- Forgetting about social engineering
Most of these can be neutralised by periodically changing passwords, keeping software up to date and training staff to recognise and avoid suspicious attachments. Using security tools such as password managers and two-factor authentication, or hiring professional cyber security firms, is the next step in ensuring data protection.
To help minimise the cybercrime threat, the Dutch government is setting up the Digital Trust Centre (DTC) this year, through which it works with entrepreneurs on digital security.
“With the establishment of a Digital Trust Center in 2018, the government meets the desire of companies to help them with up-to-date information about risks and advice on digital security.”
Henk Kamp, former minister of economic affairs
Following the adoption of the National Cybersecurity Strategy (NCSS) in 2011, a new cybersecurity law is to be implemented by the Dutch government, as a result of an EU decision requiring all member states to adhere to the NIS Directive (Directive on Security of Network and Information Systems) before 9 May 2018.