Contributed By Vondst Advocaten N.V.
There is no statutory requirement under Dutch law to implement a written information security plan or programme, an incident response plan, or an insider threat programme. Nor is there a statutory requirement to appoint a chief information security officer (or equivalent), to involve the board of directors in privacy-related matters, to conduct vulnerability scanning or penetration tests, to perform vendor and service provider due diligence, or to provide training on handling personal data. Nevertheless, it is best practice in the Netherlands to do all of these. For example, a written information security plan, vulnerability scanning and penetration tests could form part of the appropriate technical and organisational security measures required by the GDPR and, where applicable, the Wbni or other sector-specific laws and regulations. An incident response plan in turn helps an organisation meet the data breach and cyber-security notification deadlines under Dutch and EU law.
The GDPR does, however, require controllers to conduct a DPIA for certain types of processing operations. Guidance on this point is provided in the 2017 Article 29 Working Party guidelines on DPIAs and on determining whether processing is "likely to result in a high risk" for the purposes of the GDPR (WP 248), which the EDPB has endorsed. Moreover, the GDPR requires certain categories of controllers and processors to appoint a DPO.