Contributed By Vondst Advocaten N.V.
The GDPR, Implementation Act and Wbni do not provide for affirmative security requirements, such as certification or external audits.
In general, Member States, the supervisory authorities, the EDPB and the European Commission must encourage the establishment of voluntary data protection certification mechanisms and of data protection seals and marks, to demonstrate that processing operations comply with the GDPR and that appropriate safeguards exist in the context of data transfers (Article 42 of the GDPR). There are as yet no GDPR certification bodies accredited in the Netherlands. Applications for accreditation should be submitted to the Dutch Council for Accreditation (‘Raad voor Accreditatie’) (RvA), which is appointed as the accreditation body (within the meaning of Article 43 of the GDPR, pursuant to Article 21 of the Implementation Act).
Member States, supervisory authorities, the EDPB and the European Commission must encourage the drawing up of codes of conduct for the purpose of specifying the application of the GDPR (Article 40). The AP has published requirements that submitted codes of conduct must comply with on its website. The EDPB is expected to provide further guidance on codes of conduct under the GDPR.
Furthermore, Article 30 of the GDPR requires parties to implement adequate technical and organisational measures, such as a process for regularly testing, assessing and evaluating the effectiveness of the measures implemented and the ability to ensure confidentiality, integrity, availability and resilience of processing systems and services.
Under the former Data Protection Act, the AP provided guidance on adequate security measures that is still relevant in daily practice, such as its 2017 guidance on patient data in the cloud and its 2013 policy guidelines on data security on the internet. In the latter guideline, the AP encourages controllers to pay close attention to security and to implement a ‘plan-do-check-act’ cycle. Guidance can also be derived from the AP’s 2007 guidance document ‘Publication of personal data on the Internet’.
The security of network and information systems of operators of essential services and digital service providers is primarily governed by the NIS Directive, which has been implemented in the Wbni.
Articles 14 and 16 of the NIS Directive do not prescribe specific technical and organisational measures to be taken to secure network and information systems. Operators of essential services and digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems that they use, and to prevent and minimise the impact of incidents. What is appropriate and proportionate depends on the state of the art and the risk posed. These requirements are implemented in Articles 7 and 8 of the Wbni.
Sector-specific legislation contains further security requirements.
ENISA and the NCSC regularly publish analyses and recommendations relating to critical networks and systems.