Dutch data protection authority raises expectations for GDPR compliance practices

In these letters, the Dutch DPA has asked the municipality of Eindhoven and the province of South-Holland to improve their compliance framework under the General Data Protection Regulation (GDPR), bringing it up to the so-called 'level 3 maturity', which means having a policy framework in place.

Data law expert Andre Walter of Pinsent Masons said that the latest development shows that the Dutch DPA is raising expectations for GDPR compliance maturity and organisations need to plan for the establishment of a documented GDPR policy framework.

“In recent warning letters, the Dutch DPA ordered organisations to bring their GDPR compliance practices to a 'level 3' state, which includes having a set of policy documents covering all GDPR principles and other relevant aspects, including but not limited to transparency, training, data breach handling, responding to data subject rights requests, data sharing and transfer, data retention,” said Walter.

The definitions of the maturity levels referred to by the Dutch authority are those set out by the Centre for Information Security and Privacy Protection (CIP) to indicate how mature an organisation is when it comes to safeguarding information privacy. Previously, the authority had been silent on the topic of maturity.

According to CIP’s privacy maturity model, 'level 2” is described as “reactive” and highly dependent on individuals, and 'level 3' refers to having organisation-wide policies that are applicable independently of the compliance individual.

The letters have made it clear that just having a data protection officer (DPO) to oversee GDPR compliance would be 'level 2', while also having a documented GDPR compliance framework would increase maturity to 'level 3'.   

“Growing to a higher level of maturity is a dynamic process. Appropriate governance, risk and compliance tools help to translate strategic objectives into tangible organisational responsibilities and to make achievements and overall progress measurable and transparent,” said Robert-Jan de Vries of TrustBound, an online software provider for information security and privacy. He added that those tools also enable the DPOs to progressively strengthen their position as an overseer and allow them to demonstrate the effectiveness of privacy activities.