Protect Your Customer Data Sufficiently
This is the message that Jacob Kohnstamm, the president of the
Dutch Data Protection Authority (the "Dutch DPA"),
delivered on 8 August 2009. Kohnstamm announced that the Dutch DPA
is going to tighten the rules for the security of customer data. To
be more precise, the Dutch DPA will give further substance to the
obligation to secure data set out in Article 13 of the Dutch Data
Protection Act (Wet bescherming persoonsgegevens
("Wbp")) with regard to the processing of customer
data.
Once the new security measures have been published, the
Dutch DPA will take up its position. Businesses will then be given
some time to implement the security measures. If, in the opinion of
the Dutch DPA, they do not sufficiently secure their customer data,
these businesses may expect the privacy watchdog to bare its
teeth. In the words of Mr. Kohnstamm, the Dutch DPA even threatens
to impose 'heavy penalties'.
The obligation to provide security
The Dutch Data Protection Act imposes an 'open' standard
concerning the security of personal data. Article 13 requires
businesses to 'implement appropriate technical and
organizational security measures' to secure personal data
against loss or against any form of unlawful processing. Such
unlawful forms of processing include the impairment of data and
the unauthorized acquisition, alteration or provision of data. The
implementation of the concrete security measures must take into
account the 'state of the art' and the 'costs of
implementation'. The technical and organizational measures to
secure personal data that are eventually taken must guarantee
'an adequate level of protection' having regard to the
'risks associated with the processing' and the 'nature
of the data to be protected'. Are you able to determine on the
basis of these abstract terms which security measures you have to
implement in practice?
The predecessor of the Dutch DPA, the Registratiekamer,
had previously given further substance to the open standard of
Article 13 of the Wbp. In the Registratiekamer's 1994 advice
'Security of Registration of Persons', and in its 1999
advice 'CUSTOMER ALWAYS RIGHT, the use of customer
data for marketing purposes', Article 13 of the Wbp was already
given further substance. These two advices show that it is
possible to distinguish various levels of security. For most
customer bases in which personal data are recorded for marketing
purposes, the 'basic level' of security will be sufficient.
In a later advice from 2001, the Registratiekamer described new
ideas about securing personal data and gave security guidelines.
However, this advice too is not a concrete tool but only provides
guidelines, so that the corporate sector is still left
empty-handed.
The Dutch DPA now wants to change this situation by publishing a
report containing concrete security measures applicable to the
security of customer data. This report will be the guideline for
how businesses secure customer data. Please note that this
document will not be voluntary, but mandatory in nature. What will
happen if businesses do not implement the security measures? Then
the privacy watchdog will bare its teeth…
The power to impose a penalty
In August 2007 the Dutch DPA had already announced that, as a privacy
watchdog, it would begin to bare its teeth more and more. The Dutch DPA
does not intend to leave it at barking, but wants to start biting
businesses. Kohnstamm informed the corporate sector that businesses
that fail to implement the necessary security measures after the
obligation to secure data has been tightened will 'easily'
have penalties imposed on them. According to Kohnstamm, such penalties
may run up to 'millions' of Euros.
However, the Personal Data Protection Act grants the Dutch DPA no
such power to impose a penalty. Nevertheless, Kohnstamm
stated that he wishes to use the tool of the 'order for
incremental penalty payments' to hit businesses. After all, the
Dutch DPA may compel a business that does not comply with the rules
of the Wbp to take measures. In practice this would mean that the
Dutch DPA would compel a business that does not comply with the
security obligation to implement the required security measures
after all. If the business has not done so within the term set, it
will forfeit incremental penalty payments, unless the court in
preliminary relief proceedings suspends the order for such
penalty payments. The level of the penalty payments will always
depend on the turnover of the business and the seriousness of the
'offense'.
The future
Now we will have to await the publication of the guidelines by the
Dutch DPA. As soon as this happens, we will report on this topic
again.