The Dutch Data Protection Authority (CBP) has published new guidelines on data protection and implementation of data security principles, which replace the previous guidance from 2001. The guidelines seek to provide practical advice on how data controllers and processors can ensure compliance with the Dutch Data Protection Act (Wet bescherming persoonsgegevens).

The new guidelines include a theoretical outline of the Dutch data protection regime, and practical instructions on how to implement it. For example, the document suggests that Dutch companies should deploy security measures, such as access control, logging, incident response management, confidentiality agreements and encryption.

The new guidance differs from the 2001 version in that it does not include mechanisms for assessing the sensitivity of data processing that had been included in the prior guidance, which would have aided controllers in determining what measures should be implemented in specific situations.

The guidance has been released just as a new Bill on data security is scheduled to be introduced to the Dutch Parliament some time in April; it includes a breach notification obligation and a maximum fine of €200,000 for non-compliance.