Privacy and Security Investigations

The coming into force of legislation on the protection of personal data leads to a shift of control over personal data from the controller (the companies and institutions) to the data subject (the individual). This shift in direction is fundamental in nature and structural for data processing architectures and operational systems.

These investigations are aimed at determining the resilience of the controller or the processor when supervisory authorities start exercising supervision and data subjects exercise their rights. The time frame that is monitored or rights are exercised may be back in time.

What is our approach?

The Data Protection Officer (DPO) and or the compliance officer can opt for inventory investigations or targeted thematic investigations. The results give cause to reconsider the compliance activities and/or to advise the controller to take appropriate measures aimed at limiting liability and cost risks in the field of data protection.

  • Research frameworks: we can set up and carry out these studies on the basis of NOREA standards frameworks, for example the privacy control frameworks for privacy and security. It should be borne in mind, however, that the supervisory arrangement of the supervisors is developing rapidly and that the parties involved exercise their rights from their perspective.
  • Integral compliance approach: within the integral compliance approach of an organization, the protection of personal data as referred to in the law and agreed in agreements has a place. The supervisors and the data subjects exercise rights from their perspective.
  • Supervision arrangement: the Dutch Data Protection Authority (AP) has a very powerful supervision arrangement, reporting data breaches within 72 hours. For 72 hours, the management and security measures of the administrative organization and internal control aimed at protecting personal data as referred to in the law, agreements made and indicated in policy objectives have demonstrably worked effectively.

Plan of action

The investigation can be in the nature of an audit at a certain maturity level (assurance investigation) or internal control to test the effective functioning of the management and security measures taken to protect personal data (compliance investigation). Both types of investigations can be supported with smart compliance.

More information

Do you have any questions or do you need an appointment? Feel free to contact us on +31 0 (70) 392 22 09 or