7 December 2015

Penalty powers of DPA: what to expect?

Over the past few years, we have observed privacy compliance becoming a boardroom issue in the Netherlands. Enforcement – albeit without serious penalties – was a significant risk and reputational damage could be high. But the legal stakes will be even higher next year when the Dutch Data Protection Authority (DPA) will be able to impose penalties of hundreds of thousands of euros. What should organisations expect and how can they prepare themselves?

What do the new penalty powers of the Dutch DPA mean for organisations?

From 1 January 2016, the DPA will be able to impose financial penalties up to a maximum of EUR 820,000 per violation or – if deemed insufficient – up to 10% of the worldwide annual turnover of a company. The DPA will, however, first have to issue a binding instruction (bindende aanwijzing) to an organisation. It can impose a penalty only if the organisation does not comply with such an instruction. There is one important exception: if the violation was intentional or is the result of seriously culpable negligence (ernstig verwijtbare nalatigheid), the DPA can impose a penalty immediately.

So what can organisations do to prepare themselves?

There are at least two steps that can be taken:

  1. Raise awareness within the organisation. In our experience, privacy is already high on the agenda in most departments of an organisation. Nevertheless, the risk of monetary liability ups the ante considerably. So it is important to ensure that relevant people within the organisation are aware of the upcoming changes.
  2. Verify compliance. Compliance starts with mapping data flows, identifying and prioritising data protection risks, and taking measures where necessary. As prior privacy compliance reviews may have been based on a different risk assessment, it is highly recommended to check whether these need to be reviewed in the light of the increased liabilities. And if you’ve never performed such a review, the upcoming penalty powers are an additional reason to start this exercise without delay.

Interested? Read more about our privacy compliance solutions.