Master Thesis Information Management
Rick Swinkels
291281
31 July 2017
EU GENERAL DATA PROTECTION REGULATION COMPLIANCE
a case study focused on Dutch housing associations

Master’s Thesis

CoC reader: Dr. X. Ou
Dr. J. Hulstijn
Company supervisor:

31 July 2017
Management Summary

The introduction of the new legislation to protect the personal data of individuals affects all organizations within the EU, including Dutch housing associations (DHAs). The General Data Protection Regulation (GDPR) will come into effect in less than a year. Organizations must achieve compliance to prevent data breaches and avoid severe sanctions from the supervisory authority. The aim of this research is to determine what is required from organizations to protect personal data in order to achieve compliance, within the context of the Dutch housing association industry.

Based on the literature review, the GDPR is analyzed and compared with the current data protection legislation. The obligations are identified in order to determine the data protection controls required to satisfy them. Appropriate implementation of data protection controls is crucial. Controls must be implemented on the three organizational domains of information security management: people, process and technology.

Three cases are explored using semi-structured interviews. Validity is maximized by involving one to three respondents per case, with different organizational roles. Identical interview questions and method are applied at each case to maximize the external validity. A cross-case analysis and comparisons between theory and findings have contributed to finding and matching patterns.

The results show that DHAs have implemented the required controls insufficiently to achieve compliance. Traditionally, DHAs are technology- and process-driven, and controls on these domains are implemented most. The human element of information security and data protection has been overlooked for a long time, while people-focused controls are considered the most effective. The results, in combination with the theory, are used to redesign the information security staircase of Merete Hagen et al. (2008), which includes the three control domains. This model prioritizes the control domains, as it suggests that people-focused controls must be the foundation of information security. With respect to the controls, the implementation challenges and motives of the participating DHAs are identified in order to derive best practices for any organization on its road towards compliance.
Preface

This report contains the thesis of my Master in Information Management in Tilburg. I have put my heart and soul into the work, and the number of pages fairly represents the time invested in the writing. The process of writing has been a rollercoaster with ups and downs. Nonetheless, the research I conducted over the last months has been more than interesting. The subject of the thesis is more relevant than ever. The news is flooded with items relating to data breaches, ransomware and phishing attacks. To investigate this topic within the unique industry of DHAs and to feel the necessity of responding accordingly to the GDPR has made the journey of doing research more fascinating.

My master thesis supervisor, dr. Carol Ou, guided me through the process, while challenging me to look at my thesis with a critical eye. Her mentoring skills helped me to keep on track and to take the hardest hurdles. Therefore, I would like to thank her for her time and effort in supervising me in doing my master thesis research.

My internship company, VVA-informatisering, offered me the opportunity to write my master thesis and to explore the field of information security, as this is one of the company’s services offered to DHAs. The combination of doing research and working in the field has strongly contributed to gaining knowledge about the subject. The expert knowledge of my company supervisor, drs. Martijn Videler, helped me to determine the direction and to scope my research. His perspective on the subject and experience within the industry have inspired me. My colleague, Allard Dolron MSc, also contributed significantly to the quality of my research with his expert knowledge concerning data protection legislation. Therefore, I would like to thank Martijn and Allard for guiding me. I want to thank all other colleagues for their willingness to help.

Finally, I want to thank all my interview respondents for their openness and for having discussions with me about a delicate issue. Without the contribution of all of you, I would not have been able to finish this master thesis.

Rick Swinkels
Tilburg, July 31st, 2017
Table of contents

MANAGEMENT SUMMARY 4
PREFACE 5
1. INTRODUCTION 8
2. LITERATURE STUDY 15
2.6.1 ETHICAL REASONING 39
2.6.2 COST-BENEFITS ANALYSIS 39
2.6.3 AUTHORITY ENFORCEMENT 40
2.6.4 INTERPRETATION OF THE LEGISLATIVE TEXTS 40
2.7 LITERATURE REVIEW SUMMARY 40
3. RESEARCH METHOD 42
4. RESULTS 46
5. DISCUSSION 64
6. CONCLUSION 71
7. BIBLIOGRAPHY 76
1. Introduction

Housing associations in the Netherlands will be, like any other sector or industry, confronted with new legislation for privacy and information security. On 15 December 2015, the European Commission, Parliament and Council reached agreement on the new data protection regulation, the General Data Protection Regulation (GDPR). The new regulation replaces the 20-year-old EU Data Protection Directive 95/46/EC as well as its Dutch implementation. The Directive was introduced in a period in which only one percent of European citizens used the internet and large-scale data collection hardly existed. The European Commission believed that the time had come for new and binding data protection legislation. A directive sets out a result that all EU countries must achieve but leaves the choice of form and method to each Member State, whereas a regulation is a binding legislative act that applies directly in every Member State. Over the past 20 years, the Member States within the EU have implemented the Directive in different ways, which means that many national versions of the Directive have been in place since then. One of these versions is the Dutch Data Protection Act, also known as the Wet Bescherming Persoonsgegevens (Wbp). The Dutch version differs from the Directive, as it is a binding national act. The GDPR will apply directly to all 28 EU Member States to harmonize data protection for individuals within the EU. The Council adopted the GDPR on 8 April 2016 and the Regulation will come into effect on 25 May 2018.

With less than a year left until the implementation date, Dutch organizations still have a long way to go. A recently published article from PwC reported that only 11 percent of the participating organizations are considered ready for the new data protection regulation. One of PwC’s competitors, BDO, states that the housing association industry in the Netherlands is at risk concerning data protection, resulting in threatening situations for the privacy of tenants. Only a third of the associations’ boards of directors have an interest in information security and data or privacy protection, only 24 percent have implemented a security policy, and only 17 percent of the organizations have offered internal training to enhance security awareness amongst staff members, which may bring potential privacy, organizational and compliance risks.
The GDPR introduces a substantial number of new rules and severe penalties for organizations that are non-compliant or suffer data breaches. In comparison to the Wbp, the new privacy regulation saddles organizations with additional obligations related to the processing of personal data, and fines may rise up to 20 million euro (or 4 percent of annual worldwide turnover, whichever is higher). The major change that comes with the new legislation is not so much the increased number of rules; rather, the Regulation now forces organizations to actually act on the rules in practice. Dutch housing associations, hereinafter referred to as DHAs, must take action in the immediate future for timely compliance. This research study will focus on the current state of compliance of DHAs and their road ahead towards 25 May 2018.

Currently, the Regulation is a subject that is vividly debated among academics, researchers, lawyers and auditors. Two schools emerge from the data protection research landscape. The first school represents the juridical perspective. This school attempts to determine the impact of the Regulation in terms of effectiveness: does it protect personal data and does it contribute to better privacy for people? The school is divided into two camps, consisting of opponents and proponents. De Hert and Papakonstantinou (2012, 2016) are satisfied with the Regulation. They conclude that the release of the Regulation will protect the personal data of individuals. The choice of the legal instrument, a regulation instead of a directive, has been well received. Some newly introduced principles are future-oriented, for instance the right to be forgotten and privacy by design, which contribute to EU data protection (De Hert & Papakonstantinou, 2016). A counterargument comes from Bert-Jaap Koops (2014), as he argues that the Regulation will not achieve better data protection, due to an enormous disconnection between the law and reality. The GDPR has three new objectives, coming on top of the original Directive objectives. The GDPR pursues to:

• Give individuals more control over their data
• Simplify the law by eliminating administrative burden and unnecessary costs
• Establish a comprehensive data protection framework
Koops (2014) concludes that the three objectives are based on fallacies. The Regulation will not offer individuals control over their own data, nor does it simplify the law. The increased number of obligations causes problems for organizations to deal with. The increased complexity means more paperwork and higher costs. Moreover, more law does not result in desired behavior and can be contradictory. According to Koops, the Regulation desperately tries to cover all the topics of the Directive plus new principles in one statutory law. Peter Traung (2012) supports Koops’ opinion, as he argues that the proposed GDPR will not achieve its objectives. The legislation fails to provide clear rules and simplification. It only adds administrative burden to organizations.
The second school emerges from a mechanical perspective. This school approaches the Regulation as a given fact. Researchers who support this school do not doubt the legislation nor the feasibility of its objectives. They start working with the legislation by interpreting and applying the provisions. They believe that the law will be effective as long as the required controls are implemented adequately. However, the Regulation has open norms and does not provide guidance on how to apply the objectives in practice. The legal interpretation and translation to practice is what is discussed by the researchers of the second school.

A legal interpretation is needed when legislation is based on principles and when there is reasonable uncertainty or disagreement about meaning and implementation (Lyons, 1999). This is also known as the open texture of language and law, according to Hart (1961). Rule-based regulatory systems prescribe in detail what is obligated and permitted, and are unambiguous (Burgemeestre et al., 2009). However, the Regulation is principle-based, as its norms only point in a certain direction. How principles must be interpreted and applied depends on the context. The first step to adopt the principles is to identify control objectives and control measures as implementation rules (Burgemeestre et al., 2009). This can be achieved by having regulatory conversations, which are interactions that occur between all those involved in the regulatory space (Black, 2002). The regulatory conversations can be considered as a process of social negotiation to reach consensus about what counts as acceptable. This process is called norm emergence by Burgemeestre et al. (2009). The Dutch housing trade association Aedes has negotiated with managers, IT specialists, consultants and the Dutch data protection authority, the Autoriteit Persoonsgegevens. Based on these conversations, Aedes has attempted to translate the Regulation’s principles into
comprehensible guidelines for the housing association context: the Aedes-handreiking Gegevensbescherming (2016).

Although the schools rely on different approaches, the two are mutually dependent. The first school tends to pass judgment on the Regulation based on the practical knowledge that emerges from the control implementations by the second school. On the other hand, the second school depends on the first school’s appeals and the jurisprudential results that may follow. Although both schools hold different perspectives, they are complementary and jointly contribute to an organization’s compliance process.

For many industries, and no less for the Dutch housing associations, there is a lack of knowledge and experience regarding the implementation of the Regulation’s requirements into the organization. To what extent the associations comply with the GDPR’s requirements, and the reasons why they do or do not, is still unclear, while answers to these questions offer insights into the Regulation’s feasibility and effectiveness.

The GDPR forces Dutch housing associations to implement controls to protect the personal data of individuals. For many industries, and no less for the Dutch housing associations, there is a lack of knowledge regarding the implementation of such data protection controls into the organizations. Recent studies demonstrated that a significant number of the housing associations do not meet the Wbp requirements, while the GDPR is even more comprehensive and complex. Therefore, the question arises whether the DHAs are ready for the GDPR. In less than 10 months the Regulation comes into effect, meaning that organizations have only a short term to set the course towards compliance. Housing associations process personal data of tenants on a daily basis and the amount of personal data DHAs possess is substantial, varying from name and address details to sensitive medical data. The information management of DHAs is getting more complex, while the GDPR imposes new obligations on organizations regarding data protection. DHAs have to respond to the new obligations with appropriate controls to prevent data breaches, which potentially harm individuals and cause reputational damage.
1.4 Research objectives

This research study focuses mainly on the practical perspective of the second school. The research aims to explain the GDPR in terms of principles, objectives and obligations in comparison with the Wbp. In addition, whether and how controls to protect personal data are implemented by DHAs, including the challenges and motives regarding the implementation, provides new views and findings relevant for other organizations. The research results may contribute to the scientific knowledge in the data protection and privacy discipline and may offer practices to DHAs or other organizations on their road towards GDPR compliance.

The research question follows from the problem statement and research objectives. In order to gather knowledge and practical insights about the GDPR obligations and the process of control implementation within the Dutch housing association industry, the following main research question is formulated:

“How should Dutch housing associations respond to the General Data Protection Regulation?”

The sub questions contribute to the answer to the main research question. The sub questions encompass four elements, whose answers result from the literature review or the case study. The following four sub questions are formulated:

1. What are the differences between the Wbp and GDPR in terms of principles, objectives and obligations to data controllers and processors?
2. What data protection controls are required to enable GDPR compliance?
3. To what extent are the required controls implemented by the housing associations?
4. What are the implementation challenges and motives?
1.6 Research method

The research consists of two components: a literature review and a case study. A literature review is conducted to find relevant literature and theories regarding information security, data protection, security awareness, and current and new data protection legislation. The first and second sub questions are answered based on the literature review. The case study results provide the answers to the third and fourth questions. The case study involves three housing associations. An identical method is used for each case to gather in-depth information regarding their response to the GDPR in terms of the implementation of controls.

1.7 Demarcations

Organizations have limited time left to take the necessary measures to deal with the GDPR. This research attempts to address the required controls and the implementation challenges and motives of the Regulation with which DHAs have to deal. The results of the research may be used as practices for DHAs to implement data protection controls and meet the GDPR obligations, in order to take steps towards compliance.

In a theoretical sense, this research is relevant in two ways. First, a comprehensive review of the GDPR, in comparison with the Wbp, contributes to the understanding of the legislation by organizations and DHAs in particular. Second, the research is theoretically relevant because no empirical research on the GDPR within the context of DHAs has been conducted. The case study findings provide in-depth knowledge about data protection control implementation, challenges and motives that might be generalizable to other organizations or industries. The outcomes of the research can also be used to determine the Regulation’s feasibility and effectiveness in a broader sense. This research combines theoretical and empirical research to contribute to the knowledge gathering regarding information security, data protection and compliance.

FIGURE 1: THESIS STRUCTURE
2. Literature study

This chapter contains a review of the literature with regard to data protection. Paragraph 2.1 starts with a brief overview of the context of the Dutch housing association industry. Paragraph 2.2 covers the concept of information security and its relationship with data protection legislation. The chapter continues in paragraph 2.3 with a comparison between the GDPR and the Wbp, including definitions, principles and objectives. Paragraph 2.6 identifies the new GDPR obligations and paragraph 2.7 identifies the data protection controls. The chapter ends with the discussion of four motives for control implementation in paragraph 2.8.

Housing associations in the Netherlands are unique as they are positioned between the public and private sector (Veenstra, Allers, & Koolma, 2013). In the 19th century the first DHAs were established as voluntary, non-profit housing providers of two different types: associations for private interests arising from a common need, and associations for public interests. The Housing Act of 1901 turned the DHAs into publicly authorized institutions, enabling the associations to receive financial support from the central government as long as they served the public interest (Ouwehands & van Daalen, 2017; Priemus, 2003). In the second half of the 20th century the subsidies were cut, which resulted in financially independent DHAs. However, the government still supports the associations by providing low-interest loans (Veenstra et al., 2013). Nowadays, there are approximately 363 housing associations in the Netherlands. Together they own 2.4 million rentable housing units, which is the most common way to express the size of DHAs. DHAs strongly differ in size, varying from 50 to 80,000 units, with an average of 6,600 units (Rijksoverheid, 2014). The primary target group of DHAs are households with incomes below 35,000 euro. Although DHAs perform a variety of business processes, the administrative organization of the majority of DHAs is similar. Netwit (2013) has translated the processes into a reference architecture which is widely accepted among associations. Figures 2 and 3 visualize the reference architecture.
FIGURE 2: PRIMARY BUSINESS PROCESSES OF DUTCH HOUSING ASSOCIATIONS (NETWIT, 2013)

FIGURE 3: SUPPORTING PROCESSES (NETWIT, 2013)

DHAs are, to a large extent, information processing organizations. Performing the daily operational management is impossible without the availability of information systems. Within and between each process, information is processed. A substantial part of these information flows contains personal data. The fundamental right of individuals to protection in the personal sphere and to respect for their privacy, together with the protection of business assets, are the prime drivers for the emergence of information security. The objective of information security is to protect the information
systems against threats by implementing a set of controls. Information, in its widest sense, refers to public or private information that may be sensitive or confidential. The most relevant information to protect consists of business secrets and other confidential information, and the personal data of customers and employees. Information security is part of integral risk management to minimize the exposure to risks (Overbeek et al., 2005). Effective information security is built on three pillars:

• People: employees need to be aware of their role, required behavior and skills
• Process: organizational activities, roles, documentation usage and adaptation
• Technology: technical controls within information systems and infrastructure

The three pillars of information security are visualized below in figure 4.

FIGURE 4: THREE PILLARS OF INFORMATION SECURITY (ISO/IEC 27001)

Information security threats come in many varieties, such as software attacks, theft of intellectual property, equipment or information, and identity theft. Threats can be categorized based on the aspects of the CIA triad:

• Confidentiality: protection of information from disclosure or unauthorized access
• Integrity: protection of information from modification by unauthorized parties, to assure accuracy and completeness
• Availability: ensuring accessibility of information when required by authorized parties

2.2.1 Personal data protection

Personal data are a category of the information managed by organizations. Data protection is part of information security, and the three pillars of information security and the CIA triad are also applicable to personal data protection. Moreover, without appropriate information security controls, data cannot be protected. To a large extent, the quality of data protection depends on the information security controls implemented within organizations.
2.2.2 Controls

A risk analysis assists in determining what security controls should be implemented in order to warrant the reliability of the information systems and processes, which requires insight into the effects of controls and the relations between controls. The main risk regarding data protection is data breaches. Criminals might abuse leaked or stolen information through identity theft, which causes harm to individuals. Information security controls contribute to protecting the confidentiality, integrity and availability of information (Overbeek et al., 2005). The controls aim at mitigating the risks and preventing incidents, such as data breaches. Information security controls can be categorized according to their nature and the organizational implementation level:

• Procedural controls
• Technical controls
• Physical controls
• Compliance controls

Procedural controls consist of approved written policies, procedures, standards and guidelines. The procedural controls form the framework for performing day-to-day business operations. They inform people on how to work. Some examples of procedural controls are information security policies and incident response plans. The information security policy functions as the starting point for the selection and implementation of technical and physical controls (Overbeek et al., 2005).

Technical controls are programmed into the organization’s systems and architecture, such as software and data, to monitor and control access to information. Examples of technical controls are login authentication in operating systems, encryption of classified information and network firewalls.

Physical controls consist of hardware or other material equipment that control and monitor the environment and access to the workplace and computing facilities, for instance doors, locks, cameras and alarms.
Compliance controls are provisions to demonstrate compliance with the legislation, such as privacy statements.

To evaluate the effectiveness of the controls, organizations choose to conduct audits. Auditing is used as a safeguard in order to improve and add value to businesses (Vroom & von Solms, 2004). IT audits focus on the security of information systems and involve independent evaluation of an organization’s policies, procedures, standards, measures and practices for safeguarding information against loss, damage, disclosure or unavailability. However, one aspect that auditing does not cover effectively is the behavior of the employee, which is crucial to any organization’s security (Vroom & von Solms, 2004). The behavior of employees is difficult to measure and evaluate.

2.2.3 Information security awareness controls

Research has shown that the human factor is considered the most vulnerable element in information security (Katsikas, 2016). Many data breaches are due to employee negligence or ignorance of security policies (Vroom & von Solms, 2004). To reduce risks and ensure information security, organizations often rely on technical controls. Although this contributes to information security, it is often not enough to eliminate the risk (Bulgurcu et al., 2010). Traditionally, information security is concerned with technological and procedural aspects and less with human aspects. This is also known as the mechanical perspective on information security (Dhillon and Backhouse, 2001). Building robust systems and stipulating policies is essential; however, it is not enough to ensure employees’ compliance. If employees are not keen or are unwilling to follow the security policies, or find ways to bypass technical controls, then these efforts are of no use. Policies may be detailed and crystal clear to employees; however, compliance may still be lacking (Vroom & von Solms, 2004). Employees may decide not to comply with the information security policies for reasons of convenience in their day-to-day routine, as the essence of compliance is not realized (Herath & Rao, 2009). Albrechtsen (2007) argues that the main problem for employees to comply is the lack of motivation and knowledge regarding information security.
Herath & Rao (2009) identify, in their research on security policy compliance, the drivers of favorable employee attitudes towards security policies and compliance intentions. Understanding the severity of a threat affects the employee’s concern regarding security breaches, which has a positive effect on attitudes towards security policies. Also, if employees perceive that their compliance behaviors benefit the organization, then attitudes towards security policies are affected positively. It is critical that top management informs employees about the probability of information security incidents, such as data breaches, and convinces employees that their actions make a difference in protecting information. This will improve employees’ compliance intentions and behavior. In addition, the availability and accessibility of information security policies and security awareness reading materials positively affect intentions to comply with policies. The researchers found that social influence, deterrence and organizational commitment also play a role in employee security behavior. Creating and maintaining a security climate by managers who actively involve employees also improves compliance intentions and behavior. This may be achieved by enhancing the employee’s perception of the likelihood of getting caught if they violate the security policies. However, penalties have a counter effect. Therefore, a detection mechanism is favorable over sanctioning.

Within the context of information security, the four traditional controls address the process and technology pillars. The information security awareness actions act as ‘controls’ that address the people pillar. As such, the different controls can be categorized by the three pillars. Hereinafter, the security awareness actions are referred to as people-focused controls, procedural and compliance controls are referred to as process-based controls, and the technical and physical controls are referred to as technology-based controls. The categorization is visualized in figure 5.
FIGURE 5: INFORMATION SECURITY CONTROLS CATEGORIZED

2.2.4 Assessment and implementation of information security controls

Empirical research by Merete Hagen, Albrechtsen and Hovden (2008) on the implementation and effectiveness of controls clarifies how organizations assess the importance of four main categories of controls: (1) security policies, (2) procedures, (3) tools and methods and (4) awareness creation. The researchers have identified an inverse relationship between the implementation of information security controls and how the effectiveness of the controls is assessed. To illustrate, controls to improve security awareness are assessed to be the most effective of all controls, and the technical-organizational controls are assessed to be the least effective by the participating organizations. Meanwhile, the participating organizations have widely implemented the technical-organizational controls, and security awareness controls are applied much less. Reasons for this can be found in the extent of resource demand. Implementing technical-organizational controls, like formulating security policies, is less resource-demanding compared to security awareness controls, like training and education sessions on a regular basis. Other reasons for the lack of attention to the people-focused controls can be little or no top-management engagement and the traditional positioning of information security in the IT domain, resulting in more technical controls (Merete Hagen et al., 2008). The security awareness controls are considered a logical follow-up to the technology-based and process-based controls. Organizations start to invest in the human aspect after the formal controls have been implemented, which function as the foundation of their information security system. Merete Hagen et al. (2008) conclude that the technical, formal and human controls only have effect when these are built in combination, like a
staircase. The security controls are mutually dependent on each other (Sundt, 2006). A technological foundation for information security must be in place; otherwise the organizational controls would be useless. Organizational (or process-based) controls, in their turn, have no effect if people are not aware of how to apply them in their daily jobs. The information security staircase demonstrates the mutual dependencies between the controls, which is visualized in figure 6.

FIGURE 6: INFORMATION SECURITY STAIRCASE BASED ON MERETE HAGEN ET AL. (2008)
ISO 27001 - ISMS

The ISO 27001 standard can be implemented as a system to manage information security, by providing the requirements for initiating, implementing, maintaining and continually improving the management system. The implementation of an ISMS is a strategic choice for an organization, affected by its objectives, security requirements, applied procedures, and organizational size and structure. The ISO 27001 framework aims at the protection of the confidentiality, integrity and availability (CIA) of information and must be integrated organization-wide to have effect. Therefore, the ISMS must be embedded into all business processes, information systems and controls of an organization. The ISMS requires maintenance, as it is subject to continual change.

ISO 27002 – information security code of practice

ISO 27002 is an information security code of practice, which provides guidance on the controls listed in Annex A of ISO 27001 and attempts to protect the cyber environment of individuals and organizations. The best practice lists security control objectives and recommends a range of specific security controls. ISO 27002, or the Code of practice for information security management, provides best practice recommendations on information security management and the initiation, implementation, maintenance and improvement of the ISMS. Within each section (appendix 1), information security controls and their objectives are defined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. The controls are not merely technology-based; people- and process-based controls are addressed as well.

ISO 27018 – data protection in public clouds code of practice

In 2014 the ISO 27018 code of practice for cloud data protection was introduced. This code consists of specific guidelines, which encompass the same sections as ISO 27002. The guidelines provide detailed control objectives and controls for protecting personal data, mainly addressing technology-based and process-based controls. The controls are in accordance with the privacy principles of the ISO 29100 standard. These privacy principles are, in their turn, in alignment with the GDPR data protection principles.
2.2.6 Relation to data protection

Data protection legislation such as the GDPR aims to protect the personal data of individuals. In information security terms, personal data can be considered critical information that all organizations need to protect. Because of this, data protection and information security are interrelated, and information security standards can therefore be of value to data protection. According to the analysis of Calder (2006), the ISO 27k standards enable organizations to implement appropriate data protection controls that address the legal requirements. A number of the GDPR requirements are similar to or covered by the ISO 27001 sections, ISO 27018 contributes to concretizing the data protection principles and GDPR obligations, and the ISO 29100 principles are based on legislation. In addition, the GDPR refers to implementing 'appropriate' controls for data protection. Without mentioning them explicitly, the Regulation refers to common information security controls that give shape to the appropriateness of controls. The ISO 27k standards, and the ISO 27018 framework in particular, incorporate controls that address GDPR obligations specifically. Therefore, the ISO 27k standards enable organizations to implement appropriate data protection controls that address the legal requirements (Calder, 2006).

The replacement of the Wbp by the GDPR forces organizations to rethink information security management and data protection controls. Although a number of the Wbp requirements are preserved, the major part is redefined or elaborated and new obligations are introduced. The changes affect both data controllers and data processors. To address the casuistry of Dutch housing associations with regard to the Wbp and the GDPR, the trade organization Aedes formulated a guideline in 2016. The guideline contains an overview of the requirements, highlighting several controls, and is used here to outline the differences between the GDPR and the Wbp as they apply to DHAs. This section identifies, in turn, the GDPR principles, objectives and obligations, which are compared with the Wbp. First, the definitions of key concepts are described. Here no comparison is made, since the key concepts are defined similarly in both legislative texts. The section continues with the principles, objectives and new obligations.
2.3.1 Key concept definitions

Four key concepts of the GDPR are defined, retrieved from the legislative text. This gives a concise overview of what the concepts mean and how they are related in general.

2.3.1.1 Personal data and data subject

The Regulation aims to protect the personal data of EU citizens. The Regulation defines personal data in Article 4 as: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." The most common personal data refer to nominative data within private and public IT systems, for instance the public registration number (BSN), names, addresses, health and financial data. Nowadays, the use of certain technology enables profiling and also contacting people regardless of any nominative information. At that point, data processors do not need to know who the person behind such data is in order to identify that person. Costa and Poullet (2012) clarify: "it is enough to know his or her navigation habits through a cookie or an Internet protocol number, or his or her movements through a tag linked with an object in his or her possession. This means that it is possible to process particular, peculiar data about a person without the need to reveal his or her nominative identity." The Commission has acknowledged the importance of broadening the definition of personal data, which is done by referring to 'any information relating to a data subject'. According to the Regulation, data protection is applicable if someone can be distinguished by any identifier. From that perspective, the Regulation is already more protective than the Directive was (Costa & Poullet, 2012).
2.3.1.2 Special personal data

Some personal data can be categorized as special. Such personal data is often sensitive to the person and might harm his or her privacy. The special categories of personal data consist of racial or ethnic origin, religion or philosophical beliefs and political opinions and, in addition, genetic or biometric data and data regarding health or sex life and orientation. These personal data require stricter protection than 'normal' personal data. Organizations may only process special personal data if the data subject has consented or if there are legal obligations. For Dutch housing associations, copies of passports or ID cards are the most common special category personal data they process. The Regulation no longer considers the personal identification number, or burgerservicenummer (BSN), a special category of personal data. However, the sensitivity of the BSN is very high and additional rules are forthcoming. DHAs may also put tenants on 'national black lists' if they demonstrate infringing behavior, place a burden on their surroundings or are a risk to society or groups. The approval of the supervisory authority is required to maintain such black lists. The information, data or backgrounds on these lists about the tenants, including judicial and medical data, are extremely sensitive and must therefore also be considered special categories of personal data (Aedes, 2016).
2.3.1.3 Processing data

Organizations process personal data of their customers, employees or other stakeholders. Processing consists of operations performed upon personal data, such as collecting, recording, structuring, storing, editing, destroying, consulting or using. Processing of personal data is only lawful if the organization has a legal ground. According to the GDPR there are six legal grounds:

• Consent: personal data may be processed when the data subject consents.
• Contractual necessity: personal data may be processed when it is necessary to perform a contract with the data subject.
• Compliance with legal obligations: personal data may be processed when the controller has a legal obligation.
• Vital interest: personal data may be processed when it is necessary to protect the 'vital interest' of the data subject (e.g. life-or-death situations).
• Public interest: personal data may be processed when it is necessary for the performance of tasks carried out by a public authority.
• Legitimate interest: personal data may be processed when the controller has a legitimate interest in processing those data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects.

The most common legal bases for housing associations are consent, contractual necessity, compliance with legal obligations and legitimate interest (Aedes, 2016). Any organization that processes personal data, or data controller, inherently bears the main responsibility for handling the information in line with the Regulation. A data controller is the legal person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data. When the data controller decides to involve a third party for outsourcing activities, a staff member of the third party becomes a processor. A data processor is a legal person or body which processes personal data on behalf of the controller. In this case, the data controller is still responsible for accurate processing, although they delegate responsibility to the third party. Processing by a processor must be governed by a contract or other legal act and is bound to the staff member(s) specifically mentioned in the contract, in order to protect the data subject.
2.3.2 Data protection principles and objectives

The data protection principles form the foundation of the GDPR obligations for organizations. The principles provide the norms for processing activities of personal data. If an organization is not able to satisfy the principles, processing will be unlawful. All data protection principles addressed in the Wbp are also included in the GDPR, namely: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, retention limitation, integrity and confidentiality, and the accountability principle. De Hert and Papakonstantinou (2016) state that the transparency and accountability principles differ significantly from the Wbp principles, since they reinforce the protection of individual rights. First, transparency is formulated as follows by the researchers: "transparency creates a personal data processing environment of trust and enables any interested party to enforce effectively data protection rights and obligations, given that personal data processing is mostly conducted behind closed doors." This means that organizations are forced to inform individuals proactively about all relevant information regarding the processing activities, the implemented security controls and the rights of individuals. Accountability of data controllers and processors was already endorsed in the Wbp, but the GDPR stresses the principle in more detail. Under the GDPR, the controller is obliged to demonstrate that its processing activities are compliant with the data protection principles. The accountability principle helps ensure that data controllers put in place effective policies and mechanisms to ensure data minimization and compliance with data protection rules (Alhadeff et al., 2012). This means that every obligation of the controller should be implemented and, if not, processing will be unlawful (De Hert & Papakonstantinou, 2016). The notification requirement for processing data to the authority will be removed and, therefore, authorities no longer need to record the data being processed, nor make the list of data controllers publicly accessible. The accountability for recording all relevant information regarding data processing moves completely to the data controller, which has been a reason for the Commission to strengthen the accountability principle (De Hert & Papakonstantinou, 2016).

The primary objectives of both the GDPR and the Wbp are 1) protecting individuals against unjustified collection, recording, use and dissemination of personal data, and 2) enabling the free flow of personal data between Member States. The GDPR strengthens the first objective to give citizens back control over their personal data by introducing new rights for individuals, which raises the minimum standards for protecting personal data. A new objective is to simplify the regulatory environment for international businesses by reducing fragmentation and enhancing consistency. This objective is covered well, since the Regulation applies to all organizations doing business within the EU, which also contributes to the second objective.

The Regulation has introduced significant changes to data protection compared with the Wbp. Data controllers and processors are confronted with new obligations. Organizations have to adhere to the obligations in order to comply with the Regulation, and information security controls must be implemented to protect personal data. Non-compliance can lead to potential harm under the GDPR, for both individuals and the organization. Individuals can be confronted with discrimination or identity fraud, while organizations can be disadvantaged economically or socially, in terms of financial loss, reputational damage and loss of confidentiality. The following paragraphs identify the new obligations for data controllers and processors.
2.4.1 Informed consent

The mechanism of consent is a primary principle on which legal acts are constituted. Consent is one of the legal bases for processing personal data. It enables individuals to authorize data controllers to process their personal data (Schermer et al., 2014). The Commission extended the individual consent requirement by redefining it as 'explicit' consent, in order to: "avoid confusing parallelism with 'unambiguous' consent and in order to have one single and consistent definition of consent, ensuring the awareness of the data subject that, and to what, he or she gives consent". Organizations may only collect consent from individuals if it is presented distinguishably, in an intelligible and easily accessible form, using clear language. In addition, the consent must not be unnecessarily disruptive to the use of the provided service. The consent must also be easily withdrawable at any time.
2.4.2 Records of processing activities

In the past, the amount of data processed was calculable and the supervisory authority could monitor the organizations. At that time, organizations were required to notify their data processing activities to the supervisory authority. Due to the enormous increase in data processed, the authorities are no longer able to cope with all the notifications. The GDPR places the accountability and responsibility for data housekeeping with the organizations. Therefore, the notification requirement to the supervisory authority regarding data processing is replaced by the obligation to keep detailed records of processing activities, for both data controllers and processors. This new obligation is at least applicable to organizations with more than 250 employees. However, all organizations that collect data non-occasionally and process special categories of personal data, among which DHAs, are subject to this obligation. The information that must be recorded contains at least the purpose, categories, retention period and recipients. The introduction changes the obligation from an external-facing obligation to an internal obligation to keep records that may be inspected by the authority (Kiss & Szőke, 2015). In addition, all data breaches must be recorded, even if notification to the supervisory authority is not necessary. The data breach notification requirement is another GDPR obligation. However, the requirement was already introduced in 2016 for organizations in the Netherlands by a separate act.
2.4.3 Data protection impact assessment (DPIA)

The Regulation prescribes the execution of a data protection impact assessment (DPIA). A DPIA is used to identify and analyze risks to individuals arising from an organization's use of systems, and to accomplish compliance with the Regulation. The outcomes of the DPIA are used to implement appropriate preventative controls (Bieker et al., 2016). The predecessor of the DPIA is the privacy impact assessment (PIA), which was already covered by the Wbp. The implementation of a DPIA is further embedded and is mandatory when:

1. Processing imposes higher risks to the rights and freedoms of individuals
2. Personal data is used for profiling or automated decision-making
3. Special categories of personal data are processed on a large scale
4. Publicly accessible areas are systematically monitored on a large scale

The assessment contains at least a general description of the processing activities, an assessment of the risks to individuals, the security controls, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation. The outcomes of the DPIA can be consulted by the authority for justification.
2.4.4 Data protection by design and by default

Data protection by design and by default is the principle of designing or building systems that take data protection into account and whose default settings enable data protection (Koops & Leenes, 2014). The principles are not new, as they are derived from the privacy by design and by default concept. Although the concepts are already addressed by the Wbp, the GDPR emphasizes their importance by turning the principles into an obligation for data controllers and processors. The GDPR forces data controllers "to implement appropriate technical and organizational measures, which are designed to implement data protection principles, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects." The controls, based on information security, must ensure 'by default' that personal data is protected and data breaches are prevented. The Regulation gives five examples of controls:

• minimizing the processing of personal data
• encryption of personal data if possible
• transparency regarding the processing
• enabling the data subject to monitor the processing
• enabling the controller to create and improve security features
2.4.5 Data protection officer

The appointment of a Data Protection Officer (DPO) by data controllers and processors is another new obligation. A DPO must be appointed by all public authorities, and where the processing operations of the controller require "regular and systematic monitoring of data subjects on a large scale" or where the controller's core activities consist of large-scale processing of special categories of personal data. If an organization does not fall into one of these categories, appointing a DPO is not mandatory, which is currently the case for DHAs. However, considering privacy and data protection good practice, the appointment of a DPO is encouraged (Determann, 2016; Aedes, 2016). The draft version of the GDPR required only organizations with more than 250 employees to appoint a DPO, while in the final version such constraints are dropped. The DPO should be appointed on the basis of professional qualities and expert knowledge of data protection law and practices. The DPO must have an independent position within the organization, to function as an agent between the organization, the supervisory authority and data subjects.
2.4.1 Agreement with data processors

The GDPR, similarly to the Wbp, obliges data controllers to conclude legal agreements with data processors. The GDPR data processor contracts require more detail than before. A controller must only appoint processors if they can demonstrate compliance with the GDPR. The binding written agreement states that the processor must, among other things, only act upon instructions of the controller, ensure confidentiality and implement appropriate controls. Also, data must be returned or destroyed at the end of the agreement.
2.4.2 Extra obligations to data processors

More than under the Wbp, data processors fall within the scope of the GDPR obligations. Data processors must implement controls similar to those of data controllers. To a large extent, the accountability and responsibility for data protection has lain with data controllers. The GDPR requires data processors to comply, and individuals may take direct action and claim damages against these organizations. Before, individuals were only able to exercise their rights at the data controller. In addition, non-compliant processors will be sanctioned in the same way as controllers.
2.4.3 Rights of data subjects

The GDPR lists a set of rights for data subjects. The rights contribute to one of the GDPR objectives, to give citizens back control over their personal data. This is made explicit by offering rights that can be exercised. Rights for individuals are not new. Several rights come from the Wbp, such as the right to access, to rectify and to object. However, the GDPR introduces new rights and updates to existing ones. The first right, the right to be informed, diverges from the others, as it is rather a duty for organizations. This right forces organizations to be transparent about their data processing activities by publishing a privacy statement. This statement must at least communicate what data is processed, for what purpose, and how and when this is done. In addition, the statement must mention the rights of the data subjects and how to exercise them. The privacy statement must be written in clear and understandable language and published in an easily accessible location.

Two other new rights can be exercised by individuals: the right to be forgotten and the right to data portability. The right to be forgotten is a new right for individuals introduced by the Regulation, which grants individuals the right to have their personal information deleted by data controllers if specific listed conditions are met. One of the following grounds has to apply:

• personal data is no longer necessary in relation to the purpose
• the data subject legitimately withdraws consent and there is no other legal ground for processing
• the data subject objects to the processing and there are no overriding legitimate grounds for processing
• personal data have been unlawfully processed
• erasure is obligated for legal compliance
• personal data have been collected in relation to the offer of information society services
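An added example, not from the thesis or the Aedes guideline, that models the minimum register content from section 2.4.2 (purpose, categories, retention period, recipients) and evaluates an erasure request against the grounds listed above; the record attributes beyond those four, the string labels, the reference date and the sample tenant records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Two of the six legal grounds of section 2.3.1.3, as used by the checks below
CONSENT = "consent"
LEGITIMATE_INTEREST = "legitimate_interest"

# Constructed reference date for the retention checks (the thesis date)
TODAY = date(2017, 7, 31)


@dataclass
class ProcessingRecord:
    """One entry in the register of processing activities (section 2.4.2).

    purpose, categories, retention period and recipients are the four fields
    the text names as mandatory; the remaining attributes are assumptions
    added so that the erasure grounds of section 2.4.3 can be evaluated."""
    purpose: str
    categories: list
    retention_days: int
    recipients: list
    legal_basis: str                       # one of the six grounds in 2.3.1.3
    lawful: bool = True                    # False when a review found the processing unlawful
    erasure_required_by_law: bool = False  # a statutory duty to erase applies
    information_society_service: bool = False


@dataclass
class SubjectData:
    """Personal data of one data subject held under a processing record."""
    subject_id: str
    record: ProcessingRecord
    collected_on: date
    consent_withdrawn: bool = False
    objected: bool = False
    overriding_grounds: bool = False       # controller has overriding legitimate grounds


def missing_register_fields(record: ProcessingRecord) -> list:
    """Names of the minimum register fields that are empty or invalid."""
    missing = []
    if not record.purpose.strip():
        missing.append("purpose")
    if not record.categories:
        missing.append("categories")
    if record.retention_days <= 0:
        missing.append("retention_period")
    if not record.recipients:
        missing.append("recipients")
    return missing


def past_retention(item: SubjectData, today: date) -> bool:
    """True once the record's retention period has elapsed."""
    return today > item.collected_on + timedelta(days=item.record.retention_days)


def erasure_ground(item: SubjectData, today: date) -> Optional[str]:
    """Return the first right-to-be-forgotten ground (section 2.4.3) that
    applies to this item, or None if the request cannot be honoured."""
    rec = item.record
    if past_retention(item, today):
        return "no longer necessary in relation to the purpose"
    if item.consent_withdrawn and rec.legal_basis == CONSENT:
        return "consent withdrawn and no other legal ground"
    if item.objected and rec.legal_basis == LEGITIMATE_INTEREST and not item.overriding_grounds:
        return "objection without overriding legitimate grounds"
    if not rec.lawful:
        return "unlawfully processed"
    if rec.erasure_required_by_law:
        return "erasure obligated for legal compliance"
    if rec.information_society_service:
        return "collected for information society services"
    return None


def evaluate_erasure_request(subject_id: str, items: list, today: date) -> dict:
    """Map each purpose under which the subject's data is held to the
    applicable erasure ground (None means the data must be kept for now)."""
    return {i.record.purpose: erasure_ground(i, today)
            for i in items if i.subject_id == subject_id}


def retention_sweep(items: list, today: date) -> list:
    """Subject ids whose data must be blocked or erased because the retention
    period has expired (the 'data retention policies' control of table 1)."""
    return [i.subject_id for i in items if past_retention(i, today)]


# Constructed sample: a housing association's tenancy administration and a newsletter
TENANCY = ProcessingRecord("tenancy administration", ["name", "address", "BSN"],
                           730, ["maintenance contractor"], "contract")
NEWSLETTER = ProcessingRecord("newsletter", ["name", "email"],
                              365, ["mailing service provider"], CONSENT)
SAMPLE = [
    SubjectData("T-001", TENANCY, date(2015, 1, 10)),
    SubjectData("T-002", TENANCY, date(2017, 3, 1)),
    SubjectData("T-002", NEWSLETTER, date(2017, 3, 1), consent_withdrawn=True),
]

if __name__ == "__main__":
    print("past retention:", retention_sweep(SAMPLE, TODAY))
    print("request T-002:", evaluate_erasure_request("T-002", SAMPLE, TODAY))
```

Tenant T-002's tenancy data is kept because the contract still provides a legal ground, while the newsletter data is erased on the consent-withdrawal ground; T-001's data is flagged by the retention sweep alone.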
The right to data portability is an internet-specific new right afforded to individuals in the text of the new Regulation. This right entails that individuals are free to move their personal data from controller to controller. The Regulation states that: "the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided".

A final right of data subjects is the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject. This right cannot be exercised by individuals; similar to the right to be informed, it must be performed by organizations. Profiling is a widely debated topic: data protection proponents highlight its potential risks for individuals within the automated decision-making context, while controllers on the other hand insist that its merits by far outweigh its disadvantages and that in any event it can be brought under strict regulatory controls in order to mitigate risks (De Hert & Papakonstantinou, 2016). By now, the new rules do allow profiling operations to take place, even based on sensitive data, under the general, but not always applicable, condition that special measures for the protection of individuals have also been implemented.

The Aedes guideline (2016) describes the rights of data subjects in practice. Organizations must design a process, if possible transparent to the data subject, for adequate settlement of a request, taking the following steps into account: (1) intake, (2) self-service, (3) collaboration with third parties, (4) identification, (5) complaints procedure.
2.5 Data protection controls

Ensuring data protection and assuring compliance with the Regulation requires the implementation of controls. The implementation of data protection controls assists data controllers and processors in minimizing risks by preventing potential disruption. The GDPR states that data controllers and processors should implement appropriate technical and organizational controls to guarantee a security level in line with the potential risks of the data processing. The 'security of processing' provision of the GDPR emphasizes the necessity of information security for data protection and defines four technical security controls that should be implemented as appropriate: encryption; the ability to ensure the ongoing information security (CIA triad) of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of an incident; and a process for regularly testing, assessing and evaluating the controls. Although four technical security controls are named, the Regulation does not describe their implementation in detail. In addition, people- and process-based controls are not addressed. Organizations must determine which controls are appropriate and how to implement them. According to Calder (2006), the ISO 27001 information security control framework may assist organizations in meeting legal information security and data protection requirements. The ISO standard covers the implementation of technology-based, organization-based and, to a lesser extent, people-focused controls. Little attention is paid to the human element, as the ISO 27001, 27002 and also 27018 frameworks only briefly mention information security awareness education and training. Moreover, little explanation regarding the implementation is provided, and the actions focus merely on security requirements, legal responsibilities, business controls and training in the correct use of log-on procedures and software (ISO, 2013), and less on behavioral change. Therefore, the theory of Herath and Rao (2009) is used to define a more comprehensive set of people-focused controls regarding security awareness actions.

The following paragraphs identify new controls that organizations must implement to become compliant. The obligation or provision each control addresses is also identified. The controls are retrieved from ISO 27001, ISO 27018 and Herath & Rao's theory, divided into process-based, technology-based and people-focused controls, and categorized by their organizational nature (figure 7).
FIGURE 7: INFORMATION SECURITY CONTROLS CATEGORIZED

The people-focused controls consist of a set of security awareness actions. According to the Regulation, one of the DPO's tasks is to create security awareness among employees. This is the only place where the Regulation mentions security awareness. Therefore, there is no explicit relation between the GDPR obligations and security awareness. However, investing in security awareness is a premise for effectively performing data protection and information security (Vroom & Von Solms, 2004; Merete Hagen et al., 2008). To give shape to the people element of data protection, the security awareness actions identified by Herath and Rao (2009) are regarded as people-focused controls. The actions contribute to improving awareness and encouraging compliance behavior of employees, and consist of:

• Increase employees' positive attitude towards policies
• Provide incentives for employees to increase compliance behavior
• Educate employees by strengthening their knowledge and motivation (the 'why' question)
• Train employee skills, competences and belief in self-efficacy (the 'how' question)
• Increase organizational commitment
• Availability of resources (online training, policies, promotion and support mechanisms)
• Express beliefs and desirable behavior by influential superiors
• Enhance the security climate by (top) managers
• Detection mechanisms when security policies are violated (e.g. penalties)
2.5.2 Process-based controls

The process-based controls are divided into procedural and compliance controls. In contrast with the people-focused controls, the process controls are related to several GDPR obligations. The procedural controls consist of approved written policies, procedures, standards and guidelines, which are available to the internal organization for performing processes and activities. Compliance controls are provisions to demonstrate compliance to the supervisory authority. Each process-based control contributes to the achievement of an obligation for organizations. Many of the procedural controls are related to the security of processing, acting as a component of, or condition for, appropriate protective controls. The procedural controls are the formal systems of the organization to protect information and personal data (Merete Hagen et al., 2008). The formal systems are needed to secure the processing activities. The controls to appoint a DPO, to conduct a DPIA and to formulate a procedure for data access requests address the obligations of the same name. Table 1 lists all procedural controls together with the related obligation or provision.

Process-based controls

Procedural control | Related obligation or provision
Appointment of DPO | Data Protection Officer
Process for identifying the need, conducting and documenting DPIAs | Data Protection Impact Assessment
Information security policy and plan | Security of processing provision
Formal procedures to allow personal data to be erased and blocked | Security of processing provision
Incident response plan | Security of processing provision
Individual's data access, rectification or erasure request process and procedure | Right of access by the data subject
Test procedures for security controls | Security of processing provision
Data archiving and destruction procedures | Security of processing provision
Data retention policies | Security of processing provision
Authorization and access policies and lists | Security of processing provision
Business continuity and data recovery plan | Security of processing provision

TABLE 1: PROCEDURAL CONTROLS
The compliance controls aim to demonstrate compliance and transparency towards data subjects. The controls enabling the demonstration of compliance are: recording all relevant information on processing activities, maintaining a data breach register, notifying data breaches to the authority, agreements with data processors, and external audits. Applying consent correctly and informing individuals of the data processing are the controls that enable transparency. Table 2 lists all compliance controls along with the related obligation or provision.

Process-based controls

Compliance control | Related obligation or provision
Consent collection is distinguishable, presented in an intelligible, easily accessible and undisruptive form, using clear and plain language | Informed consent
Consent is given by a clear affirmative act | Informed consent
Notify or inform individuals of processing | Right to be informed
Publish an easily accessible and understandable privacy statement | Right to be informed
Inform individuals about their right to demand erasure of their personal data | Right to be informed
Include all (new) stipulated terms in processor contracts | Agreement with processors
Maintain data processing records | Records of processing activities
Maintain data breach records | Records of data breaches
Report data breaches | Notification of data breach to authority (and data subject)
External audits | Security of processing provision

TABLE 2: COMPLIANCE CONTROLS
2.5.3 Technology-based controls

The technical controls are programmed into the organization's systems and architecture, such as software and data, to monitor and control access to information. The majority of the technical controls address the organization's obligation to protect data by design and by default and to implement appropriate controls for the security of processing. Table 3 lists all technical controls together with the related obligation or provision.

Technology-based controls

Technical control | Related obligation or provision
Data protection by design and by default strategies and patterns | Data protection by design and by default
Direct data encryption or anonymization if possible | Data protection by design and by default; Security of processing provision
Archiving data | Security of processing provision
Measures to block or erase data systematically | Data protection by design and by default; Security of processing provision
Access control | Security of processing
Allocate authorizations | Security of processing
Separation of data | Security of processing
Register of processing activities records | Records of processing activities
Cloud storage or DMS | Security of processing
Store data in a structured and machine-readable format | Right to data portability
Internal audits | Security of processing

TABLE 3: TECHNOLOGY-BASED CONTROLS
Organizations may invest in data protection controls for (1) ethical reasons, or (2) because the benefits are weighed against the costs. Also, (3) the extent to which enforcement by the supervisory authority is adequate and consistent, and (4) the interpretation of ambiguous legal texts may influence the decision-making.
2.6.1 Ethical reasoning

Ethical reasoning is based on the moral responsibilities of organizations, according to Culnan and Williams (2009). Organizations ought to do no harm in the treatment of their customers' personal data, since the customers are vulnerable. A manager must often balance customer privacy against business interests. Customers give up control over the subsequent use of their data in exchange for a product or service. They want to trust that the organization keeps the data private. Misused information can easily result in harm to the customer. Therefore, organizations have the moral responsibility to invest in information security controls to protect data and prevent data breaches that cause potential harm.

Organizations also have business reasons to protect personal data. Problems arising from a data breach can lead to bad publicity and reputational damage. In addition, the fines and other costs of responding to the breach have consequences for business performance. The negative impacts may threaten the shareholders' fiduciary relationship with the organization. Ultimately, organizations that recognize and act upon their moral responsibilities are better able to acquire resources. Therefore, avoiding harm by protecting personal data is both ethically and economically sustainable (Culnan & Williams, 2009).
2.6.2 Cost-benefit analysis

A cost-benefit analysis estimates the benefits and costs resulting from an event or undertaking. The analysis may guide organizations in choosing among alternatives by weighing the benefits against the costs. Using the analysis to decide on investments in data protection controls can be problematic, due to its assumptions (King & Schrems, 1978). The cost-benefit analysis assumes that organizations know how to assign all costs and identify all benefits. Often the costs are underestimated and the benefits are overestimated. Organizations have difficulties controlling the project costs and achieving the benefits. In addition, the analysis assumes that organizations are able to identify the complete set of alternatives, which often is not possible. Other disturbing factors are social and political situations, such as misunderstandings, conflicting interests and coercion (King & Schrems, 1978).
2.6.3 Authority enforcement

The authority enforcement motive is closely related to the motive based on a cost-benefit analysis. A proactive approach by a supervisory authority may force organizations to make compliance decisions. When enforcement is lacking, organizations weigh the benefit of neglecting control implementation against the cost of being detected. In this situation, increasing the likelihood and costs of detection by monitoring and sanctioning are the best means to enforce compliance and make non-compliance less attractive (Tallberg, 2002).
2.6.4 Interpretation of the legislative texts

The GDPR is principle-based and consists of open norms. The Regulation imposes requirements that are unclear, which makes it difficult for organizations to comply (Culnan & Williams, 2009). Jurisprudence is lacking, since the GDPR is not yet operative. Legislative systems may be classified as principle-based or rule-based, according to Burgemeestre et al. (2009). The GDPR corresponds more with principle-based legislation than with the rule-based approach. The boundaries of the obligations are not settled yet, the requirements are universal and abstract, and the Regulation leaves room for interpretation. The GDPR is clear about what organizations must do to become compliant. However, how this may be achieved has not been formulated. More practical knowledge about the Regulation is required to implement the controls adequately. Social negotiations between organizations, trade associations and regulators are useful to standardize norms in an understandable language (Burgemeestre et al., 2009). This may contribute to a more straightforward interpretation and implementation of the GDPR for organizations.
technology. The GDPR introduces new data protection principles, measures and objectives into the Regulation. The control frameworks from the ISO 27001/2 and 27018 standards are deemed useful for implementing the required technology-based and process-based controls to comply with the GDPR. Implementing process- or technology-based controls assists in achieving compliance, although this will not be sufficient. The process- and technology-based controls have no effect when people-focused controls are neglected and when employees are unaware and fail to demonstrate the desired behavior (Vroom & von Solms, 2004). The actions identified by Herath & Rao (2009) contribute to improving the security awareness of employees. Furthermore, whether controls are implemented may be driven by different motives. The primary motive, and the one most commonly voiced by organizations, is based on ethical reasoning. However, organizations might have other motives, such as a cost-benefit analysis, (lack of) supervisory authority enforcement and (issues with) interpretation of the legislative text.
3. Research method

This chapter explains the applied research method. The first paragraph describes the selected method. The second paragraph describes the research design, the quality of which is discussed in the third paragraph. The fourth paragraph describes the method of data collection and, finally, the data analysis procedure is explained.
Yin (2009) describes five research methods, which must be selected based on three conditions. The conditions are:

1) the type of the research question
2) the extent of control the researcher has over actual behavioral events
3) the degree of focus on contemporary as opposed to historical events

The type of research question is a "how" question. This type of question is more justifiable for explanatory research, dealing with operational links that need to be traced over time, and is an appropriate motivation for case study research. The researcher has no control over actual behavioral events and the focus is on contemporary events. The combination of the three conditions indicates that a case study fits best as the research method.
The research design contains four components: (1) research questions, (2) units of analysis, (3) the analytic technique and (4) the criteria for interpreting the findings. Paragraph 1.4 describes the research questions, and the unit of analysis consists of three Dutch housing associations. Pattern matching by cross-case synthesis is used to analyze the cases.
The quality of the research design can be judged by three logical tests based on certain criteria, listed in table 4. A research design is chosen to help find evidence that addresses the research question. In order to test the research design on each criterion, several tactics are applicable in each phase. To increase construct validity, multiple sources of evidence are used. The study involves three housing associations. If practicable, interviews are held with two or three participants with different organizational roles. The case protocol and interview questions (appendix 2) are reviewed by key informants. External validity deals with the generalization of research beyond the case study, which is maximized by using replication logic. The evidence from multiple-case studies is often considered more compelling and more robust (Herriot & Firestone, 1983). The designed research protocol enables the researcher to repeat the process for each case study, which contributes to uniformity, validity and generalizability, and improved reliability. The goal of reliability is to minimize errors and biases in the study. A later researcher should arrive at the same results and findings as an earlier researcher, if the same procedures are followed.
3.4 Data collection

Several sources of data are used to conduct this study. For theory development both scientific and industry literature was used. The semi-structured interviews form the main data source for the case study. Three housing associations are involved. The GDPR is applicable to all EU organizations. Therefore, a sample of three housing associations that represent the industry has been selected. All participating organizations have formulated an information security policy, assuring that the respondents have a certain level of knowledge regarding information security controls. This will contribute to finding interesting practices. The classification of the industry is based on organizational size. The size is derived from the number of units that a housing association rents out. Table 5 visualizes the size classification, the selected sample of DHAs and the roles of the respondents. Appendix 3 contains the interview agenda.

Table 5 (only the column headers survived extraction): Size | Rentable units | DHA | Roles
The semi-structured interviews help to put the findings in a preliminary order. The findings from the interviews are put into a matrix of categories based on the a priori coding. The control implementation status is checked by assigning colors. A status can have the color green (V), yellow (!) or red (X). Green is assigned to controls that are fully implemented, yellow to controls that are partially implemented, and red to controls that are not implemented. The observed patterns within cases will be compared in a cross-case analysis to find similarities and differences when the data is viewed from different perspectives. Overlapping patterns indicate the strength of support, and thus possible generalization. The three domains of information security (people, process and technology) are used for analyzing the control implementation. A cross-case analysis is executed on each domain separately. The implementation status of each control is used to tabulate the frequency of events, and the findings help to find patterns and explanations for the events.
4. Results

This chapter describes the case study findings per case and the analysis of the findings. The first section describes the findings for each case regarding the control implementation on the three information security domains (people, process, technology), including the implementation challenges and motives. Section 4.2 consists of the data analysis, comparing the cases side by side. Furthermore, the Wbp is compared with the GDPR and a comparison between the theory and the findings is made. The interview data is presented in appendices 4, 5 and 6.

The findings per case are analyzed separately, based on the three domains of information security: people, process, technology. The implementation challenges and motives regarding the control implementation are analyzed jointly. First the case of Woongoed Middelburg is analyzed, followed by Wonen Zuid and AlleeWonen. Each case analysis starts with a brief introduction of the organization.
4.1.1 Case 1: Woongoed Middelburg

The origin of Woongoed Middelburg dates back to 1919; it was a continuation of Woningbouwvereniging Middelburg, which had emerged from a merger of three DHAs. Woongoed owns 6.323 rentable units and this number has been stable since 2012. The workforce counts 39 fte. VVA-informatisering was chosen to guide the development of the information security policy and plan.

People-focused controls

Woongoed Middelburg considers the people element the most important factor in becoming GDPR compliant. The organization has no official DPO and has no intention to appoint one. Woongoed believes in the professionalism of its employees and the responsibility of the managers. The organization is based on trust, and employees must be able to consult all available personal data of tenants, enabling optimal customer service. The non-disclosure agreements between the organization and the employees should assure careful handling of personal data. The GDPR is a topic of high interest for top management. Woongoed invests in security awareness in terms of training and educating employees, which is regarded as effective. However, data protection will always be a side issue alongside the employees' daily jobs. Although the organization considers its employees not yet ready for the GDPR, they are confident of being on time.
Process-based controls

The process-based controls are partially implemented. Woongoed wants to minimize paperwork and bureaucracy: the more plans and procedures there are, the more frequently these documents require updating. Instead of formulating plans and procedures, managers and employees must know their responsibilities by heart and respond to incidents using common sense and in consultation with colleagues. Although the organization has no experience with conducting DPIAs and defers such assessments until a data breach has occurred, the organization does weigh the concerns and risks of data processing for tenants and the organization. The organization addresses the data protection principles by redesigning the business processes in order to minimize data and apply purpose limitation. In addition, Woongoed is currently developing a register for recording data processing activities. In the past the organization collected as much data as possible, without a clear purpose. Now the organization aims to collect as little as possible and to store it for as short a time as possible.

The organization has formulated an information security policy and plans. In addition, Woongoed has formulated a data breach procedure and authorization and access policies. A procedure for data archiving and destruction has been formulated partially, and a work process for personal data access requests from individuals is lacking. Regarding an incident response plan and a business continuity and data recovery plan, the organization relies on its outsourcing parties. Less attention is paid to transparency towards tenants about data processing activities. No privacy statement has been formulated yet. Tenants are informed only briefly about Woongoed's data processing activities when signing a rental agreement. Woongoed demonstrates compliance to the authority through recording and notifying data breaches, and agreements with processors will be revised soon. External audits will be considered after control implementation is completed.
Technology-based controls

The data protection by design and by default principles have been a source of conflict for Woongoed. Data protection by design and by default is not in line with Woongoed's trust-based organization. If systems are installed with the highest protection configuration, employees will feel hindered, resulting in less adequate customer service. The information systems contribute to data protection through access controls and authorizations. Due to Woongoed's trust-based organization, controls to encrypt or to separate data are not desired. On the other hand, controls to erase data and block modifications are implemented. Furthermore, the respondent (information manager) added an interesting point of view. Traditionally, DHAs are technology- and process-oriented. The human element has been overlooked for a long time. The technological developments of the past decade assisted DHAs in digitizing their business processes. At the same time, this development has increasingly affected the risk and probability of data breaches. People are unaware, as they were not involved with information security or data protection.
Implementation challenges and motives

Woongoed puts most effort into the people-focused controls. The organization believes that security awareness and encouraging desired behavior are most important to become GDPR compliant. At the same time, maintaining awareness and alertness at such a level that employees keep demonstrating compliant behavior is regarded as a major challenge. Regarding the process-based controls, the amount of time required to formulate plans, procedures, policies and a privacy statement has been the most challenging for Woongoed. In addition, data protection is often considered a side issue by employees. Another challenge is to limit the technical controls to what is really necessary. The organization wants to stay away from investing too much in technical controls, whose effectiveness is doubtful. Systems with high data protection levels only hinder employees and may be counterproductive. Woongoed tries to solve security issues first with people-focused controls, followed by procedural controls. Technology should have a supportive role.
The introduction of the GDPR is a trigger for Woongoed to invest in data protection. The organization implements controls to prevent data breaches and avoid bad publicity. Moral responsibility has been the motivator for most of the security control implementation. However, not all required controls are implemented or planned. One reason for that can be found in the trust-based organization. Woongoed deliberately chooses not to diminish this approach and to have faith in its employees' professionalism and confidentiality. In addition, processes must remain workable after control implementation. The organization tries to find the balance between operations and compliance. The interpretation of the legislative texts has also been a motive for Woongoed not to implement certain controls. The Regulation conflicts with other laws and the open norms are not straightforward. The organization waits for definite answers from the authority and from jurisprudence. The last motive for not implementing controls exactly as required can be found in the perceived tolerance of the supervisory authority. As long as control implementation decisions can be explained and justified, Woongoed believes that the authority will enforce less strictly.
4.1.2 Case 2: Wonen Zuid

Wonen Zuid is a housing association in the region of central and south Limburg and owns 13.777 rentable units. Wonen Zuid was founded in 2002 after a merger of five housing associations from that same region. The association has offices in Roermond and Heerlen and counts 150 fte.

People-focused controls

Wonen Zuid acknowledges the importance of implementing people-focused controls. However, improving the security awareness of the employees has received limited attention so far. The organization has implemented several controls to protect information and personal data of tenants, mostly technology- and process-based. The implementation of people-focused controls is planned. Currently, employee interest in data protection is low. Data protection and the GDPR are not in people's minds yet and a security awareness climate is lacking. The organization regards the GDPR as yet another law to comply with and difficult to manage. Nonetheless, the management has started to identify the GDPR obligations, since they feel the necessity. The organization assesses its employees to be "incompetent aware". To improve security awareness the organization has planned to introduce a chatbot, functioning as the body of knowledge, to which employees can ask questions related to data protection. Wonen Zuid has no DPO appointed yet, since this is not required. The organization expects that a DPO will soon be mandatory for housing associations. For now, the DPO's tasks lie with the information manager.
Process-based controls

To identify the categories, owner and location of personal data within the business processes, a classification is under construction. The classification will contribute to minimizing data collection, limiting the purpose of processing and limiting retention. However, Wonen Zuid holds personal data in its business processes which the organization is not allowed to have. This is due to the legacy of the systems. The organization attempts to comply with the mandatory retention period and has planned a clean-out of personal data in all documenting systems, both logical and physical. However, the organization realizes that it will not be completely free of unlawful personal data in its systems at the GDPR implementation date. Wonen Zuid has implemented several procedural controls concerning information security and data protection, such as an information security policy, incident response plans and several procedures. A data breach procedure awaits the top management's approval. Although the organization has implemented several procedural controls, their importance is not communicated throughout the organization. Most employees, except those in the IT department, do not understand the necessity of certain controls. The organization's privacy statement, to inform tenants about the processing activities, is almost ready to publish. Wonen Zuid places a high value on transparency. This transparency was reflected by the notification of a data breach to the supervisory authority, even though the breach was not considered to require notification. Controls for the purpose of demonstrating compliance to the supervisory authority have been developed less. Although the organization keeps records of data breaches, a register of all processing activities and contracts with processors containing the new stipulated terms have been missing.
Technology-based controls

Traditionally, Wonen Zuid has attached great importance to technology. The technical controls within the self-managed systems are close to the optimal level. The access controls and authorizations are stringent and the organization has planned to narrow the authorizations even further. Wonen Zuid actively controls and evaluates the authorizations of each employee on a regular basis in order to prevent unnecessary access to data. However, the organization also makes use of supplied IT systems. These systems hardly ever meet the new GDPR requirements. Therefore, Wonen Zuid collaborates with other housing associations to formulate data protection by design and by default strategies. These strategies form the new requirements for the supplied IT systems. The requirements consist of data encryption and data archiving, blocking and erasure.
Implementation challenges and motives

Wonen Zuid considers the improvement of security awareness a major challenge. The organization realizes that implementing people-focused controls will be crucial to protect personal data in accordance with the GDPR. Until recently, the organization relied mainly on technical controls. Only the IT department was concerned with data protection, while the rest of the organization was, and still is, not aware. Although the process-based and technical controls are well developed in comparison with the people-focused controls, the organization must implement extra controls to comply with the GDPR. The amount of work and time that the required procedural and compliance controls bring is considered most problematic. The legacy of the collected data and the way it is stored in all systems creates problems today. The legacy hinders data minimization, and Wonen Zuid will not be able to limit its data processing to what is strictly necessary for performing the processes by 25 May 2018. In addition, the supplied systems do not yet comply with the new requirements. Updating the systems to incorporate the GDPR requirements at short notice will also be a challenge for Wonen Zuid.

The moral responsibility of Wonen Zuid towards its tenants and employees is the main motive for implementing data protection controls. The organization places a high value on the privacy of individuals and wants to avoid bad publicity. Nonetheless, Wonen Zuid assumes that enforcement by the supervisory authority will be less likely, since the authority has too little capacity for proactive inspections. Moreover, Wonen Zuid believes that the authority will be satisfied if the organization is able to show progress without being compliant. Another motive for control implementation can be found in the ambiguity of the legislative texts. Wonen Zuid criticizes the GDPR for its practicability and the lack of guidance provided.
AlleeWonen is a housing association in Roosendaal and Breda and owns 19.766 rentable units. The origin of the association dates back to 1916. AlleeWonen has emerged from a number of mergers. In 2004 Arwon and WSJ beheer, both from Roosendaal, started collaborating. The new association was called Aramis. Three years later Aramis merged with Singelveste Breda and AlleeWonen was founded. The association nowadays is located both in Roosendaal and Breda and the workforce counts 186 fte. VVA-informatisering was chosen to guide the development of the information security policy and plan.
People-focused controls

AlleeWonen puts a high value on security awareness. The organization invests in people-focused controls to gain widespread support and to encourage desired behavior. A security awareness team has been composed with members from all organizational layers. The team stimulates employees to think and act as they should and to protect the data of tenants and employees. In addition, trainings and an educational roadshow have been offered. The security team also rewards employees if they detect and report a potential data breach. These actions have been effective for almost all departments. Although the organization invests in a security team, support from top management is not unanimous. Some managers call decisions from the security team or privacy officer into doubt. The middle layer of the organization is the driver in bringing the GDPR and data protection to the attention of employees. AlleeWonen did not appoint a DPO. The organization believes that a privacy officer will be sufficient as long as a DPO is not mandatory.
Process-based controls

AlleeWonen attempts to weigh the risks and concerns of the data subjects and the organization thoughtfully. The organization pays much attention to avoiding bad publicity. Therefore, the organization evaluates for each process what data is really needed and what the purpose is, in order to justify its data processing. The organization has not yet found a solution to reduce copying and storing data in multiple locations. DPIAs are not conducted by AlleeWonen. The assessments are planned to be executed after the control implementation is completed. The organization does feel the necessity to implement all required controls as soon as possible. AlleeWonen does not consider itself a data protection pioneer. The organization carefully follows the mainstream and adapts to the GDPR step by step, always seeking the balance between the legislative framework and organizational certainties. Processes must remain practicable for the employees who perform the tasks.

AlleeWonen's information security policy and plan were formulated in 2016. The organization is putting effort into realizing all the plans. Other process-based controls that the organization has implemented are: a data breach procedure, a procedure for data archiving and destruction, an access and authorization policy, partial test procedures and a data archiving procedure. In addition, the organization has incident response plans. The business continuity and data recovery plan is covered by the outsourcing party. As an extra, AlleeWonen has a protocol to protect its customer service employees from unjustified recording, and the organization has a camera protocol. The organization strives to be transparent about its processing activities towards tenants and other data subjects. A privacy statement will be published soon. AlleeWonen demonstrates accountability and compliance through a register of data processing records and updated agreements with processors according to the new stipulated terms. Although data breaches are recorded together in folders, a register is lacking. External audits will be considered after evaluating the results from the DPIA and jurisprudence.
Technology-based controls

AlleeWonen appreciates the importance of data protection by design and by default. So far, the organization has no strategy formulated. However, there are plans to standardize and to select future suppliers by using the standards. The organization has implemented several technical controls. A new archiving system has been launched and the register for data processing activities has been finished. The organization performs several tests to evaluate controls. However, the organization wants to perform tests and internal audits more frequently. The organization does not separate or encrypt data. AlleeWonen waits for its IT suppliers to introduce these kinds of features.
Implementation challenges and motives

AlleeWonen considers employee involvement in the data protection activities and enhancing their security awareness as most important to become GDPR compliant. Keeping employees aware and avoiding a slackening of their compliance behavior will be a challenging task. In general, there is organization-wide interest. However, some departments are lagging. AlleeWonen must be persuasive to encourage desired behavior at all departments. Regarding the process-based controls, the organization finds it challenging to standardize all processes and procedures throughout the organization. In addition, there are no or few tools available on the market to simplify the processes or procedures. The organization also has trouble with data storage procedures. A clear overview of where data is stored, such as on local devices or in mailboxes, is lacking. Regaining oversight will be a major task for the organization. In the end, the implementation of process-based controls takes a lot of time and effort from the organization, which makes it difficult to prioritize and manage. Not all technical controls are implemented in the organization of AlleeWonen. The challenge for them is to have all the technology in place that suits the GDPR requirements. Too often existing systems do not take the new requirements into account. Although the organization is confident that the technology will incorporate the required controls soon, AlleeWonen does not want to overinvest in technical controls. Malicious people will always find the flaws in systems, no matter the protection level. The organization believes that investing too much in technical controls will frustrate its employees, who will seek ways to bypass the security controls. This will have a counterproductive effect. Taking responsibilities away from employees and putting all security controls onto the systems will make people lazy. In that case, technical controls will undermine the security awareness and compliance behavior of employees. Therefore, AlleeWonen believes that the most essential aspect to invest in is the people-focused controls.
AlleeWonen puts high value on ethical behavior. The organization will take its moral responsibility to avoid harm and a damaged reputation by protecting the personal data of subjects. Ethical reasoning is the prime motive for data protection implementations. Not all controls are implemented at this moment, due to the fact that the organization follows the mainstream. The organization prioritizes controls on necessity. In addition, the interpretation of the Regulation has been difficult. AlleeWonen prefers to wait for more practical guidelines and jurisprudence instead of starting to implement controls incorrectly. The organization works closely together with lawyers and other experts to gain more knowledge about the GDPR, in order to become compliant. Another control implementation motive emerges from the assumption that the supervisory authority will be tolerant if controls are not yet implemented.
In the data analysis, the three cases are compared to each other in the cross-case analysis (table 6), to find similarities that can be generalized to the context of the Dutch housing associations industry. Based on the findings, a comparison between the Wbp and GDPR compliance of DHAs is made. Also, the findings are compared with the theory to find similarities and differences.
4.2.1 Cross-case comparison

The three cases are compared side by side to find similarities and differences. The similarities and differences may form patterns that can be generalized to a broader context. Table 6 visualizes the cross-case analysis, including the implementation status of each control. Several similarities and differences across the cases are found. The similarities with regard to the implementation and challenges are categorized per control domain, followed by the identification of the motives.
Similarities

At first, all three organizations are traditionally technology- and process-driven. There has been less focus on the human element. As a result, the technology- and process-based controls are the most developed. All three housing associations have invested in technical controls (measures in table) to build an imaginary protective wall between the internal organization and the external environment, such as authorizations and access control. However, the organizations are dependent on the IT suppliers for including the new data protection requirements in the systems. Nonetheless, the organizations want to prevent data breaches that may do harm to tenants and employees and cause reputational damage. The organizations feel that they have a moral responsibility to protect the personal data of individuals.
have full oversight of where data is stored digitally, such as mailboxes or local devices, and physically, such as paperwork. This is difficult to examine. The data classification can be considered as the starting point of the register of data processing activities obligation. AlleeWonen has already completed the development of such a register. Woongoed and Wonen Zuid are still developing theirs, while Woongoed has already started to redefine its business processes in order to minimize data collection. Nonetheless, the organizations are confident that they will complete the classification before the launch of the Regulation, but whether all business processes will be redefined and free of unnecessary data collection by then is questionable. Regarding the implementation of controls to demonstrate compliance to the supervisory authority, the organizations have made similar progress. Where data breaches occurred, the organizations have notified them and records are kept. The organizations are working on updating the agreements with processors.
Third, several similarities are found regarding the people control domain. The people-focused controls are considered as most important to become compliant, and at the same time these controls are the least implemented. The organizations consider their employees as not ready for the GDPR at this moment. Nonetheless, in the meantime all organizations have planned or started security awareness actions, and the supporting sources for employees to consult are readily available. All three organizations conclude that improving and maintaining the security awareness and compliance behavior of employees will be the most challenging and require the most effort, followed by the process-based controls. Another similarity is the absence of a DPO. However, appointing one is not obligatory yet.
Fourth, several similarities regarding the motives whether to implement controls are identified. The interpretation of the GDPR has been troublesome for the organizations. The open norms can be ambiguous and sometimes contradictory with other legislation, complicating the implementation of required controls. The organizations hope for corrective amendments or jurisprudence to provide better guidance. In addition, the organizations assume that the supervisory authority will be tolerant if not all required controls are implemented at the early stage. As long as they can explain their decisions and show progress regarding the implementation of data protection controls, the organizations believe sanctions will be mild or will not be imposed at all. The organizations try to optimize their control implementation level. The organizations are seeking a balance between compliance and a workable situation for employees. These considerations were decisive in determining the appropriateness of the technical controls at all organizations, which they have done thoughtfully. Although weighing costs and benefits in this perspective could be helpful as a motive for implementation, none of the organizations has actually performed cost-benefit analyses.
Differences

The housing associations differ from each other on several aspects. Regarding the people-focused controls, the difference in top-management interest between the organizations is remarkable. The engagement from top management at AlleeWonen is considered as not optimal. The top management does not show more interest in data protection than the employees, and some top managers do not fully support control implementations, since they think they know better or for political reasons. Wonen Zuid has not started with security awareness actions. Although top management realizes the need for responding to the GDPR and potential actions have been discussed, practical plans have not been made yet. The top management of Woongoed is considered as the most engaged of all organizations, since the managers are provided with responsibilities regarding data protection. The data protection tasks are divided among the managers, getting them easily involved with the GDPR. Also, Woongoed's employees are considered as most engaged, followed by AlleeWonen. The latter has difficulties with involving one department. However, the overall employee interest of AlleeWonen is considered as good. Wonen Zuid has concluded that data protection is not in the mind of its employees yet. Nonetheless, the employees are showing signs of growing interest. Different approaches to improve security awareness have been encountered.
Woongoed and AlleeWonen have similar approaches. They organize sessions with employees for training and education and attempt to create a security awareness climate. Wonen Zuid embraces a more technical approach, focusing on individuals. The organization uses a software tool (chatbot) to get employees involved with the GDPR and data protection. Although the chatbot might contribute less to the creation of a security awareness climate, the sources and means employees may use to gain knowledge about data protection are available at any time in a central location. Wonen Zuid has historically invested most in technical solutions. The organization puts high trust in technology, like the use of a chatbot, also for changing people's behavior. Woongoed and AlleeWonen believe that the technology should have a supporting role. Woongoed tries to find the solution first in people- and process-based controls, instead of introducing technical solutions. The organization trusts its employees to do what is best concerning protecting the data of tenants and wants to put fewer restrictions on the employees' jobs. AlleeWonen believes that too much focus on technology will undermine the security awareness of employees, since the technology-based solutions will take over the responsibilities of employees regarding data protection. Consequently, employees will become less conscious and less alert. Other differences have been found in the way procedural controls are implemented. Woongoed does not believe in the effect of documenting everything or writing plans and procedures for each process, while the other organizations have planned to formulate processes in detail. Woongoed foresees no problems with not having formulated plans and procedures for performing processes, since they consider their employees as self-sufficient and competent to fulfill their tasks.
4.2.2 Comparison between Wbp and GDPR

The GDPR can be considered as a major upgrade of the Wbp. Organizations are faced with many more obligations, which require new controls to be implemented. The GDPR objectives are not too different from the Wbp objectives. Both legislations aim for better data protection and privacy for individuals. However, the Regulation attempts to give individuals more control to protect their own personal data by providing them with more rights. The introduction of the Wbp dates back to 2001. For 16 years the Wbp has been applicable to all organizations located in the Netherlands, which means that DHAs too must comply with the law. The findings from the case study research show that none of the cases actually complies with the Wbp. Similar to the objectives, the data protection principles of the Wbp are taken over into the GDPR. This means that organizations already have to address principles like purpose limitation, data minimization and retention limitation. None of the three DHAs has acted in accordance with the principles. The organizations have often collected as much data as possible, since it may be convenient for their customer service. Purpose limitation and data minimization have been neglected. In addition, all of the organizations have stored personal data too long without considering the legal retention period. Apparently, the introduction of the GDPR has forced the organizations to rethink their data processing activities much more than the Wbp did, while the Wbp had similar requirements. In that sense, the GDPR has already been effective.
4.2.3 Comparison between theory and findings

The comparison between the theory and findings is performed on four aspects. The similarities and differences between the theory and findings contribute to the shaping of new perspectives on the theories of the privacy and data protection discipline. The four aspects are: (1) mechanical approach to information security, (2) security awareness, (3) implementation motives.
Mechanical approach to information security

The findings from the case study are similar to the findings from the empirical research of Merete Hagen et al. (2008) regarding the implementation of information security controls. The inverse relationship between the implementation of information security controls and how the effectiveness of the controls is assessed has been observed at the three housing associations. The technology-based controls are implemented most, followed by the process-based controls, while the people-focused controls are the least implemented at the three housing associations. At the same time, the organizations believe the people-focused controls are most effective to become GDPR compliant. The focus on technology- and process-based controls above the people-focused controls is also known as the mechanical approach to information security. Merete Hagen et al. (2008) suggest three reasons for the lack of people-focused controls in organizations: (1) resource demand, (2) positioning of information security, (3) top-management engagement. The findings at Wonen Zuid demonstrate that the high demand for resources for implementing people-focused controls has been a constraint for the organization. The organization has not managed to organize security awareness training or education together with a group of employees, while the other organizations have had no problems managing this. Wonen Zuid was not able to set up such a gathering, due to limited time and other priorities. The IT domain has traditionally been occupied with information security, which might be another reason for a lack of people-focused controls. Until recently, this was the case at all three housing associations, as the IT professionals were the only employees concerned with information security and data protection.
Wonen Zuid seems to stick with this more than the other organizations, as they introduce a technical solution to improve security awareness (chatbot). In addition, the importance and benefit of a recently implemented control was not communicated to all employees at Wonen Zuid, being understood only by the IT department. The fact that the organizations have positioned information security at the IT department for a long time can be a reason for the immature security awareness of employees today. The absence of people-focused controls might also result from a lack of top-management engagement. However, this was not supported in the case of AlleeWonen. Their top-management engagement was considered as not optimal, while the organization has implemented the most comprehensive security awareness actions of all. Nonetheless, top-management engagement is considered as an important factor for security awareness creation.
Based on the researchers' empirical findings, Merete Hagen et al. (2008) have developed a staircase of information security, visualized in figure 8. The staircase encompasses the three essential domains to be addressed for information security and data protection, including people-focused controls, and is considered as a response to the mechanical approach to information security. Although the staircase involves people-focused controls, the order of the stairs still indicates a mechanical approach at the first two steps: the technical controls form the foundation on which the organizational or process-based controls are built (mechanical). The security awareness controls are important for motivating people to act in accordance with the organizational or process-based controls and to understand the benefit and necessity of technical controls. The people-focused controls add a new element after the mechanical approach is applied at the first two steps, making the staircase approach less mechanical.

FIGURE 8: INTERPRETATION OF THE INFORMATION SECURITY STAIRCASE (MERETE HAGEN ET AL., 2008)
Based on the findings of Merete Hagen (2008) and the case study results, a pattern in the participating organizations has been identified. The observed organizations traditionally come from a mechanical approach. This was the case for the sample of Merete Hagen et al. and for the three DHAs participating in this case study research. The reasons for this approach and the lack of people-focused controls are also related to the mechanical approach, the positioning of information security at the IT department in particular. In fact, the organizations have followed the steps of the staircase in their past. However, the findings of both case studies demonstrate that the organizations fall too short regarding security awareness and educated employees. Now, the organizations have to make a major catch-up effort. New organizations that want to implement controls for information security and data protection purposes and follow the steps on the staircase will be confronted with similar problems as the case study's participating organizations. This means that the staircase does not break the pattern of the mechanical approach identified in both case studies. The security awareness controls will be implemented only after the implementation of the mechanical controls, which requires a catch-up effort from these organizations, while knowing that the security awareness controls are the most resource demanding. Therefore, the staircase has shortcomings to overcome, as it does not solve the problems of the mechanical approach sufficiently.
Security awareness

Humans play a significant role in information security. Their role has been assessed to be most important for adequate data protection. Herath and Rao (2009) have identified a complete set of security awareness actions. The housing associations have performed several of these actions, such as training, education and security awareness climate creation. AlleeWonen has performed most of the actions, followed by Woongoed. Wonen Zuid has an approach that differs from Herath & Rao's actions. The organization is starting to use a chatbot to educate and train its employees. A chatbot provides a solution to the availability of resources. Instead of searching for answers to data protection issues in multiple documentation systems, employees can ask their question directly to the chatbot and start a conversation. Apart from the diversity of the security actions applied by the three organizations, the effectiveness of actions has been considered similarly. The organizations believe that creating security awareness is most effective through experiential learning. Employees are more willing to adjust their behavior when they are emotionally involved. Therefore, the experiential learning approach can complement the education and training actions mentioned by Herath & Rao (2009).
Implementation motives

Four motives for implementing controls have been identified in different theories: (1) ethical reasoning, (2) cost-benefit analysis, (3) authority enforcement and (4) interpretation of the legislative texts. All three housing associations have indicated that they implement controls for ethical reasons. They state that their moral responsibility towards individuals is the main driver for becoming GDPR compliant. The lack of authority enforcement, or the belief in authority tolerance, and having issues with the interpretation of the Regulation are motives for the housing associations to desist from implementation so far. At all three cases those three motives have been observed. None of the housing associations has conducted a cost-benefit analysis. Although some implementations did require careful consideration, no serious cost-benefit analyses were conducted.
4.2.4 Summary of results

The case study findings offer valuable insights regarding the data protection control implementation of DHAs, useful for best practices. The cross-case analysis identifies several similarities and differences among the cases. One clear pattern has been observed. The organizations originate from a mechanical approach to information management, as they traditionally are process- and technology-oriented. People-focused controls have been overlooked for a long time. The findings are in accordance with the theory of Merete Hagen et al. (2008). At the same time, the findings also provide new perspectives on the same theory, which is discussed in chapter 5.
5. Discussion

This chapter discusses the results from the previous chapter to formulate answers to the sub questions and the main research question, with the aim to deduce the aspects that must be taken into account by DHAs responding to the GDPR. The response to the GDPR must be interpreted in terms of implementing data protection controls to address the legal obligations. The first sub question identifies in broad terms what the GDPR is about and why organizations, and DHAs in particular, have to comply with the legislation. The second and third sub questions move on to 'what' controls should be implemented and 'how', specifically for DHAs. The fourth sub question addresses the practical challenges and motives of DHAs with regard to their control implementation. This may assist other DHAs in anticipating similar issues related to data protection.
1. What are the differences between the Wbp and GDPR in terms of principles, objectives and obligations to data controllers and processors?

The GDPR replaces the Wbp on 25 May 2018. The GDPR builds on the Wbp and introduces new obligations or adds extra requirements to existing obligations for data controllers and processors. The GDPR principles are drawn from the Wbp, of which the principles were based on Directive 95/46/EC. Two principles have been made more explicit and are strongly emphasized. Many of the new obligations are based on these two principles, being transparency and accountability. These principles contribute to one of the objectives of the Regulation, which aims at strengthening data protection rights by giving individuals more control over their personal data. This objective and the objective to unify the regulatory system for all EU organizations and citizens are new in comparison with the Wbp. The Wbp objectives to protect individuals against unjustified collection, recording, use and dissemination of personal data, and to enable the free flow of personal data between Member States, have remained unchanged in the GDPR.
The GDPR introduces a set of new obligations for data controllers and data processors. These obligations mainly aim for increased accountability of organizations regarding their processing activities and to enable more transparency towards data subjects, which applies to both data controllers and data processors. At the same time, the data subjects are provided with more rights to protect their own personal data processed by these organizations. To address the accountability principle, organizations must maintain a register with all information about their data processing activities, which is a new GDPR obligation. Other new obligations that reinforce the accountability of organizations are the appointment of a DPO and the execution of a DPIA. However, these obligations are only applicable to organizations that meet specific conditions. To encourage more transparency towards individuals about data processing activities, the GDPR obliges organizations to inform individuals about their data processing activities through a privacy statement. When for any processing activity the mechanism of consent functions as the legal ground, individuals must be well informed in clear language. To address the objective to give individuals control over their personal data, several new rights are introduced. Rights for individuals are not new with the introduction of the GDPR. Existing rights of individuals, such as the right to access, the right to rectification and the right to object, remain almost the same except for some details. New rights are the right to be forgotten, which must ensure personal data will be destroyed after a valid request, and the right to data portability, enabling free movement of an individual's customer data from organization to organization.
2. What data protection controls are required to enable GDPR compliance?

To address the GDPR obligations and to protect the personal data of individuals, controls must be implemented in three domains: technology, processes and people. The technology-based controls consist of physical and technical controls. The process-based controls consist of procedural and compliance controls, and the people-focused controls consist of security awareness actions. The identified technology- and process-based controls are derived from the ISO 27001-2 and 27018 information security standards (paragraph 2.7.2 and 2.7.3). The identified people-focused controls are based on the security awareness framework of Herath and Rao (paragraph 2.7.1). The effectiveness of the controls is related to the mutual dependencies of the three control domains. According to the staircase of Merete Hagen et al. (2008), the technology-based controls form the first step, being the foundation of information security. The process-based controls (step 2) are built upon the technology-based controls and give shape to the formal systems, while the people-focused controls enable the execution of the process- and technology-based controls as intended. Withal, the people, as step 3, give life to the process-based controls.
The staircase was developed to challenge the mechanical approach to information security. However, the staircase is still based on the mechanical approach, since the first two steps are mechanical controls. To discourage organizations from regarding information security as an IT matter, and to prevent them from resource-demanding catch-up investments to brush up the security awareness and knowledge of employees, the staircase must be reconsidered. Figure 9 visualizes the adjusted staircase.

FIGURE 9: ADJUSTED INFORMATION SECURITY AWARENESS STAIRCASE OF MERETE HAGEN ET AL. (2008)
Instead of the technology-based controls, the people-focused controls are considered as the foundation for information security, and hence for data protection. Involving all employees will take data protection away from the IT domain. Explaining why data protection is important and informing employees about the benefits of technology- and process-based controls, at the earliest implementation stage possible, saves organizations from having to make major catch-up efforts. Moreover, the knowledge of employees might be used to contribute to the development and implementation of controls, which is illustrated by the arrows in the figure. The organizations create employee awareness and understanding and might gather valuable knowledge from those employees at the same time. To implement the controls according to the adjusted staircase, it can be assumed that several requirements must be met, which are derived from Herath and Rao's theory (2009). Top-management engagement is supposed to be crucial for two reasons. First, resources such as time, locations and tools must be made available. Second, the creation of a security awareness climate relies on top-management engagement. Such a security awareness climate is considered as a condition for the success of the people-focused controls as the foundation of data protection. Other requirements are effective training and education methods and readily accessible sources for studying.
3. To what extent are the required controls implemented by the housing associations?

Based on the case study findings, the overall implementation of the data protection controls is at the initial phase. The findings indicate that several controls required to achieve compliance with the Wbp have not been implemented at the organizations. This is demonstrated by the fact that the organizations have been collecting and processing personal data without a clear purpose. Until recently, the organizations traditionally had a mechanical approach to information security, focusing on technical and formal systems rather than the human element. The technology-based controls are developed most by the three participating organizations. The internal organizations are shielded from the external environment and security obstacles are set up to prevent data breaches. The process-based controls are less developed than the technology-based controls, due to the demand of time and effort, and some are new and not yet implemented. All organizations have formulated an information security policy and several procedures and plans. However, the required controls to become compliant are not sufficiently implemented. The people-focused controls have been overlooked for a long time. Although the organizations appreciate security awareness actions more than the other controls, implementation has fallen too short for a long time. The introduction of the GDPR has forced organizations to start with security awareness actions to involve employees and to encourage compliance behavior. Today the people-focused controls gain more attention, since the organizations have moved away from their mechanical approach to information security. The DHAs have planned or implemented several controls to increase security awareness.
4. What are the implementation challenges and motives?

The findings from the case study imply that the housing associations are faced with implementation challenges in each control domain. However, the major challenge comes with the people-focused controls. It will take much effort to get all employees involved with data protection and to improve their security awareness. However, improving knowledge about the risks and changing people's behavior is essential for protecting the data of individuals. The organizations consider the improvement and maintenance of the security awareness among employees as the most challenging task. Challenges regarding the process-based controls are the time and effort to put into formulating the policies, procedures, plans and protocols, and to identify and classify the data in each business process. The identification and classification is required to address the principles of purpose limitation, data minimization and retention limitation, which are not or only little taken into account at the DHAs.
The technology-based control implementation challenges are related to the dependence on third parties. The IT suppliers must update their systems with new features enabling data protection according to the GDPR obligations, and the DHAs are concerned whether this will be executed adequately and on time. Another challenge regarding the technology-based controls is related to the balance between compliance and workability. The organizations want to comply with the legislation through control implementation, realizing they have a moral responsibility to protect the data of tenants and employees. However, this must not hinder the day-to-day jobs of employees too much. That would frustrate them or even undermine their security awareness and willingness to behave properly in accordance with the GDPR. As suggested, the main motive for the DHAs to implement controls is based on ethical reasons. However, one might decide not to implement controls, motivated by the expected severity of supervisory authority enforcement. The organizations believe that the authority will be tolerant if not all required controls are implemented, as long as the organizations are able to show progress regarding data protection. In addition, the open norms of the Regulation might be ambiguous and contradictory with other legislation. Because of this, the lack of guidance from the Regulation might be perceived as a problem, being a motive not to implement controls yet.
Main research question: “How should Dutch housing associations respond to the General Data Protection Regulation?”

The combination of answers to the sub questions provides the answer to the main research question. The answer to the first sub question provides a broad explanation of the GDPR in comparison with the Wbp, addressing principles, objectives and the obligations that must be accomplished. This contributes to the understanding of the legislation, to know what is asked from DHAs regarding data protection. Based on the obligations, the required data protection controls are identified and observed at three DHAs, which has resulted in an adjusted staircase to implement data protection controls. Together this provides the answers to sub questions 2 and 3. The fourth sub question, which addresses the challenges and motives, may assist DHAs in anticipating issues related to data protection.
The
research
has
identified
the
GDPR
principles,
objectives
and
obligation
to
organizations
and
DHAs
in
particular.
In
addition,
a
control
list
is
identified
that
encompasses
the
three
control
domains
that
must
be
implemented
for
protecting
personal
data.
DHAs
will
most
likely
achieve
compliance
when
the
required
controls
are
implemented.
Yet,
data
protection
controls
must
be
implemented
adequately.
In
order
to
do
so,
DHAs
must
implement
all
three
control
domains
of
information
security,
including
people,
and
leave
the
mechanical
approach
as
being
technology-‐
and
process
driven.
The
three
domains
are
mutually
dependent
and
have
only
effect
when
all
three
control
domains
are
implemented.
This
research
suggests
that
the
implementation
of
mechanical
data
protection
controls,
being
the
technology-‐
and
process-‐
based
controls,
must
be
in
coherence
with
people-‐focused
controls
(figure
10).
This
control
domain
is
regarded
as
most
effective
to
protect
personal
data
of
individuals
by
the
DHAs
and
other
case
studies.
The
people-‐focused
controls
must
function
as
the
foundation
of
the
controls
in
order
to
involve
employees
at
the
earliest
stages
to
create
security
awareness
and
understanding.
At
the
same
time,
the
employees’
thoughts
and
knowledge
can
be
used
as
input
for
the
development
and
implementation
of
technology-‐
and
process-‐based
controls.
69
FIGURE
10:
ADJUSTED
INFORMATION
SECURITY
AWARENESS
STAIRCASE
OF
METERE
HAGEN
ET
AL.
(2008)
To
gain
employee
involvement
to
data
protection
and
to
improve
their
security
awareness
on
a
continual
basis
is
considered
as
most
challenging.
Security
awareness
requires
resources,
engagement
from
top-‐management
and
maintenance.
If
the
staircase
is
implemented
as
suggested
by
the
adjusted
staircase,
a
security
awareness
strategy
must
be
formulated
in
order
to
launch
a
successful
campaign.
70
6. Conclusion
In conclusion, the research explored how DHAs should respond to the GDPR. The results of the research are threefold. First, a list of required controls is identified by means of a literature review. The list contains a comprehensive set of controls on the three domains (people, process, technology) that must be addressed to achieve compliance. Second, the status of control implementations, the challenges and the motives from the field of the Dutch housing association industry are identified by conducting case study research. The overall control implementation status is at the initial phase, and substantial progress has to be made for GDPR compliance. The DHAs have moved away from their traditional technology- and process-driven organizations. However, the people-focused controls are still immature. The main challenge comes with the implementation of those people-focused controls that enable improving the security awareness of employees. Nevertheless, the DHAs have demonstrated their willingness to invest in the control implementation to become GDPR compliant. They are motivated by their moral responsibility. However, the perceived lack of supervisory authority enforcement and the ambiguity of the legislative texts might undermine the data protection control implementation. Finally, the research has contributed to the extension of the information security staircase of Merete Hagen et al. (2008) by emphasizing the importance of the human aspect of the organization regarding the protection of personal data and information security. The original staircase of Merete Hagen et al. (2008) was developed to challenge the mechanical approach to information security. However, the foundation of the original staircase consists of technology-based controls, still being rather mechanical. Therefore, an adjusted staircase has been proposed, with people-focused controls as the foundation on which the technology- and process-based controls are built.
6.1 Academic value
The research adds value to both schools of the data protection and privacy discipline. However, the main contribution is made to the second school. The principles and open norms of the Regulation are interpreted, in comparison with the Wbp, to identify the data protection controls addressing the obligations. The interpretation has resulted in the identification of a comprehensive list of controls addressing the three control domains. Both the comparison between the Wbp and the GDPR and the control list might be useful for future research.

The research also contributes to the first school. The first school attempts to judge the GDPR on its effectiveness. In order to do so, it depends on the practical research from the second school. The first school is only able to assess the effectiveness by comparing the GDPR control implementation of organizations against the number of data breaches and the perceived privacy of individuals. The body of research evidence regarding the control implementation of organizations, produced by the second school, is therefore essential. This research contributes to the creation of that evidence.

Furthermore, the research adds value to the academic domain by extending the theory of Merete Hagen et al. (2008). The staircase of information security has been adjusted, based on the case study findings, to emphasize more strongly the importance of the human element regarding information security and data protection, and to move away from the mechanical approach to information security. The adjusted staircase replaces the technology-based control foundation of the original staircase with a people-focused control foundation, which has been assessed as the most effective control domain.

At first, the research focuses on the Dutch housing association industry. Most results and conclusions from the research only apply to that industry. However, the outcomes, or parts of them, can be of value for other organizations implementing data protection controls. Eventually, all organizations established in the EU have to comply with the GDPR. The three control domains require investments to protect personal data properly, being present and relevant for almost all organizations. In particular, the people-focused controls are advised to act as the foundation of data protection.

A second practical recommendation addresses the application of the proposed adjusted staircase for organizations to implement information security and data protection controls. If organizations decide to adopt the adjusted staircase, this will still demand substantial resources. One might suggest that there are no differences between the original and the adjusted staircase regarding resource demand: where before the resources were invested in catch-up efforts to brush up the security awareness of employees, these resource investments are now moved forward. This may be true. However, the learning curve of employees during the control implementation projects might lower the need for security awareness actions over time, which saves resources in the end. Nonetheless, to implement people-focused controls as suggested by the adjusted staircase, a security awareness strategy is needed to launch a successful campaign, where change management practices might be helpful. Furthermore, to give shape to the process-based controls, the implementation of an ISMS based on the ISO 27k standards might be helpful. The literature review has demonstrated that the controls of the standard contribute to a substantial number of GDPR obligations. To implement technology-based controls, the formulation of a data protection by design and by default strategy is recommended as a starting point, also for requirement specification towards suppliers.

A third practical recommendation addresses the IT audit discipline. The data protection controls are retrieved from the ISO 27k standards. Although the framework provides a comprehensive set of controls that contribute to data protection, it does not address the three control domains sufficiently. People-focused controls are mentioned too briefly. When audits on data protection and GDPR compliance are conducted, the certifiable ISO 27001 works well for assessing the technology- and process-based controls. For the assessment of the people-focused controls, additional actions must be undertaken. These actions might involve social engineering, such as phishing mails, phone calls or a company visit to get unauthorized access to someone's personal data. Assessing the security awareness and desirable behavior by testing employees in their own entrusted environment can be a powerful tool.

A fourth practical recommendation applies to the internship company VVA-informatisering and other consultancy firms. The case study demonstrated the demand for guidance to implement the required controls, mainly the people-focused and process-based controls and less the technology-based controls. VVA-informatisering already helps organizations to formulate information security policies and plans. However, VVA-informatisering might be of value for the DHAs when offering advice regarding the improvement of the security awareness of employees, or guidance regarding the interpretation of the GDPR. Potential services to offer might be a set of security awareness actions, such as social engineering (phishing, or company visits and phone calls by mystery guests), data breach simulation, workshops on improving passwords, or the arrangement of a complete security awareness campaign. VVA-informatisering could also offer a course, including workshops, for DHAs or other organizations to guide them towards GDPR compliance.
6.3 Limitations
The research has several limitations, because of time and resource constraints. A first limitation is that the case study only involved three organizations. Because of this, the findings might not generalize to all other Dutch housing associations or to organizations from other industries. A second limitation arises from the empirical research, which only consists of conducting interviews. The findings are based on the answers provided by the respondents. The topic of data protection and privacy might be perceived as sensitive by the respondent or the organization, so the respondent could feel uncomfortable answering freely. Although triangulation was applied by conducting interviews with different people from the same organization, the subjectivity and knowledge of the respondents could have resulted in incomplete, overstated or understated answers regarding certain topics. Finally, this research was conducted by one researcher. His interpretation may be subjective, and findings may differ when the research is done by other researchers.
6.4 Directions for future research
This research mainly contributes to the second school of the data protection and privacy discipline. The assumption is made that correct implementation of the GDPR controls will automatically result in the protection of the personal data of individuals. To address the first school, the effectiveness of the GDPR could be assessed based on the list of required technology-based, process-based and people-focused controls. The following research questions might be asked: does the implementation of GDPR controls result in better protection of the personal data of individuals? Or, in a broader sense: does the GDPR actually achieve its objective to protect the personal data of individuals and their privacy? Are there shortcomings, or does it go way beyond its objectives? Future research might also involve testing the proposed adjusted staircase of information security on its effectiveness or feasibility on a larger sample, possibly in comparative research. Another direction for future research is to apply this research's case study to a larger sample to validate the effectiveness and to overcome shortcomings, also in relation to the adjusted staircase. In addition, organizations that have not yet formulated an information security policy could be researched. Furthermore, the research could be conducted in other industries to find out how organizations respond to the GDPR, which might be used for comparative research.
7. Bibliography

Law and Security Review.

De Hert, P., & Papakonstantinou, V. (2016). The new General Data Protection Regulation: Still a sound system for the protection of individuals? Computer Law and Security Review, 32(2), 179–194.

Dhillon, G., & Backhouse, J. (2001). Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal, 11(2), 127–153.

European Commission. (2010). A comprehensive approach on personal data protection in the European Union. Communication. Retrieved from http://ec.europa.eu/health/data_collection/docs/com_2010_0609_en.pdf on 20 April 2017.

General Data Protection Regulation 2016. (2016, 27 April). Consulted on 21 March 2017, from http://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32016R0679

Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125.

Herriott, R. E., & Firestone, W. A. (1983). Multisite qualitative policy research: Optimizing description and generalizability. Educational Researcher, 12(2), 14–19.

ISO/IEC. (2013). ISO/IEC 27001:2013 Information technology. Security techniques. Specification for an Information Security Management System. Geneva, Switzerland: ISO/IEC.

ISO/IEC. (2013). ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security management - essentially a detailed catalog of information security controls that might be managed through the ISMS. Geneva, Switzerland: ISO/IEC.

ISO/IEC. (2014). ISO/IEC 27018:2014 Information technology. Security techniques. Code of practice for protection of PII in public clouds acting as PII processors. Geneva, Switzerland: ISO/IEC.

King, J. L., & Schrems, E. L. (1978). Cost-benefit analysis in information systems development and operation. ACM Computing Surveys (CSUR), 10(1), 19–34.

Koops, B.-J. (2014). The trouble with European data protection law. International Data Privacy Law, 4(4), 250–261.

Koops, B.-J., & Leenes, R. (2014). Privacy regulation cannot be hardcoded. A critical comment on the "privacy by design" provision in data-protection law. International Review of Law, Computers & Technology, 28(2), 159–171.

Lyons, D. (1999). Open Texture and the Possibility of Legal Interpretation. Law and Philosophy, 18(3), 297.

Merete Hagen, J., Albrechtsen, E., & Hovden, J. (2008). Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 16(4), 377–397.

PwC Netherlands. (2017, January). Privacy Governance onderzoek: Volwassenheid van privacybeheersing binnen Nederlandse organisaties. Consulted on 10 March 2017, from https://www.pwc.nl/nl/assets/documents/pwc-privacy-governance-onderzoek-2017.pdf

Schermer, B. W., Custers, B., & van der Hof, S. (2014). The crisis of consent: How stronger legal protection may lead to weaker consent in data protection. Ethics and Information Technology, 16(2), 171–182.

Sundt, C. (2006). Information security and the law. Information Security Technical Report, 11(1), 2–9.

Tallberg, J. (2002). Paths to compliance: Enforcement, management, and the European Union. International Organization, 56(3), 609–643.

Veenstra, J., Allers, M. A., & Koolma, H. M. (2013). Grote verschillen in doelmatigheid woningcorporaties. Economisch Statistische Berichten, 98(4668), 4.

Vroom, C., & Von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23(3), 191–198.

Wet bescherming persoonsgegevens 2000. (2000, 6 July). Consulted on 21 March 2017, from http://wetten.overheid.nl/BWBR0011468/2017-07-01

Yin, R. K. (2009). Case study research: Design and methods. Sage Publications.

7.1 List of figures and tables
Appendix 1: NEN-ISO/IEC 27002 sections

Section: Contents

Introduction: This protocol is used to guide the case study investigator through data collection and analysis. The protocol is a standardized agenda and contributes to the reliability of the research.

General: An exploratory case study consisting of three DHAs is used by the research.

Procedures: The sample consists of three cases; selection has been based on size. The sample is selected as representative for the industry, being the unit of analysis. The Regulation's provisions are applicable to all organizations active within the EU. Therefore, a sample that involves small, medium and large housing associations is selected for collecting evidence, which contributes to more robust results. Different organizational roles are interviewed: privacy officer, information manager and/or controller. The case protocol is applied to all cases to make the interviews and findings uniform.

Data analysis guidelines: Triangulation is applied by involving different roles from the same organization. Data analysis is executed by a cross-case analysis and a comparison between legislations, theory and findings to look for patterns. Sources of data are scientific literature, DHA industry references and interview data.

The semi-structured interview consists of open-ended questions. The supplementary 'how questions' after each question are not formulated. The open questions are asked in such a way that the interviewee is stimulated to answer the question himself, without the investigator giving away too many details. Several questions contain checklists, which help the investigator to address all relevant topics and to guide the answers if necessary.
0 Introduction
• What is your role in data protection and information security?
• What is your opinion about the GDPR introduction?
• Does the organization make demands regarding certification to suppliers?
• What special categories of personal data are processed?
• What are the organization's high-risk information sources?

A People-based controls
1. Did the organization appoint a DPO? Is he approved by the authority? (A1)
2. To what extent is data protection a topic of interest for top management? (A2)
3. To what extent is data protection a topic of interest for employees? (A3)
4. To what extent are employees ready for the GDPR? (A4)
5. How does the organization undertake actions to improve/maintain employee compliance behavior? (A5)
   • Education (why)
   • Skills trainings (how)
   • Organization security climate (activities, promotion)
   • Incentives or disincentives
6. Are resources (online trainings, policies, procedures, promoting and supporting mechanisms) available and easily accessible to employees? (A6)
7. What are the challenges for the organization to increase awareness? (A7)
8. What are the motives for the control implementation? (A8)
   If implementation lacks:
   • Unawareness/ignorance
   • Cost/benefit/risk analysis
   • Authority enforcement/tolerance

B Process-based controls
9. How does the organization weigh risks for, and interests of, tenants and the organization regarding personal data processing? (B1)
10. Does the organization conduct data protection impact assessments (DPIA)? Why or why not? (B2)
11. How does the organization address the GDPR principles? (B3)
   • Purpose limitation
   • Data minimization
   • Retention limitation
12. To what extent has the organization formulated information security policies, procedures and guidelines? (B4)
   • Information security policy and plan
   • Data breach procedure and guidance (when/what/how to report?)
   • Personal data access request process and procedures
   • Test procedures for security controls
   • Data archiving and destruction procedures
   • Data retention policies
   • Authorization and access policies and lists
   • Incident response plan
   • Business continuity and data recovery plan
13. How does the organization inform tenants about the data processing activities? (B5)
   • Privacy statement
   • Direct notification
   • Consent mechanisms (affirmative act)
14. How does the organization demonstrate compliance to the supervisory authority? (B6)
   • Maintain data processing records
   • Maintain data breach records
   • Report data breaches (also to the data subject)
   • Conclude contracts with data processors including the newly stipulated terms
   • External audits
15. What are the challenges for the organization to implement the process-based controls? (B7)
16. What are the motives for control implementations? (B8)
   If implementation lacks:
   • Unawareness/ignorance
   • Interpretation of open norms / ambiguity
   • Cost/benefit/risk analysis
   • Authority enforcement/tolerance

C Technical-based controls
17. To what extent has the organization formulated privacy by design and by default strategies and patterns? (C1)
18. To what extent are technical measures implemented? (C2)
   • Pseudonymization / anonymization
   • Archiving data
   • Measures to block or erase data systematically
   • Access/authorization blocks
   • Separation of data
   • Record including all relevant information about the processing
   • Cloud storage or DMS (instead of local storage and e-mail exchange)
   • Store data in a structured, machine-readable format
   • Regularly testing, assessing and evaluating controls
   • Internal audit
19. How does the organization determine the appropriateness of controls? (C3)
20. What are the challenges for the organization to implement the technology-based controls? (C4)
21. What are the motives for control implementations? (C5)
   If implementation lacks:
   • Unawareness/ignorance
   • Interpretation of open norms / ambiguity
   • Cost/benefit/risk analysis
   • Authority enforcement/tolerance
07-07-2017: Frans van der Ploeg, Woongoed Middelburg, Middelburg (information manager)
20-07-2017: Albert van Heugten, Wonen Zuid, Roermond (information manager)
20-07-2017: Ruud van der Borgh, Wonen Zuid, Roermond (controller)

• Permission to voice-record the interviews was given by all respondents.
• Anonymization of the interview data was not required.
Woongoed Middelburg: Frans van der Ploeg
Code / Question / Answer / Outcome

A. People-based controls

A1 DPO
Answer: No DPO appointed according to the GDPR. However, we have tried to assign the DPO tasks to different roles in our organization, since we are all responsible and have our accountability. We as Woongoed always assure that we are able to explain and clarify our legislative interpretations and decisions, such as control implementations. As long as we can explain what, why and how we took measures, the authority will be more tolerant, we believe.
Outcome: X

A2 Management interest
Answer: Managers are responsible for their process. These responsibilities force managers to take data protection seriously. Managers are concerned with what is allowed and what is not. We always discuss with all managers what actions are being undertaken and why. Also, actions are approved by and reported to the board.
Outcome: V

A3 Employee interest
Answer: There is. The employees pay more and more attention to data protection and are asking what is permitted and what not. They have discussions with each other and ask me (information manager) whether their behavior is compliant.
Outcome: V

A4 Employee readiness
Answer: Not ready yet. However, we try to make our employees alert in an attractive manner and step by step. I think we made serious progress.
Outcome: X

A5 Security awareness actions
• Education: I believe in learning through experience. Employees are not interested in legal texts. That is why we organize phishing mails and interactive sessions to increase awareness. Outcome: V
• Trainings: The phishing mail was a big success. Outcome: V
• Security climate: We try to keep up the awareness and desired behavior. This is achieved by sharing experiences, and lately employees became active in detecting data breaches or unjust requests for personal data from other parties. Outcome: !
• Incentives and disincentives: Outcome: X

A6 Sources availability
Answer: Yes, central storage of data protection tooling, such as what the categories of data are (normal, special, sensitive) and whether we are allowed to process them. Also, employees can come to me for support or other issues related to data protection.
Outcome: V

A7 Implementation challenges
Answer: To keep all employees alert and aware.

A8 Rationale of investment
Answer: Over the last years people have realized that a housing association is a company that is based on IT, which has some weak spots. Woongoed does not want to have bad publicity. The GDPR is a trigger for us to really invest in data protection, organization-wide and not technically. Our organization is transforming its IT landscape. Therefore, we try to implement controls step by step without confusing employees' daily tasks. Otherwise it is too much at the same time.
B. Process-based controls

B1 Weighing risks
Answer: In the past, we had the belief to collect as much data as we could, since it could be useful once. Now we've started to ask ourselves what we really need. Only collect, store and process what we really need. All data we do not need and still collect brings unwanted risks and even requires storage space. We save money by not collecting more data than needed.
Outcome: V

B2 DPIA
Answer: We do not conduct DPIAs. We are not ready for a DPIA, since we are still drawing up our data processing register including all partners we share data with. It is hardly possible to conduct a DPIA for all data sources and combinations of data that could be leaked. Therefore, we will conduct a DPIA when we are confronted with data breach(es).
Outcome: X

B3 Principles
Answer: We pay attention to all of them.
• Purpose limitation: We always define the legal ground and purpose of the processing.
• Data minimization: We minimize data by collecting the least possible.
• Retention limitation: Where possible, we retain our data for a limited time.

B4 Policies, procedures, guidelines
Answer: If you plan everything and formulate procedures for all processes, possible incidents etcetera, you have to update the documents regularly. Woongoed does not believe in documenting everything. Keep it simple, have clear responsibilities and always respond based on common sense and in consultation with colleagues.
• Infosecurity policy and plan: We have both. Outcome: V
• Data breach procedure: Work process and procedure for data breaches, also an incident team based on responsibilities. Outcome: V
• Request process: Not yet. Outcome: X
• Test procedures: We do not have test procedures or protocols on how to test our systems. However, we do tests only in practice, based on common sense. Outcome: X
• Archiving and destruction: We made arrangements on what we collect, in what digital folders, for how long and when to erase. Outcome: !
• Data retention policies: No policy; however, we apply the Awr legislation for our data retention. Outcome: !
• Authorization and access lists: Yes. Employees are related to roles. Roles are related to an authorization level. Also we use personal tags for building access. Outcome: V
• Incident response plan: No, we trust our IT partners to have incident response plans if systems are down. Outcome: X
• BC&DR: We have outsourced this to our network partner. They make back-ups on different levels. Outcome: X

B5 Information provision
• Privacy statement: We do not have one. Outcome: X
• Direct notification: No, we only have direct contact if there would be a data breach that must be communicated. Outcome: X
• Consent: We include our processing activities in the agreements with tenants. Therefore, they are consenting. Outcome: !

B6 Compliance
• Register of processing: Drawing up the register. Outcome: !
• Register of data breaches: We record our data breaches in a register. Outcome: V
• Report data breaches: 1 data breach notified to the authority. Outcome: V
• Contracts with processors: Working on it. Not all conform with the GDPR. Outcome: !
• External audits: Not yet. This can wait until we have implemented all controls. Outcome: X

B7 Implementation challenges
Answer: It takes a lot of time. Data protection will always be a side issue that exists next to the daily jobs of employees, since it is not core business.

B8 Rationale of investment
Answer: Costs/benefit/risk analysis: if it takes too much time to implement controls, and when it can be done differently than the GDPR prescribes, we may decide not to be fully compliant.
C. Technical-based controls

C1 Privacy by design strategy
Answer: No, we do not have one. Privacy by design/default is a source of conflict for our organization. We have always based our organization on trust. All employees have been allowed to consult all personal data of tenants for optimal customer service. Each employee must sign a confidentiality agreement, and we believe that they are professionals. We place a high value on customer service and trust. Therefore, we did not have privacy by design/default strategies and patterns. However, we always take privacy and data protection into account regarding our processes. Always ask the question: do we need this data? In practice we apply privacy by design and by default, but there are no strategies formulated.
Outcome: X

C2 Technical measures
• Ano/Pseudonymization: None of them. What is the added value? When a tenant has a complaint, all employees must be able to help them. Therefore we do not pseudonymize data. Only for statistical research do we anonymize data. Outcome: X
• Archiving data: We start working with a new archiving system soon. Outcome: !
• Block/erase data systematically: Yes we do. Also employee data erasure takes place within 2 days after deemployment. Some fields are blocked for edit or erasure. Also some data sets are assigned to authorization levels and are therefore blocked. Outcome: V
• Access control: Outcome: V
• Authorizations: Outcome: V
• Separation of data: Personal data is stored in 1 database. Outcome: X
• Register of processing activities: Working on it. Outcome: !
• Cloud storage: No cloud, only server. Outcome: !
• Data stored in structured format: No. Outcome: X
• Regularly testing/evaluating controls: No, not yet. Outcome: X
• Internal audits: No, will start doing that after completing implementation. Outcome: X

C3 Appropriateness of measures
Outcome: V

C4 Implementation challenges
Answer: To limit the technical controls to what really is necessary. You can invest in very high technical security measures at big costs. Also, if employees cannot work with the system or the security levels are an obstacle, the controls will have counterproductive effects. Technology should be supportive.

C5 Rationale of investment
Answer: Try to find the solution on the people and organisational side first and then move to technology.
management for implementing the controls adequately
We
feel
the
urgency
to
comply
with
the
law.
The
moral
responsbility
is
our
main
driver.
Furthermore,
many
decisions
regarding
data
protection
still
have
to
been
made.
The
decision-‐making
of
the
control
implementation
lies
with
the
middle-‐management.
The
approval
of
plans,
procedures
and
policies
lies
with
the
top-‐management.
We
assume
that
the
authority
will
be
satisfied
and
tolerant
when
the
organization
is
able
to
demonstrate
progress
in
becoming
compliant,
such
as
procedures,
assigned
responsibilities
and
other
controls
and
being
transarent
about
A8
Rationale
of
investment
processing
activities.
B. Process-based controls
B1 Weighing risks: [!] First the organization will classify the data in our processes. Based on the classification we will identify the risks for individuals and the organization.
B2 DPIA: [X] Not yet. This will be a logical follow-up to our data classification process for evaluating. However, not ready for.
B3 Principles: In progress
  Purpose limitation: Limiting the collecting of data we do not need for a certain process and make sure to know for each piece of data why we need it. Our data classification will assist to this.
  Data minimalization: Minimize the data to the least form possible.
  Retention limitation: We have to start to clean up our history of personal data that has expired the retention.
B4 Policies, procedures, guidelines:
  Infosecurity policy and plan: [V]
  Data breach procedure: [!] Waiting for approval board
  Request process: [X]
  Test procedures: [V] Only for information management system
  Archiving and destruction: [!] Only for information management system
  Data retention policies: [!]
  Authorization and access lists: [V] Both physical and logical
  Incident response plan: [V] Data breach procedure
  BC&DR: [V]
B5 Information provision:
  Privacy statement: [!] Drawing-up a new one conform the AVG
  Direct notification: [X]
  Consent: [X]
B6 Compliance:
  Register of processing: [!] Started with the data classification
  Register of data breaches: [V]
  Report data breaches: [V] One data breach. Although not required, the organization has notified the authority and detector.
  Contracts with processors: [X] Not yet
  External audits: [X]
B7 Implementation challenges: A lot of work and time.
B8 Rationale of investment: The GDPR does not provide clear guidelines, sometimes too abstract.
C. Technical-based controls
C1 Privacy by design strategy: Not yet. The organization has started conversations with our ERP and DMS supplier to upgrade the systems in order to meet the data protection requirements.
C2 Technical measures:
  Ano/Pseudonymization: [!] New requirements for systems
  Archiving data: [!] New requirements for systems (ERP)
  Block/erase data systematically: [!] We are looking for a solution to block bsn-numbers. Also systematic destruction of data will be a new requirement for the system
  Access control: [V] More strict access controls planned. 2control-tool to control and evaluate authorizations
  Authorizations: [V] Clear authorizations both technical and logical (VPN from home)
  Separation of data: [X] No, ERP system has only 1 database.
  Register of processing activities: [X] Not yet, after we have classified our data and listed processors.
  Cloud storage: [!] Server storage, discourage local storage
  Data store in structured format: [V] PDF formats
  Regularly testing/evaluating controls: [!] Not under discussion yet. Only for our information security, not data protection in specific
  Internal audits: [!] Audit plan has been made for our IT processes, not yet data protection in specific
C3 Appropriateness of measures: Appropriate measures are focused on compliance
C4 Implementation challenges: The organization is dependent on suppliers. Whether they supply the systems with the required data protection levels on time is challenging.
C5 Rationale of investment: Our focus now is on the people-based controls. The effectiveness of information security is mainly based on the awareness of people rather than the technical aspect. Wonen Zuid historically invested most in technical controls and we are close to the optimal level.
A2 Management interest: [X] H: Present. However, the drive comes from the middle-layer of the organization and especially our employees. Management should express their interest more to influence employees. In fact, there is more resistance from management than regular employees. | [!] No more than regular. The awareness team. P: The team consists of members from all organizational disciplines: management, technical, communication, juridical, control.
A3 Employee interest: [V] H: There is organization-wide interest, among employees from all different departments. Everyone is very conscious and we keep each other alert. Employees report suspicious emails directly, for instance. | [!] Some departments do have interest and are active to adjust their behavior, some have less (such as HR). Which is alarming, since they process personal data of all employees.
A4 Employee readiness: [X] Not yet, however there is willingness from a major part of the employees to adjust their behavior and become compliant before 25 May. | [X] Not ready. H: Only for the current Wbp, not for the GDPR.
A5 Security awareness actions:
  Education: [V] Roadshows for all employees, using videos. Regularly communicating about why actions are undertaken, such as communicating the importance of the confidentiality agreement. | [V] H: A 45 minute introduced presentation (roadshow) and a speaker
  Trainings: [V] Phishingmail to test employees and train them how to recognize | [V] H: Phishingmail and how to recognize them.
  Security climate: [V] H: Awareness-team and we created an organization-wide security climate or atmosphere that encourages employees to keep the awareness in their mind. | [V] Awareness-team for actions, promoting and notification (breaches or losses)
  Incentives and disincentives: [V] Incentive for employees that notify losses or potential breaches (encouraging) | [V] H: Incentive for employees that notify potential data breaches.
A6 Sources availability: [V] Good availability of the sources. However, people must have self-interest. Nevertheless, the association does offer enough sources to improve interest and behavior | [V] H: Yes, the sources are available to everyone and the information is stored in a special map, including a FAQ&A.
A7 Implementation challenges: How to execute actions to enforce desired behavior. How to trigger each department (different interests) to improve awareness. | H: To keep everyone 'aware' and to avoid easing of employees regarding their compliance behavior.
A8 Rationale of investment: Tolerance of authority. Some controls not implemented yet, because the organization believes that the authority does not pay attention too much on the lack of these controls. Benefits/cost/risk-analysis. High fee (investment) for security awareness speaker. Effectiveness is difficult to measure, which has been a risk. | H: Our focus so far has been on the human perspective. AlleeWonen realizes that we have to comply and to improve our data protection and that the adjustment of our employees' behavior has our priority.
B. Process-based controls
B1 Weighing risks: [V] P: With everything we do, we comply with the legislative frameworks. We make considerations about what is the justification for collecting and processing personal data? H: We try to find the balance between our organizational certainties and the data protection legislation. How do we keep it workable according to the law? | [V] We want no bad publicity. The organization pays much attention to this. For each processing activity it has been evaluated what data is needed and for what goal and how long do we need this? The black list we use is not approved by the authority. However, we still use the list. We will use it as long as complaints fail to happen.
B2 DPIA: [!] Not yet, we want to do it when we have implemented more or less all (basic) controls, to evaluate our processing activities and controls. | [X] Not yet according to the GDPR. We do our assessment regarding data protection, governance and audits
B3 Principles: We did not adopt the principles so far. Only for the BSN we try to minimize and apply the purpose limitation. Other data is not subject to each of the principles yet. | Pay attention to all of them
  Purpose limitation: For BSN we are aware that we no longer have a legal ground to collect them. | For each data we decide if we really need it and for what purpose
  Data minimalization: We have planned a clean-up of our e-content system to get rid of all BSN's and other data we no longer need or of which the retention period has expired. | No longer collection of data that is convenient to have in place. We try not to copy, however many copies are sent by mail and stored on different places.
  Retention limitation: Difficult, since we store data on different places. How to make sure data is deleted, after expiring, everywhere it is stored? | Technically not achievable yet, also planned but not yet done.
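The retention and minimalization remarks above name the goal (expired records gone from every store they were copied into, BSNs no longer readable where no purpose justifies them) but not a mechanism. The following is an added example, not code from the thesis or from the associations interviewed: a retention sweep in Python over constructed sample stores. The store names, record fields, purpose labels, sample numbers and the HMAC key are assumptions made for the example; nothing here is taken from the case organizations' systems.

```python
"""Retention sweep over several data stores (added example, constructed data).

Two controls from the interviews are modelled:
  * retention limitation: a record whose retention period has expired is
    removed from every store that holds a copy;
  * data minimalization / purpose limitation: a BSN kept for a purpose that
    no longer justifies it is replaced by a keyed pseudonym.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Record:
    record_id: str          # stable id shared by every copy of the record
    bsn: Optional[str]      # raw citizen service number, a pseudonym, or None
    collected_on: date
    retention_days: int
    purpose: str            # hypothetical purpose label, e.g. "tenancy"


def is_expired(rec: Record, today: date) -> bool:
    """True when the retention period ended before today."""
    return today > rec.collected_on + timedelta(days=rec.retention_days)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256, truncated). The same BSN maps to
    the same token, so copies stay linkable, but the number itself cannot be
    recovered without the key."""
    return "pseudo:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sweep(stores: Dict[str, List[Record]], today: date,
          bsn_purposes: Set[str], key: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Apply both controls to every store in place and return a report:
    report[store]["deleted"]: ids removed because retention expired;
    report[store]["blocked"]: ids whose raw BSN was replaced by a pseudonym."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for name, records in stores.items():
        deleted, blocked, kept = [], [], []
        for rec in records:
            if is_expired(rec, today):
                deleted.append(rec.record_id)   # drop this copy entirely
                continue
            if rec.bsn and not rec.bsn.startswith("pseudo:") \
                    and rec.purpose not in bsn_purposes:
                rec = replace(rec, bsn=pseudonymize(rec.bsn, key))
                blocked.append(rec.record_id)
            kept.append(rec)
        records[:] = kept                        # mutate the store in place
        report[name] = {"deleted": deleted, "blocked": blocked}
    return report


def raw_bsn_ids(stores: Dict[str, List[Record]]) -> Set[str]:
    """Ids that still carry a readable BSN in any store (audit check)."""
    return {r.record_id for recs in stores.values() for r in recs
            if r.bsn and not r.bsn.startswith("pseudo:")}


def leftover_expired(stores: Dict[str, List[Record]], today: date) -> Set[str]:
    """Ids of expired records still present anywhere; empty after a sweep."""
    return {r.record_id for recs in stores.values() for r in recs
            if is_expired(r, today)}


def sample_stores() -> Dict[str, List[Record]]:
    """Constructed sample: ERP, DMS and a mail archive holding copies.
    The BSN values are made-up sample numbers, not real persons."""
    seven_years = 7 * 365
    r1 = Record("T-001", "111222333", date(2010, 1, 15), seven_years, "tenancy")
    r2 = Record("T-002", "123456782", date(2017, 3, 1), seven_years, "tenancy")
    r3 = Record("M-003", "123456782", date(2018, 1, 10), 365, "newsletter")
    r4 = Record("M-004", None, date(2018, 2, 1), 365, "newsletter")
    return {"erp": [r1, r2], "dms": [r1, r3, r4], "mail_archive": [r1, r3]}


if __name__ == "__main__":
    stores = sample_stores()
    today = date(2018, 5, 25)
    print(sweep(stores, today, {"tenancy"}, b"example-key-not-for-production"))
    print("raw BSN left in:", raw_bsn_ids(stores))
    print("expired left:", leftover_expired(stores, today))
```

The sweep deliberately treats the record id, not the store, as the unit of work: the same expired record is deleted from the ERP, the DMS and the mail archive in one pass, which is the "everywhere it is stored" problem the respondent raises, and the two audit helpers give a checkable answer afterwards instead of relying on the sweep having run.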
B4 Policies, procedures, guidelines:
  Infosecurity policy and plan: [V] Dates from 2016, we are working on it to execute all planned actions. | [V] However we have set the bar high.
  Data breach procedure: [V] | [V]
  Request process: [X] | [X] No work process for the KCC-employees
  Test procedures: [!] | [!] Fragmented.
  Archiving and destruction: [!] Needs improvement | [!] We are on it now.
  Data retention policies: [!] We have a policy regarding our DMS system, but what is stored locally or on the servers is not mapped. | [!] Needs improvement
  Authorization and access lists: [V] On all systems. This is done well. We evaluate the need for authorization of each role/function and narrow down the accessibility if necessary | [V]
  Incident response plan: [V] We put some effort in these ones, including data breach response plans. | [!] Needs improvement
  BC&DR: [V] This is included in our partners and our sourcing party | [V]
  Camera protocol: [V]
  Recording protocol for customer service employees: [V]
B5 Information provision:
  Privacy statement: [!] Not yet, in progress | [!]
  Direct notification: [X] | [X]
  Consent: [X] Yes, for internal purposes. Planned for tenants when updating their own web portal account, not sure yet how to implement this due to the diversity. For each action/adjustment consenting? | [X]
B6 Compliance:
  Register of processing: [V] Developed to identify all processors and data processed | [V]
  Register of data breaches: [!] No suitable software for developing such registers. Therefore not yet implemented | [!]
  Report data breaches: No notifiable data breaches so far. Internal analysis reporting | All done and AVG-proof.
  Contracts with processors: [V] All processors receive the new contracts for signing soon. If contracts are rejected, the partner/supplier's director has to sign for the fact that there is no contract in place. | [V]
  External audits: [X] Not yet, we wait for implementation, jurisprudence and our DPIA | [X]
B7 Implementation challenges: Measures to block data automatically. To standardize all processes and procedures organization-wide | It is a lot of work.
B8 Rationale of investment: There is awareness and a clear foundation for investing in our data protection. Feeling the urgency to comply based on the GDPR and ethics. We decide ourselves what is appropriate to implement, also based on tolerance of the authority | There is a necessity to comply with the GDPR. We do not want to have a damaged reputation. There has not been any discussion or a lack of focus on the requirements for our organization.
C. Technical-based controls
C1 Privacy by design strategy: Not yet formulated. We know that we must standardize this. | No strategies or patterns formulated
C2 Technical measures:
  Ano/Pseudonymization: [X] Not yet and not planned. We wait for our suppliers to take countermeasures and we follow this | [X] Should be better
  Archiving data: [V] New system for archiving | [!] New system, working on it
  Block/erase data systematically: [V] Only manually. Yes, some data is blocked to change or fill-in | [V] Some data is blocked to change or fill-in
  Access control: [V] Physical control not sufficient, since anyone can enter and walk through the building. The receptionists are not competent | [V]
  Authorizations: [V] Very strong new authorizations for data access. Which may be annoying for employees if unattainable data is required to fulfil tasks. We've decided to start with a strict authorization level and after evaluating we can decide to loosen up the authorizations. We think it is best to start with a strict level and to lower the severity over time, instead of the other way around. | Could not answer the question
  Separation of data: Could not answer the question | [X]
  Register of processing activities: [V] | [V]
  Cloud storage: [X] Not in the cloud, only on premise. In fact is everything cloud or local since it is on a server | [V] Use of SharePoint
  Data store in structured format: [V] Not done, however it is simple. No export available | [V]
  Regularly testing/evaluating controls: [V] Authorization yes, internal audits not active enough. After implementing the set of controls, we will plan tests and evaluations as well as internal audits | [!]
  Internal audits: [X] Not yet, will be done more often later on after implementing controls | [X] Not yet, will be done more often later on after implementing controls
C3 Appropriateness of measures: Always take care of the GDPR principles before any activity of data processing takes place is our way to implement appropriate measures. Minimalizing your risks, so less data, less storage and clear purposes, and align controls to this. | Contextual and situational. First we determine what is required at the moment and then we make a decision to implement controls.
C4 Implementation challenges: To find the manpower and time to execute actions and implement controls. Also a lack of urgency, since as long as we do not comply nothing happens (until the authority starts investigating). How to share documents safely? To have all the technology in place that suits the GDPR requirements, for instance a register for data breach records | However, the instruments are available to take all countermeasures that are required. The main challenge is to prevent human flaws.
C5 Rationale of investment: This is interesting, since each implemented technical control subverts the human awareness and increases the laziness. Also, if your employees are malicious and want to do harm to the organization or data subjects they can always find their way to steal organizational information. Major investments in technical controls are not effective on that account. Putting efforts on increasing awareness and compliance behavior among the employees all the more. Also if the technical measures are considered as annoying and the systems take over the responsibilities of employees, this will have a counterproductive effect. | Tolerance of authority. Evaluate the risks and the GDPR requirements as rationale of decisions. Also benefits/costs/risks: is it necessary to implement it at this moment or can it be done later? Such as data breach insurance. What are the benefits compared to the costs? Do we really need it, how big is the risk? Decided not to take such insurances, because we think it is not necessary at this moment compared to the costs. Also the interpretation of the norms. The legislation is still changing, therefore we wait-and-see. We look to the GDPR as the guidelines and we implement our controls as good as we can.