Compliance tools

The Dutch DPA promotes self-regulation from organisations that process personal data. The protection of personal data is a responsibility of all organisations which handle personal data. Within this scope, the Dutch Data Protection Authority developed a number of audit products in a joint venture with umbrella organisations of auditors and market parties (audit and consultancy organisations). These are:

  1. Quickscan
  2. Wbp Zelfevaluatie (Data Protection Act Self-evaluation)
  3. Raamwerk Privacy Audit (Privacy Audit Framework)

Using these audit products, organisations can verify the position of the protection of personal data in their organisation. The products - in particular the Data Protection Act Self-evaluation - can also be used in the transition from the WPR to the Wbp.

pdf documentDownload Privacy Audit Framework (150 KB)

Quickscan
The Quickscan is a list with 13 questions regarding privacy protection in the organisation. The questionnaire is chiefly intended to create awareness about privacy protection within an organisation. The results of the Quickscan only give an overall picture of the status of the privacy protection in an organisation. The questionnaire can be completed by every employee in an organisation. The web site contains a detailed explanation to the possible answers for the Quickscan. On the basis of this explanation, the person completing the list can assess what the meaning of the answers given to the questions is and what follow-up actions can be undertaken.

Data Protection Act Self-evaluation
The Data Protection Act Self-evaluation is an instrument for the management of organisations to obtain an opinion about the implementation of and/or compliance with the provisions of the Wbp. The Data Protection Act Self-evaluation should be conducted by officers that are familiar with the Wbp and with the ICT facilities in the organisation. The provisions of the Wbp have been conveniently arranged into nine primary questions. For each primary question, the organisation should determine its ambition level and arrive at a factual assessment. The confrontation of factual assessment and ambition level will then provide an understanding of the status in the domain of protecting personal data within the organisation. The primary questions are supported by dozens of questions that the organisation can use to independently conduct the Data Protection Act Self-evaluation.

If desired, management can decide to have the self-evaluation (independently) reviewed. In this way, the instrument will be more valuable for the organisation. The Data Protection Act Self-evaluation has been set up in accordance with the INK model. The document describes the steps that the organisation can use to effectively and efficiently conduct the Data Protection Act Self-Evaluation.

Privacy Audit Framework
The Privacy Audit Framework has been drawn up so that a privacy audit can be conducted within an organisation by a certified auditor. The Framework also starts from nine clusters of areas of attention. The outcome of a privacy audit will provide the management with a high degree of certainty regarding the status of the protection of the personal data in the organisation. The decision to have a privacy audit conducted should be well considered. Such an audit is rather costly and is only useful if the organisation is ready for this. Early consultation with the company accountant is thus recommended.