EU GENERAL DATA PROTECTION REGULATION COMPLIANCE

CASE STUDY RESEARCH FOCUSED ON DUTCH HOUSING ASSOCIATIONS

Master Thesis Information Management

Rick Swinkels
291281
31 July 2017

EU GENERAL DATA PROTECTION REGULATION COMPLIANCE
a case study focused on Dutch housing associations

Master of Information Management
School of Economics and Management
Tilburg University
Company: VVA-informatisering

Student: R.M.W. Swinkels
ANR: 291281

Master's Thesis
CoC reader: Dr. X. Ou
Dr. J. Hulstijn
Company supervisor: Drs. M.P.L. Videler
Date: 31 July 2017

Management Summary

The introduction of the new legislation to protect the personal data of individuals affects all organizations within the EU, including Dutch housing associations (DHAs). The General Data Protection Regulation (GDPR) will come into effect in less than a year. Organizations must achieve compliance to prevent data breaches and avoid severe sanctions from the supervisory authority. The aim of this research is to determine what is required from organizations to protect personal data in order to achieve compliance, within the context of the Dutch housing association industry.

Based on the literature review, the GDPR is analyzed and compared with the current data protection legislation. The obligations are identified in order to determine the data protection controls required to satisfy them. Appropriate implementation of data protection controls is crucial. Controls must be implemented in the three organizational domains of information security management: people, process and technology.

Three cases are explored using semi-structured interviews. The validity is maximized by involving one to three respondents per case, with different organizational roles. Identical interview questions and an identical method are applied in each case to maximize the external validity. A cross-case analysis and comparisons between theory and findings have helped to find and match patterns.

The results show that DHAs have implemented the required controls insufficiently to achieve compliance. Traditionally, DHAs are technology- and process-driven, and controls in these domains are implemented most. The human element of information security and data protection has been overlooked for a long time, while people-focused controls are considered the most effective. The results, in combination with the theory, are used to redesign the information management staircase of Merete Hagen et al. (2008), which incorporates the three control domains. This model prioritizes the control domains, as it suggests that people-focused controls must be the foundation of information security. With respect to the controls, the implementation challenges and motives of the participating DHAs are identified in order to derive best practices that any organization can use on its road towards compliance.

Preface

This report contains the thesis of my Master in Information Management in Tilburg. I have put my heart and soul into the work and the number of pages fairly represents the time invested into the writing. The process of writing has been a rollercoaster with ups and downs. Nonetheless, the research I conducted over the last months has been more than interesting. The subject of the thesis is more relevant than ever. The news is flooded with items relating to data breaches, ransomware and phishing attacks. To investigate this topic within the unique industry of DHAs and to feel the necessity of responding accordingly to the GDPR has made the journey of doing research more fascinating.

My master thesis supervisor, Dr. Carol Ou, guided me through the process, while challenging me to look at my thesis with a critical eye. Her mentoring skills helped me to keep on track and to take the hardest hurdles. Therefore, I would like to thank her for her time and effort in supervising me in doing my master thesis research.

My internship company, VVA-informatisering, offered me the opportunity to write my master thesis and to explore the field of information security, as this is one of the company's services offered to DHAs. The combination of doing research and working in the field has strongly contributed to gaining knowledge about the subject. The expert knowledge of my company supervisor, Drs. Martijn Videler, helped me to determine the direction and to scope my research. His perspective on the subject and experience within the industry have inspired me. My colleague, Allard Dolron MSc, also contributed significantly to the quality of my research with his expert knowledge concerning data protection legislation. Therefore, I would like to thank Martijn and Allard for guiding me. I want to thank all other colleagues for their willingness to help.

Finally, I want to thank all my interview respondents for their openness and for having discussions with me about a delicate issue.

Without the contribution of all of you, I would not have been able to finish this master thesis.

Rick Swinkels
Tilburg, July 31st, 2017

Table of contents

MANAGEMENT SUMMARY 4
PREFACE 5
1. INTRODUCTION 8
1.1 PROBLEM INDICATION 8
1.2 RESEARCH STATUS 9
1.3 PROBLEM STATEMENT 11
1.4 RESEARCH OBJECTIVES 12
1.5 RESEARCH QUESTION 12
1.6 RESEARCH METHOD 13
1.7 DEMARCATIONS 13
1.8 PRACTICAL AND THEORETICAL RELEVANCE 13
1.9 THESIS STRUCTURE 14
2. LITERATURE STUDY 15
2.1 DUTCH HOUSING ASSOCIATIONS 15
2.2 INFORMATION SECURITY 16
2.2.1 PERSONAL DATA PROTECTION 17
2.2.2 CONTROLS 18
2.2.3 INFORMATION SECURITY AWARENESS CONTROLS 19
2.2.4 ASSESSMENT AND IMPLEMENTATION OF INFORMATION SECURITY CONTROLS 21
2.2.5 INFORMATION SECURITY AND DATA PROTECTION STANDARDS 22
2.2.6 RELATION TO DATA PROTECTION 24
2.3 GDPR PRINCIPLES, OBJECTIVES AND OBLIGATIONS 24
2.3.1 KEY CONCEPT DEFINITIONS 25
2.3.2 DATA PROTECTION PRINCIPLES AND OBJECTIVES 27
2.4 NEW OBLIGATIONS 28
2.4.1 INFORMED CONSENT 29
2.4.2 RECORDS OF PROCESSING ACTIVITIES 29
2.4.3 DATA PROTECTION IMPACT ASSESSMENT (DPIA) 30
2.4.4 DATA PROTECTION BY DESIGN AND BY DEFAULT 30
2.4.5 DATA PROTECTION OFFICER 31
2.4.1 AGREEMENT WITH DATA PROCESSORS 31
2.4.2 EXTRA OBLIGATIONS TO DATA PROCESSORS 32
2.4.3 RIGHTS TO DATA SUBJECTS 32
2.5 DATA PROTECTION CONTROLS 34
2.5.1 PEOPLE-FOCUSED CONTROLS 35
2.5.2 PROCESS-BASED CONTROLS 35
2.5.3 TECHNOLOGY-BASED CONTROLS 38
2.6 MOTIVES FOR CONTROL IMPLEMENTATION 38
2.6.1 ETHICAL REASONING 39
2.6.2 COST-BENEFITS ANALYSIS 39
2.6.3 AUTHORITY ENFORCEMENT 40
2.6.4 INTERPRETATION OF THE LEGISLATIVE TEXTS 40
2.7 LITERATURE REVIEW SUMMARY 40
3. RESEARCH METHOD 42
3.1 METHOD SELECTION 42
3.2 RESEARCH DESIGN 42
3.3 QUALITY OF THE RESEARCH DESIGN 42
3.4 DATA COLLECTION 44
3.5 DATA ANALYSIS 44
4. RESULTS 46
4.1 CASE STUDY FINDINGS 46
4.1.1 CASE 1: WOONGOED MIDDELBURG 46
4.1.2 CASE 2: WONEN ZUID 49
4.1.3 CASE 3: ALLEEWONEN 52
4.2 DATA ANALYSIS 55
4.2.1 CROSS-CASE COMPARISON 55
4.2.2 COMPARISON BETWEEN WBP AND GDPR 59
4.2.3 COMPARISON BETWEEN THEORY AND FINDINGS 60
4.2.4 SUMMARY OF RESULTS 63
5. DISCUSSION 64
6. CONCLUSION 71
6.1 ACADEMIC VALUE 72
6.2 PRACTICAL RECOMMENDATIONS 72
6.3 LIMITATIONS 74
6.4 DIRECTIONS FOR FUTURE RESEARCH 75
7. BIBLIOGRAPHY 76
7.1 LIST OF FIGURES AND TABLES 79
APPENDIX 1: NEN-ISO/IEC 27002 SECTIONS 80
APPENDIX 2: CASE PROTOCOL AND INTERVIEW QUESTIONS 80
APPENDIX 3: INTERVIEW AGENDA 84
APPENDIX 4: INTERVIEW DATA WOONGOED MIDDELBURG 85
APPENDIX 5: INTERVIEW DATA WONEN ZUID 89
APPENDIX 6: INTERVIEW DATA ALLEEWONEN 93

1. Introduction

1.1 Problem indication

Housing associations in the Netherlands will be, like any other sector or industry, confronted with new legislation for privacy and information security. On 15 December 2015, the European Commission, Parliament and Council reached agreement on the new data protection regulation, the General Data Protection Regulation (GDPR). The new regulation replaces the 20-year-old EU Data Protection Directive 95/46/EC as well as its Dutch version. The Directive was introduced in a period in which only one percent of European citizens used the internet and data collection hardly existed. The European Commission believed that the time had come for new and binding data protection legislation.

A directive is a non-binding act that sets out a goal that all EU countries must achieve, whereas a regulation is a binding legislative act. Over the past 20 years, the Member States within the EU have implemented the Directive in different ways, which means that many versions of the Directive have been in place since then. One of these versions is the Dutch Protection Act, also known as Wet Bescherming Persoonsgegevens (Wbp). The Dutch version differs from the Directive, as it is a binding act. The GDPR will apply directly to all 28 EU Member States to unify data protection for individuals within the EU. The Council adopted the GDPR on 8 April 2016 and the regulation will be put into effect on 25 May 2018.

With less than a year left until the implementation date, Dutch organizations still have a long way to go. A recently published article from PwC reported that only 11 percent of the participating organizations are considered to be ready for the new data protection regulation. One of PwC's competitors, BDO, says that the housing association industry in the Netherlands is at risk concerning data protection, resulting in threatening situations for the privacy of tenants. Only a third of the associations' boards of directors have an interest in information security and data or privacy protection, only 24 percent have implemented a security policy and only 17 percent of the organizations have offered internal training to enhance security awareness amongst staff members, which may bring potential privacy, organizational and compliance risks.

The GDPR introduces a substantial number of new rules and severe penalties for non-compliant or data-breaching organizations. In comparison to the Wbp, the new privacy regulation saddles organizations with additional obligations related to the processing of personal data, and fines may rise up to 20 million euro. The major change that comes with the new legislation is not so much the increased number of rules; rather, the Regulation now forces organizations to actually act on the rules in practice. Dutch housing associations, hereinafter referred to as DHAs, must take action in the immediate future for timely compliance. This research study will focus on the current state of compliance of DHAs and their road ahead towards 25 May 2018.

1.2 Research status

Currently, the Regulation is a subject that is vividly debated among academics, researchers, lawyers and auditors. Two schools emerge from the data protection research landscape. The first school represents the juridical perspective. This school attempts to determine the impact of the Regulation in terms of effectiveness: does it protect personal data and does it contribute to better privacy of people? The school is divided into two camps consisting of opponents and proponents. De Hert and Papakonstantinou (2012, 2016) are satisfied with the Regulation. They conclude that the release of the Regulation will protect the personal data of individuals. The choice of the legal instrument, a Regulation instead of a directive, has been well received. Some newly introduced principles are future-oriented, for instance the right to be forgotten and privacy by design, which contribute to EU data protection (De Hert & Papakonstantinou, 2016).

A counterargument comes from Bert-Jaap Koops (2014), who argues that the Regulation will not achieve better data protection, due to an enormous disconnection between the law and reality. The GDPR has three new objectives, coming on top of the original Directive objectives. The GDPR pursues to:
• Give individuals more control over their data
• Simplify the law by eliminating administrative burden and unnecessary costs
• Establish a comprehensive data protection framework

Koops (2014) concludes that the three objectives are based on fallacies. The Regulation will not offer individuals control over their own data, nor does it simplify the law. The increased number of obligations causes problems for organizations to deal with. The increased complexity means more paperwork and higher costs. Moreover, more law does not result in desired behavior and can be contradictory. According to Koops, the Regulation desperately tries to cover all the topics of the Directive plus new principles in one statutory law. Peter Traung (2012) supports Koops' opinion, as he argues that the proposed GDPR will not achieve its objectives. The legislation fails to provide clear rules and simplification. It only adds administrative burden to organizations.

The second school emerges from a mechanical perspective. This school approaches the Regulation as a given fact. Researchers who support this school doubt neither the legislation nor the feasibility of its objectives. These researchers start working with the legislation by interpreting and applying the provisions. They believe that the law will be effective as long as the required controls are implemented adequately. However, the Regulation has open norms and does not provide guidance on how to apply the objectives in practice. The legal interpretation and translation to practice is what is discussed by the researchers of the second school. A legal interpretation is needed when legislation is based on principles and when there is reasonable uncertainty or disagreement about meaning and implementation (Lyons, 1999). This is also known as the open texture of language and law, according to Hart (1961). Rule-based regulation systems prescribe in detail what is obligated and permitted, and are therefore unambiguous (Burgemeestre et al., 2009). However, the Regulation is principle-based, as its norms only point in a certain direction. How principles must be interpreted and applied depends on the context. The first step to adopt the principles is to identify control objectives and control measures as implementation rules (Burgemeestre et al., 2009). This can be achieved by having regulatory conversations, which are interactions that occur between all those involved in the regulatory space (Black, 2002). The regulatory conversations can be considered a process of social negotiation to reach consensus about what counts as acceptable. This process is called norm emergence by Burgemeestre et al. (2009). The Dutch housing trade association Aedes has negotiated with managers, IT specialists, consultants and the Dutch data protection authority, Autoriteit Persoonsgegevens. Based on these conversations, Aedes has attempted to translate the Regulation principles into comprehensible guidelines for the housing association context: de Aedes-handreiking Gegevensbescherming (2016).
Although the schools rely on different approaches, the two are mutually dependent. The first school tends to pass judgment on the Regulation based on the practical knowledge that emerges from the control implementations by the second school. On the other hand, the second school depends on the first school's appeals and the jurisprudential results that may follow. Although both schools hold different perspectives, they are complementary and jointly contribute to an organization's compliance process.

For many industries, and no less for the Dutch housing associations, there is a lack of knowledge and experience regarding the implementation of the Regulation requirements into the organization. To what extent the associations comply with the GDPR's requirements and the reasons why they do or do not is still unclear, while answers to these questions would offer insights into the Regulation's feasibility and effectiveness.

1.3 Problem statement

The GDPR forces Dutch housing associations to implement controls to protect the personal data of individuals. For many industries, and no less for the Dutch housing associations, there is a lack of knowledge regarding the implementation of such data protection controls into the organizations. Recent studies demonstrated that a significant number of the housing associations do not meet the Wbp requirements, while the GDPR is even more comprehensive and complex. Therefore, the question arises whether the DHAs are ready for the GDPR. In less than 10 months the Regulation comes into effect, meaning that organizations have only a short term in which to set the course towards compliance. Housing associations process personal data of tenants on a daily basis and the amount of personal data DHAs possess is substantial, varying from name and address details to sensitive medical data. The information management of DHAs is getting more complex, while the GDPR puts new obligations on organizations regarding data protection. DHAs have to respond to the new obligations with appropriate controls to prevent data breaches, which potentially harm individuals and cause reputational damage.

1.4 Research objectives

This research study focuses mainly on the practical perspective of the second school. The research aims to explain the GDPR in terms of principles, objectives and obligations in comparison with the Wbp. In addition, investigating whether and how controls to protect personal data are implemented by DHAs, including the challenges and motives regarding the implementation, provides new views and findings relevant for other organizations. The research results may contribute to the scientific knowledge in the data protection and privacy discipline and may offer practices to DHAs or other organizations on their road towards GDPR compliance.

1.5 Research question

The research question follows from the problem statement and research objectives. In order to gather knowledge and practical insights about the GDPR obligations and the process of control implementation within the Dutch housing association industry, the following main research question is formulated:

"How should Dutch housing associations respond to the General Data Protection Regulation?"

The sub questions contribute to the answer to the main research question. The sub questions encompass four elements, whose answers result from the literature review or the case study. The following four sub questions are formulated:

1. What are the differences between the Wbp and GDPR in terms of principles, objectives and obligations to data controllers and processors?
2. What data protection controls are required to enable GDPR compliance?
3. To what extent are the required controls implemented by the housing associations?
4. What are the implementation challenges and motives?

1.6 Research method

The research consists of two components: a literature review and a case study. A literature review is conducted to find relevant literature and theories regarding information security, data protection, security awareness, and current and new data protection legislation. The first and second sub questions are answered based on the literature review. The case study results provide the answers to the third and fourth questions. The case study involves three housing associations. An identical method is used for each case to gather in-depth information regarding their response to the GDPR in terms of the implementation of controls.

1.7 Demarcations

The following demarcations apply to this research:

• Subject of analysis: three DHAs varying in size (small, medium, large)
• Unit of analysis: DHA and inter-DHA level
• Research focus: technology, process, people
• Boundaries: geographical: the Netherlands

The case study involves three DHAs that vary in size and have formulated an information security policy. The sample consists of a small, a medium-sized and a large organization, and is representative of the industry. The GDPR is applicable to all EU organizations. Therefore, a sample that represents the industry is selected, where size is the only constraint. Organizations without an information security policy, such as very small ones, are less interesting, because they often have limited knowledge regarding information security and data protection.

1.8 Practical and theoretical relevance

Organizations have limited time left to take the necessary measures to deal with the GDPR. This research attempts to address the required controls and the implementation challenges and motives of the Regulation that DHAs have to deal with. The results of the research may be used as practices for DHAs to implement data protection controls and meet the GDPR obligations, in order to take steps towards compliance.

In a theoretical sense, this research is relevant in two ways. First, a comprehensive review of the GDPR, in comparison with the Wbp, contributes to the understanding of the legislation by organizations and DHAs in particular. Second, the research is theoretically relevant because no empirical research on the GDPR within the context of DHAs has been conducted. The case study findings provide in-depth knowledge about the data protection control implementation, challenges and motives that might be generalizable to other organizations or industries. The outcomes of the research can also be used to determine the Regulation's feasibility and effectiveness in a broader sense. This research combines theoretical and empirical research to contribute to the knowledge gathering regarding information security, data protection and compliance.

1.9 Thesis structure

Figure 1 visualizes the structure of the thesis.

FIGURE 1: THESIS STRUCTURE

2. Literature study

This chapter contains a review of the literature with regard to data protection. Paragraph 2.1 starts with a brief overview of the context of the Dutch housing association industry. Paragraph 2.2 covers the concept of information security and its relationship with data protection legislation. The chapter continues in paragraph 2.3 with a comparison between the GDPR and Wbp, including definitions, principles and objectives. Paragraph 2.6 identifies the new GDPR obligations and paragraph 2.7 identifies the data protection controls. The chapter ends with the discussion of four motives for control implementation in paragraph 2.8.

2.1 Dutch housing associations

Housing associations in the Netherlands are unique as they are positioned between the public and private sector (Veenstra, Allers, & Koolma, 2013). In the 19th century the first DHAs were established as voluntary and non-profit housing-providing organizations of two different types: associations for private interests driven by a common need, and associations for public interests. The Housing Act of 1901 turned the DHAs into publicly authorized institutions, enabling the associations to receive financial support from the central government as long as they served the public interest (Ouwehands & van Daalen, 2017; Priemus, 2003). In the second half of the 20th century the subsidies were cut, which resulted in financially independent DHAs. However, the government still supports the associations by providing low-interest loans (Veenstra et al., 2013).

Nowadays, there are approximately 363 housing associations in the Netherlands. Together they own 2.4 million rentable housing units, which is the most common way to express the size of DHAs. DHAs strongly differ in size, varying from 50 to 80,000 units, with an average of 6,600 units (Rijksoverheid, 2014). The primary target group of DHAs is households with incomes below 35,000 euro. Although DHAs perform a variety of business processes, the administrative organization of the majority of DHAs is similar. Netwit (2013) has translated the processes into a reference architecture which is widely accepted among associations. Figures 2 and 3 visualize the reference architecture.

FIGURE 2: PRIMARY BUSINESS PROCESSES OF DUTCH HOUSING ASSOCIATIONS (NETWIT, 2013)

FIGURE 3: SUPPORTING PROCESSES (NETWIT, 2013)

DHAs are, to a large extent, information-processing organizations. Performing the daily operational management is impossible without the availability of information systems. Information is processed within and between each process. A substantial part of these information flows contains personal data.

2.2 Information security

The fundamental right to protect individuals in the personal sphere and to respect their privacy, together with protecting the business assets, are the prime drivers for the emergence of information security. The objective of information security is to protect the information systems against threats by implementing a set of controls. Information, in its widest sense, refers to public or private information that may be sensitive or confidential. The most relevant information to protect is business secrets and other confidential information and the personal data of customers and employees. Information security is part of integral risk management to minimize the exposure to risks (Overbeek et al., 2005). Effective information security is built on three pillars:
• People: employees need to be aware of their role, required behavior and skills
• Process: organizational activities, roles and documentation usage and adaptation
• Technology: technical controls within information systems and infrastructure

The three pillars of information security are visualized below in figure 4.

FIGURE 4: THREE PILLARS OF INFORMATION SECURITY (ISO/IEC 27001)

Information security threats emerge in many varieties, such as software attacks, theft of intellectual property, equipment or information, and identity theft. Threats can be categorized based on the aspects of the CIA triad:
• Confidentiality: protection of information from disclosure or unauthorized access
• Integrity: protection of information from modification by unauthorized parties to assure accuracy and completeness
• Availability: ensuring accessibility of information when required by authorized parties

2.2.1   Personal  data  protection  

Personal data are one category of the information managed by organizations. Data protection is part of information security, and both the three pillars of information security and the CIA triad apply to personal data protection. Moreover, without appropriate information security controls, data cannot be protected. To a large extent, the quality of data protection depends on the information security controls implemented within an organization.

2.2.2   Controls  

A risk analysis assists in determining which security controls should be implemented in order to warrant the reliability of information systems and processes; this requires insight into the effects of controls and the relations between controls. The main risk regarding data protection is a data breach. Criminals may abuse leaked or stolen information for identity theft, which harms individuals. Information security controls contribute to protecting the confidentiality, integrity and availability of information (Overbeek et al., 2005). The controls aim to mitigate risks and prevent incidents such as data breaches. Information security controls can be categorized according to their nature and the organizational level at which they are implemented:
•   Procedural controls
•   Technical controls
•   Physical controls
•   Compliance controls
 
Procedural controls consist of approved written policies, procedures, standards and guidelines. They form the framework for performing day-to-day business operations and inform people how to work. Examples of procedural controls are information security policies and incident response plans. The information security policy functions as the starting point for the selection and implementation of technical and physical controls (Overbeek et al., 2005).

Technical controls are programmed into the organization's systems and architecture, such as software and data, to monitor and control access to information. Examples of technical controls are login authentication in operating systems, encryption of classified information and network firewalls.

Physical controls consist of hardware or other material equipment that control and monitor the environment of, and access to, the workplace and computing facilities, for instance doors, locks, cameras and alarms.

Compliance controls are provisions that demonstrate compliance with legislation, such as privacy statements.

To evaluate the effectiveness of the controls, organizations conduct audits. Auditing is used as a safeguard in order to improve and add value to businesses (Vroom & von Solms, 2004). IT audits focus on the security of information systems and involve an independent evaluation of an organization's policies, procedures, standards, measures and practices for safeguarding information against loss, damage, disclosure or unavailability. However, one aspect that auditing does not cover effectively is the behavior of employees, which is crucial to any organization's security (Vroom & von Solms, 2004). The behavior of employees is difficult to measure and evaluate.
 
2.2.3   Information  security  awareness  controls  

Research has shown that the human factor is considered the most vulnerable element in information security (Katsikas, 2016). Many data breaches are due to employee negligence or ignorance of security policies (Vroom & von Solms, 2004). To reduce risks and ensure information security, organizations often rely on technical controls. Although these contribute to information security, they are often not enough to eliminate the risk (Bulgurcu et al., 2010). Traditionally, information security is concerned with technological and procedural aspects and less with human aspects. This is also known as the mechanical perspective of information security (Dhillon & Backhouse, 2001). Building robust systems and stipulating policies is essential, but it is not enough to ensure employees' compliance. If employees are unwilling to follow the security policies, or find ways to bypass technical controls, then these efforts are of no use. Policies may be detailed and crystal clear to employees, and yet compliance may be lacking (Vroom & von Solms, 2004). Employees may decide not to comply with the information security policies for reasons of convenience in their day-to-day routine, because the essence of compliance is not realized (Herath & Rao, 2009). Albrechtsen (2007) argues that the main problem for employees in complying is the lack of motivation and knowledge regarding information security.

Herath & Rao (2009), in their research on security policy compliance, identify the drivers of favorable employee attitudes towards security policies and of compliance intentions. Understanding the severity of a threat raises an employee's concern about security breaches, which has a positive effect on attitudes towards security policies. Also, if employees perceive that their compliant behavior benefits the organization, attitudes towards security policies are affected positively. It is critical that top management informs employees about the probability of information security incidents, such as data breaches, and convinces employees that their actions make a difference in protecting information. This will improve employees' compliance intentions and behavior. In addition, the availability and accessibility of information security policies and security awareness reading materials positively affect intentions to comply with policies. The researchers found that social influence, deterrence and organizational commitment also play a role in employee security behavior. Creating and maintaining a security climate, by managers who actively involve employees, also improves compliance intentions and behavior. This may be achieved by enhancing employees' perception of the likelihood of getting caught if they violate the security policies. Penalties, however, have a counter effect. Therefore, a detection mechanism is preferable to sanctioning.
    Within the context of information security, the four traditional controls address the process and technology pillars. Information security awareness actions act as 'controls' that address the people pillar. As such, the different controls can be categorized by the three pillars. Hereinafter, the security awareness actions are referred to as people-focused controls, procedural and compliance controls are referred to as process-based controls, and technical and physical controls are referred to as technology-based controls. The categorization is visualized in figure 5.
 

FIGURE  5:  INFORMATION  SECURITY  CONTROLS  CATEGORIZED  

 
2.2.4   Assessment  and  implementation  of  information  security  controls    

Empirical research by Merete Hagen, Albrechtsen and Hovden (2008) on the implementation and effectiveness of controls clarifies how organizations assess the importance of four main categories of controls: (1) security policies, (2) procedures, (3) tools and methods and (4) awareness creation. The researchers identified an inverse relationship between the implementation of information security controls and how the effectiveness of those controls is assessed. To illustrate, controls to improve security awareness are assessed as the most effective of all controls, and the technical-organizational controls as the least effective, by the participating organizations. Meanwhile, the participating organizations have widely implemented the technical-organizational controls, while security awareness controls are applied much less. A reason for this lies in the resources demanded. Implementing technical-organizational controls, like formulating security policies, is less resource-demanding than security awareness controls, like regular training and education sessions. Other reasons for the lack of attention to people-focused controls can be little or no top-management engagement and the traditional positioning of information security in the IT domain, which results in more technical controls (Merete Hagen et al., 2008).
    Security awareness controls are considered a logical follow-up to the technology-based and process-based controls. Organizations start to invest in the human aspect after the formal controls, which function as the foundation of their information security system, have been implemented. Merete Hagen et al. (2008) conclude that the technical, formal and human controls only have effect when they are built in combination, like a staircase. The security controls are mutually dependent on each other (Sundt, 2006). A technological foundation for information security must be in place first; otherwise the organizational controls would be useless. Organizational (or process-based) controls, in their turn, have no effect if people are not aware how to apply them in their daily jobs. The information security staircase demonstrates these mutual dependencies and is visualized in figure 6.
 

 
FIGURE  6:  INFORMATION  SECURITY  STAIRCASE  BASED  ON  MERETE  HAGEN  ET  AL.  (2008)    
 

2.2.5   Information  security  and  data  protection  standards  

Organizations may implement standards for their information security management. Standards emphasize the importance of IT in organizations, which makes IT management crucial to maintaining IT services. They contribute to information security in a broader sense. The most applicable and widely used standards are the ISO 27000 series, COBIT and ITIL (Shahibudin et al., 2008).
    COBIT and ITIL are more general IT management standards that have incorporated security as a component; hence they are not as comprehensive as the ISO 27k security standards. The DHA industry is most familiar with the ISO 27k standards, on which its information security policies are often based. The ISO 27k series is known as a framework for implementing an Information Security Management System (ISMS) and has a broad scope, being applicable to organizations of all sizes. The series consists of 45 standards addressing technical, administrative and organizational issues regarding information security, data protection, cybersecurity and related topics. ISO introduces new standards and updates existing ones from time to time.
 

ISO 27001 - ISMS
The ISO 27001 standard can be implemented as a system to manage information security; it provides the requirements for initiating, implementing, maintaining and continually improving the management system. The implementation of an ISMS is a strategic choice of the organization, influenced by its objectives, security requirements, applied procedures, size and structure. The ISO 27001 framework aims at protecting the confidentiality, integrity and availability (CIA) of information and must be integrated organization-wide to have effect. Therefore, the ISMS must be embedded in all business processes, information systems and controls of an organization. The ISMS requires maintenance, as it is subject to continual change.

ISO 27002 – information security code of practice
ISO 27002 is an information security code of practice that complements ISO 27001 and aims to protect the cyber environment of individuals and organizations. The code lists security control objectives and recommends a range of specific security controls. ISO 27002, or the Code of practice for information security management, provides best-practice recommendations on information security management and on initiating, implementing, maintaining and improving the ISMS. Within each section (appendix 1), information security controls and their objectives are defined. The controls are generally regarded as best-practice means of achieving those objectives, and implementation guidance is provided for each control. The controls are not merely technology-based; people- and process-based controls are addressed as well.

ISO 27018 – data protection in public clouds code of practice
In 2014 the ISO 27018 code of practice for the protection of personal data in public clouds was introduced. This code consists of specific guidelines, structured in the same sections as ISO 27002. The guidelines provide detailed control objectives and controls for protecting personal data, mainly addressing technology-based and process-based controls. The controls are in accordance with the privacy principles of the ISO 29100 standard. These privacy principles are, in turn, in alignment with the GDPR data protection principles.
 

2.2.6   Relation  to  data  protection  

Data protection legislation such as the GDPR aims at protecting the personal data of individuals. In information security terms, personal data are critical information that all organizations need to protect. Because of this, data protection and information security are interrelated, and information security standards are valuable for data protection. A number of the GDPR requirements are similar to, or covered by, the ISO 27001 sections; ISO 27018 helps to concretize the data protection principles and GDPR obligations; and the ISO 29100 principles are based on legislation. In addition, the GDPR refers to implementing 'appropriate' controls for data protection. Without mentioning them explicitly, the Regulation refers to common information security controls, which give shape to the appropriateness of controls. The ISO 27k standards, and the ISO 27018 framework in particular, incorporate controls that address GDPR obligations specifically. According to the analysis of Calder (2006), the ISO 27k standards therefore enable organizations to implement appropriate data protection controls that address the legal requirements.
 

2.3   GDPR  principles,  -­‐objectives  and  -­‐obligations  

The replacement of the Wbp by the GDPR forces organizations to rethink their information security management and data protection controls. Although a number of the Wbp requirements are preserved, the major part is redefined or elaborated, and new obligations are introduced. The changes affect both data controllers and data processors. To address the specific situation of Dutch housing associations with regard to the Wbp and the GDPR, the trade organization Aedes formulated a guideline in 2016. The guideline contains an overview of the requirements, highlights several controls, and is used here to outline the differences between the GDPR and the Wbp as they apply to DHAs. This section identifies the GDPR principles, objectives and obligations and compares them with the Wbp. First the definitions of the key concepts are described; here no comparison is made, since the key concepts are defined similarly in both legislative texts. The section continues with the principles, objectives and new obligations.
 

2.3.1   Key  concept  definitions  

Four  key  concepts  of  the  GDPR  are  defined,  retrieved  from  the  legislative  text.  This  gives  a  
concise  overview  what  the  concepts  mean  and  how  they  are  related  in  general.  
 
2.3.1.1  Personal  Data  and  data  subject  
The   Regulation   aims   to   protect   personal   data   of   EU   citizens.   The   regulation   defines   personal  
data  in  Article  4  as:    
 
‘’any  information  relating  to  an  identified  or  identifiable  natural  person  (’data  subject’);  an  
identifiable  person  is  one  who  can  be  identified,  directly  or  indirectly,  in  particular  by  reference  
to  an  identification  number  or  to  one  or  more  factors  specific  to  his  physical,  physiological,  
mental,  economic,  cultural  or  social  identity.’’    
 
The most common personal data are nominative data held in private and public IT systems, for instance the citizen service number (BSN), names, addresses, and health and financial data. Nowadays, certain technologies enable profiling, and even contacting people, without any nominative information. At that point, data processors do not need to know who the person behind such data is in order to single out that person. Costa and Poullet (2012) clarify: “it is enough to know his or her navigation habits through a cookie or an Internet protocol number, or his or her movements through a tag linked with an object in his or her possession. This means that it is possible to process particular, peculiar data about a person without the need to reveal his or her nominative identity.”
    The Commission has acknowledged the importance of broadening the definition of personal data, which is done by referring to 'any information relating to a data subject'. According to the Regulation, data protection applies if someone can be distinguished by any identifier. From that perspective, the Regulation is already more protective than the Directive was (Costa & Poullet, 2012).
 
2.3.1.2  Special  personal  data  
Some personal data are categorized as special. These personal data are often sensitive to the person and may infringe on their privacy. The special categories of personal data comprise racial or ethnic origin, religious or philosophical beliefs and political opinions, as well as genetic or biometric data and data concerning health or sex life and sexual orientation. These personal data require stricter protection than 'normal' personal data. Organizations may only process special personal data if the data subject has consented or if there is a legal obligation. For Dutch housing associations, the copy of a passport or ID card is the most common item of special category personal data they process. The Regulation no longer considers the personal identification number, or burgerservicenummer (BSN), a special category of personal data. However, the sensitivity of the BSN is very high and additional rules are forthcoming. DHAs may also put tenants on 'national black lists' if they demonstrate infringing behavior, place a burden on their surroundings, or pose a risk to society or to groups. The approval of the supervisory authority is required to maintain such black lists. The information on these lists about the tenants, including judicial and medical data and backgrounds, is extremely sensitive and must therefore also be considered special category personal data (Aedes, 2016).
 
2.3.1.3  Processing  data  
Organizations process personal data of their customers, employees or other stakeholders. Processing comprises any operation performed upon personal data, such as collecting, recording, structuring, storing, editing, destroying, consulting or using. Processing of personal data is only lawful if the organization has a legal ground. According to the GDPR there are six legal grounds:
•   Consent:  personal  data  may  be  processed  when  the  data  subject  consents.  
•   Contractual  necessity:  personal  data  may  be  processed  when  it  is  necessary  to  perform  
a  contract  with  the  data  subject  
•   Compliance   with   legal   obligations:   personal   data   may   be   processed   when   the  
controller  has  a  legal  obligation  
•   Vital  interest:  personal  data  may  be  processed  when  it  is  necessary  to  protect  the  ‘vital  
interest’  of  the  data  subject  (e.g.  life-­‐or-­‐death  situations)  
•   Public   interest:   personal   data   may   be   processed   when   it   is   necessary   for   the  
performance  of  tasks  carried  out  by  a  public  authority.    

•   Legitimate   interest:   Personal   data   may   be   processed   when   the   controller   has   a  
legitimate  interest  in  processing  those  data,  provided  that  such  legitimate  interest  is  
not  overridden  by  the  rights  or  freedoms  of  the  affected  data  subjects.  
 
The   most   common   legal   bases   for   housing   associations   are   consent,   contractual   necessity,  
compliance  with  legal  obligations  and  legitimate  interest  (Aedes,  2016).    
 
Any organization that processes personal data in its own right, the data controller, inherently bears the main responsibility for handling the information in line with the Regulation. A data controller is the legal person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data. When the data controller involves a third party for outsourced activities, that third party becomes a processor. A data processor is a legal person or body which processes personal data on behalf of the controller. In this case the data controller remains responsible for correct processing, even though it delegates the execution to the third party. Processing by a processor must be governed by a contract or other legal act that binds the processor to the controller, in order to protect the data subject.
 
2.3.2   Data  protection  principles  and  objectives  

The data protection principles form the foundation of the GDPR obligations for organizations. The principles provide the norms for the processing of personal data. If an organization is not able to satisfy the principles, processing is unlawful. All data protection principles addressed in the Wbp are also included in the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; retention limitation; integrity and confidentiality; and the accountability principle. De Hert and Papakonstantinou (2016) state that the transparency and accountability principles differ significantly from the Wbp principles, since they reinforce the protection of individual rights. First, transparency is formulated as follows by the researchers: “transparency creates a personal data processing environment of trust and enables any interested party to enforce effectively data protection rights and obligations, given that personal data processing is mostly conducted behind closed doors.” This means that organizations are forced to inform individuals proactively about all

relevant information regarding the processing activities, the implemented security controls and the rights of individuals.
    Accountability of data controllers and processors was already endorsed in the Wbp, but the GDPR stresses the principle in more detail. Under the GDPR, the controller is obliged to demonstrate that its processing activities comply with the data protection principles. The accountability principle helps to ensure that data controllers put in place effective policies and mechanisms to ensure data minimization and compliance with data protection rules (Alhadeff et al., 2012). This means that every obligation of the controller must be implemented; if not, processing is unlawful (De Hert & Papakonstantinou, 2016). The requirement to notify processing to the authority is removed; therefore, authorities no longer need to record the data being processed, nor make the list of data controllers publicly accessible. The accountability for recording all relevant information regarding data processing moves completely to the data controller, which has been a reason for the Commission to strengthen the accountability principle (De Hert & Papakonstantinou, 2016).
    The primary objectives of both the GDPR and the Wbp are 1) protecting individuals against unjustified collection, recording, use and dissemination of personal data, and 2) enabling the free flow of personal data between Member States. The GDPR strengthens the first objective, to give citizens back control over their personal data, by introducing new rights for individuals, which raises the minimum standard for protecting personal data. A new objective is to simplify the regulatory environment for international businesses by reducing fragmentation and enhancing consistency. This objective is covered well, since the Regulation applies to all organizations doing business within the EU, which also contributes to the second objective.
 

2.4   New  obligations    

The Regulation introduces significant changes to data protection compared with the Wbp. Data controllers and processors face new obligations. Organizations have to adhere to these obligations in order to comply with the Regulation, and information security controls must be implemented to protect personal data. Non-compliance can lead to harm under the GDPR, for both individuals and the organization. Individuals can be confronted with discrimination or identity fraud, while organizations can be disadvantaged economically or socially, in terms of financial loss, reputational damage and loss of confidentiality. The following paragraphs identify the new obligations for data controllers and processors.
 
2.4.1   Informed  consent  

Consent is a primary principle on which legal acts are constituted, and it is one of the legal bases for processing personal data. It enables individuals to authorize data controllers to process their personal data (Schermer et al., 2014). The Commission extended the consent requirement by redefining it as 'explicit' consent, in order to “avoid confusing parallelism with ‘unambiguous’ consent and in order to have one single and consistent definition of consent, ensuring the awareness of the data subject that, and to what, he or she gives consent”. Organizations may only rely on consent if the request is clearly distinguishable, presented in an intelligible and easily accessible form, using clear language. In addition, the consent request must not be unnecessarily disruptive to the use of the service provided. Consent must also be easy to withdraw at any time.
 
2.4.2   Records  of  processing  activities  

In the past, the amount of data processed was manageable and the supervisory authority could monitor the organizations. At that time, organizations were required to notify their data processing activities to the supervisory authority. Due to the enormous increase in data processed, the authorities are no longer able to cope with all the notifications. The GDPR places the accountability and responsibility for data housekeeping with the organizations themselves. Therefore, the notification requirement to the supervisory authority is replaced by the obligation to keep detailed records of processing activities, for both data controllers and processors. This obligation applies in any case to organizations with 250 or more employees, but the exemption for smaller organizations does not apply where processing is not occasional or includes special categories of personal data; DHAs are therefore subject to this obligation. The information that must be recorded contains at least the purpose, the categories of data subjects and personal data, the retention period and the recipients. The introduction changes the obligation from an external-facing one into an internal obligation to keep records that may be inspected by the authority (Kiss & Szőke, 2015). In addition, all data breaches must be recorded, even if notification to the supervisory authority is not necessary. The data breach notification requirement is another GDPR obligation; however, it was already introduced in 2016 for organizations in the Netherlands by a separate act.
 
2.4.3 Data protection impact assessment (DPIA)

The Regulation prescribes the execution of a data protection impact assessment (DPIA). A DPIA is used to identify and analyze the risks to individuals that arise from an organization's use of systems, and to accomplish compliance with the Regulation. The outcomes of the DPIA are used to implement appropriate preventative controls (Bieker et al, 2016). The predecessor of the DPIA is the privacy impact assessment (PIA), which was already covered by the Wbp. The implementation of a DPIA is further embedded and is mandatory when:
1. processing imposes higher risks to the rights and freedoms of individuals;
2. personal data is used for profiling or automated decision-making;
3. special categories of personal data are processed on a large scale;
4. publicly accessible areas are systematically monitored on a large scale.

The assessment contains at least a general description of the processing activities, an assessment of the risks to individuals, the security controls, and the mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation. The outcomes of the DPIA can be consulted by the authority for justification.
 
2.4.4 Data protection by design and by default

Data protection by design and by default is the principle of designing or building systems that take data protection into account and whose default settings enable data protection (Koops & Leenes, 2014). The principles are not new, as they are derived from the concept of privacy by design and by default. Although the concepts are already addressed by the Wbp, the GDPR emphasizes their importance by turning the principles into an obligation for data controllers and processors. The GDPR forces data controllers “to implement appropriate technical and organizational measures, which are designed to implement data protection principles, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

The controls, based on information security, must ensure ‘by default’ that personal data is protected and guarded against data breaches. The Regulation gives five examples of such controls:
• minimizing the processing of personal data
• encryption of personal data if possible
• transparency regarding the processing
• enabling the data subject to monitor the processing
• enabling the controller to create and improve security features
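The first two of these examples, minimization and encryption or pseudonymization of personal data, applied at the moment a tenant record is collected. This is an added illustration, not code from the thesis or from any housing association; the purpose catalogue, the field names, the settings and the sample tenant are constructed assumptions.

```python
"""Data protection by design and by default for a (constructed) tenant record."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Purpose-bound field catalogue (constructed for this example): a processing
# purpose may only see the fields it needs, which is the "minimizing the
# processing of personal data" control applied at collection time.
PURPOSE_FIELDS = {
    "tenancy_administration": {"name", "address", "national_id", "rent_arrears"},
    "maintenance_scheduling": {"name", "address"},
}

# Directly identifying fields are never stored in the clear; they are replaced
# by a keyed pseudonym ("encryption of personal data if possible").
PSEUDONYMISED_FIELDS = {"national_id"}


@dataclass
class ProcessingSettings:
    """Settings whose defaults already protect the data subject ('by default')."""
    share_with_third_parties: bool = False    # opt-in, never opt-out
    retention_days: int = 365                 # bounded retention by default
    subject_can_view_processing: bool = True  # transparency by default


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): stable for matching records inside the
    organization, but not reversible without the key, which is kept in a
    key store separate from the data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def collect(raw: dict, purpose: str, key: bytes) -> dict:
    """Keep only the fields the purpose is allowed to process and pseudonymise
    identifying fields. An unregistered purpose is refused rather than
    defaulting to 'collect everything'."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise ValueError(f"no registered purpose: {purpose}")
    record = {}
    for name, value in raw.items():
        if name not in allowed:
            continue  # minimization: not needed for this purpose, never stored
        if name in PSEUDONYMISED_FIELDS:
            value = pseudonymise(str(value), key)
        record[name] = value
    return record


if __name__ == "__main__":
    # Constructed sample intake form with one field (religion) that no
    # registered purpose needs, so it never reaches storage.
    key = b"constructed-demo-key-keep-in-a-key-store"
    intake = {"name": "A. Tenant", "address": "Teststraat 1, Tilburg",
              "national_id": "000000000", "rent_arrears": 0,
              "religion": "should never be stored"}
    print(collect(intake, "maintenance_scheduling", key))
    print(collect(intake, "tenancy_administration", key))
    print(ProcessingSettings())
```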
 
2.4.5 Data protection officer

The appointment of a Data Protection Officer (DPO) by data controllers and processors is another new obligation. A DPO must be appointed by all public authorities, where the processing operations of the controller require “regular and systematic monitoring of data subjects on a large scale”, or where the controller's core activities consist of large-scale processing of special categories of personal data. If an organization does not fall into one of these categories, appointing a DPO is not mandatory, which is currently the case for DHAs. However, considering privacy and data protection good practice, the appointment of a DPO is encouraged (Determann, 2016; Aedes, 2016). The draft version of the GDPR required only organizations with more than 250 employees to appoint a DPO, while in the final version such constraints are dropped. The DPO should be appointed on the basis of professional qualities and expert knowledge of data protection law and practices. The DPO must have an independent position within the organization in order to act as an intermediary between the organization, the supervisory authority and data subjects.
 
2.4.6 Agreement with data processors

The GDPR, like the Wbp, obliges data controllers to conclude legal agreements with data processors. The GDPR data processor contracts require more detail than before. A controller may only appoint processors that can demonstrate compliance with the GDPR. The binding written agreement states that the processor must, among other things, act only upon the instructions of the controller, ensure confidentiality and implement appropriate controls. Also, data must be returned or destroyed at the end of the agreement.

2.4.7 Extra obligations for data processors

More than under the Wbp, data processors fall within the scope of the GDPR obligations. Data processors must implement controls similar to those of data controllers. To a large extent, the accountability and responsibility for data protection has so far lain with data controllers. The GDPR requires data processors to comply, and individuals may take direct action and claim damages against these organizations. Previously, individuals were only able to exercise their rights against the data controller. In addition, non-compliant processors will be sanctioned in the same way as controllers.
 
2.4.8 Rights of data subjects

The GDPR lists a set of rights for data subjects. The rights contribute to one of the GDPR objectives: to give citizens back control over their personal data. This is made explicit by offering rights that may be exercised. Rights for individuals are not new. Several rights come from the Wbp, such as the right to access, to rectify and to object. However, the GDPR introduces new rights and updates existing ones. The first right, the right to be informed, differs from the others, as it is rather a duty for organizations. This right forces organizations to be transparent about their data processing activities by publishing a privacy statement. This statement must at least communicate what data is processed, for what purpose, and how and when this is done. In addition, the statement must mention the rights of the data subjects and how to exercise them. The privacy statement must be written in clear and understandable language and published in an easily accessible location. Two other new rights can be exercised by individuals: the right to be forgotten and the right to data portability.
The right to be forgotten is a new right for individuals introduced by the Regulation, which grants individuals the right to have their personal information deleted by data controllers if specific listed conditions are met. One of the following grounds has to apply:
• the personal data is no longer necessary in relation to the purpose
• the data subject legitimately withdraws consent and there is no other legal ground for processing
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing
• the personal data has been unlawfully processed
• erasure is required for legal compliance
• the personal data has been collected in relation to the offer of information society services

The right to data portability is an internet-specific new right afforded to individuals in the text of the new Regulation. This right entails that individuals are free to move their personal data from controller to controller. The Regulation states that: “the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided”.
A final right of data subjects is the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject. This right cannot be exercised by individuals. Similar to the right to be informed, it must be put into effect by organizations. Profiling is a widely debated topic: data protection proponents highlight its potential risks for individuals within the automated decision-making context; controllers on the other hand insist that its merits by far outweigh its disadvantages and that in any event it can be brought under strict regulatory controls in order to mitigate risks (De Hert & Papakonstantinou, 2016). For now, the new rules do allow profiling operations to take place, even based on sensitive data, under the general, but not always applicable, condition that special measures for the protection of individuals have also been implemented.
The Aedes guideline (2016) describes the rights of data subjects in practice. Organizations must design a process, if possible transparent to the data subject, for the adequate settlement of requests, taking the following steps into account: (1) intake, (2) self-service, (3) collaboration with third parties, (4) identification, (5) complaints procedure.

2.5 Data protection controls

Ensuring data protection and assuring compliance with the Regulation requires the implementation of controls. The implementation of data protection controls assists data controllers and processors in minimizing risks by preventing potential disruption. The GDPR states that data controllers and processors should implement appropriate technical and organizational controls to guarantee a security level in line with the potential risks concerning the data processing. The ‘security of processing’ provision of the GDPR emphasizes the necessity of information security for data protection and defines four technical security controls that should be implemented as appropriate: encryption; the ability to ensure the ongoing information security (CIA triad) of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of an incident; and a process of regularly testing, assessing and evaluating the controls.
Although four technical security controls are examined, the Regulation does not describe the implementation of the controls in detail. In addition, people- and process-based controls are not addressed. Organizations must determine which controls are appropriate and how to implement them. According to Calder (2006), the ISO 27001 information security control framework may assist organizations in meeting legal information security and data protection requirements. The ISO standard covers the implementation of technology-based, organization-based and, to a lesser extent, people-focused controls. Little attention is paid to the human element, as the ISO 27001, 27002 and also the 27018 frameworks only briefly mention the performance of information security awareness education and training. Moreover, little explanation regarding the implementation is provided, and the actions focus merely on security requirements, legal responsibilities, business controls and training in the correct use of log-on procedures and software (ISO, 2013), and less on behavioral change. Therefore, the theory of Herath and Rao (2009) is used to define a more comprehensive set of people-focused controls regarding security awareness actions.
The following paragraphs identify new controls that organizations must implement to become compliant. The addressed obligation or provision is also identified. The controls are retrieved from ISO 27001 and ISO 27018 and Herath & Rao's theory, divided into process-based, technology-based and people-focused controls, and categorized by their organizational nature (figure 7).

FIGURE 7: INFORMATION SECURITY CONTROLS CATEGORIZED

2.5.1 People-focused controls

The people-focused controls consist of a set of security awareness actions. According to the Regulation, one of the DPO's tasks is to create security awareness among employees. This is the only place where the Regulation mentions security awareness. Therefore, there is no explicit relation between the GDPR obligations and security awareness. However, investing in security awareness is a premise for effectively performing data protection and information security (Vroom & Von Solms, 2004; Merete Hagen et al, 2008). To give shape to the people element of data protection, the security awareness actions identified by Herath and Rao (2009) are regarded as people-focused controls. The actions contribute to improving awareness and encouraging compliant behavior of employees, and consist of:
• increase employees' positive attitude towards policies
• provide incentives for employees to increase compliant behavior
• educate employees by strengthening their knowledge and motivation (the ‘why’ question)
• train employee skills, competences and belief in self-efficacy (the ‘how’ question)
• increase organizational commitment
• availability of resources (online training, policies, promotion and support mechanisms)
• expression of beliefs and desirable behavior by influential superiors
• enhancement of the security climate by (top) managers
• detection mechanisms for violations of security policies (e.g. penalties)

2.5.2 Process-based controls

The process-based controls are divided into procedural and compliance controls. In contrast with the people-focused controls, the process-based controls are related to several GDPR obligations. The procedural controls consist of approved written policies, procedures, standards and guidelines, which are available to the internal organization for performing processes and activities. Compliance controls are provisions to demonstrate compliance to the supervisory authority. Each process-based control contributes to the achievement of an obligation for organizations.
Many of the procedural controls are related to the security of processing, acting as a component of or condition for appropriate protective controls. The procedural controls are the formal systems of the organization to protect information and personal data (Merete Hagen et al, 2008). The formal systems are needed to secure the processing activities. The controls to appoint a DPO, to conduct a DPIA and to formulate a procedure for data access requests address the obligations of the same name. Table 1 lists all procedural controls together with the related obligation or provision.
 

Process-based controls

| Procedural control | Related obligation or provision |
|---|---|
| Appointment of DPO | Data Protection Officer |
| Process for identifying the need for, conducting and documenting DPIAs | Data Protection Impact Assessment |
| Information security policy and plan | Security of processing provision |
| Formal procedures to allow personal data to be erased and blocked | Security of processing provision |
| Incident response plan | Security of processing provision |
| Individual's data access, rectification or erasure request process and procedure | Right of access by the data subject |
| Test procedures for security controls | Security of processing provision |
| Data archiving and destruction procedures | Security of processing provision |
| Data retention policies | Security of processing provision |
| Authorization and access policies and lists | Security of processing provision |
| Business continuity and data recovery plan | Security of processing provision |

TABLE 1: PROCEDURAL CONTROLS

The compliance controls aim at demonstrating compliance and transparency towards data subjects. The controls that enable demonstrating compliance are: recording all relevant information on processing activities, maintaining a data breach register, notifying data breaches to the authority, agreements with data processors, and external audits. Applying consent correctly and informing individuals of the data processing are the controls that enable transparency. Table 2 lists all compliance controls along with the related obligation or provision.
 

Process-based controls

| Compliance control | Related obligation or provision |
|---|---|
| Consent collection is distinguishably presented in an intelligible, easily accessible and undisruptive form, using clear and plain language | Informed consent |
| Consent is given by a clear affirmative act | Informed consent |
| Notify or inform individuals of processing | Right to be informed |
| Publish an easily accessible and understandable privacy statement | Right to be informed |
| Inform individuals about their right to demand erasure of their personal data | Right to be informed |
| Include all (new) stipulated terms in processor contracts | Agreement with processors |
| Maintain data processing records | Records of processing activities |
| Maintain data breach records | Records of data breaches |
| Report data breaches | Notification of data breach to authority (and data subject) |
| External audits | Security of processing provision |

TABLE 2: COMPLIANCE CONTROLS

2.5.3 Technology-based controls

The technical controls are programmed into the organization's systems and architecture, such as software and data, to monitor and control access to information. The majority of the technical controls address the organization's obligation to protect data by design and by default and to implement appropriate controls for the security of processing. Table 3 lists all technical controls together with the related obligation or provision.
 

Technology-based controls

| Technical control | Related obligation or provision |
|---|---|
| Data protection by design and by default strategies and patterns | Data protection by design and by default |
| Direct data encryption or anonymization if possible | Data protection by design and by default; Security of processing provision |
| Archiving data | Security of processing provision |
| Measures to block or erase data systematically | Data protection by design and by default; Security of processing provision |
| Access control | Security of processing |
| Allocate authorizations | Security of processing |
| Separation of data | Security of processing |
| Register of processing activities records | Records of processing activities |
| Cloud storage or DMS | Security of processing |
| Store data in a structured and machine-readable format | Right to data portability |
| Internal audits | Security of processing |

TABLE 3: TECHNOLOGY-BASED CONTROLS
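Three rows of Table 3, together with the records-of-processing obligation from paragraph 2.4.2 and the erasure grounds from paragraph 2.4.8, as one working register: entries must carry the purpose, categories, retention period and recipients; data is blocked or erased systematically when retention expires or a data subject asks for it; and a subject's data is exported in a structured, machine-readable format. This is an added example, not code from the thesis or from any housing association; the activity names, field sets, retention period and sample tenants are constructed assumptions.

```python
"""Register of processing activities with retention enforcement and portability export."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# The four items the GDPR names as the minimum content of a record.
REQUIRED_RECORD_FIELDS = ("purpose", "categories", "retention_days", "recipients")


@dataclass
class ProcessingActivity:
    """One entry in the register of processing activities."""
    name: str
    purpose: str
    categories: list[str]     # categories of personal data (constructed names)
    retention_days: int
    recipients: list[str]     # internal departments and external processors

    def missing_fields(self) -> list[str]:
        """Required items that are empty; the register refuses such an entry."""
        return [f for f in REQUIRED_RECORD_FIELDS if not getattr(self, f)]


@dataclass
class SubjectData:
    """Personal data of one subject, stored under a registered activity."""
    subject_id: str
    activity: str
    collected_on: date
    provided_by_subject: dict  # the data the subject gave the controller
    blocked: bool = False       # kept for a legal duty, but no longer processed
    erased: bool = False


class Register:
    def __init__(self) -> None:
        self.activities: dict[str, ProcessingActivity] = {}
        self.data: list[SubjectData] = []
        # (subject_id, activity, ground) per erasure: evidence for the authority
        self.erasure_log: list[tuple[str, str, str]] = []

    def register_activity(self, act: ProcessingActivity) -> None:
        missing = act.missing_fields()
        if missing:
            raise ValueError(f"record of processing incomplete, missing: {missing}")
        self.activities[act.name] = act

    def store(self, item: SubjectData) -> None:
        # No storage without a documented purpose: the register is the gate.
        if item.activity not in self.activities:
            raise ValueError(f"no registered processing activity: {item.activity}")
        self.data.append(item)

    def enforce_retention(self, today: date) -> int:
        """Erase data whose retention period has passed (ground: 'no longer
        necessary in relation to the purpose'). Returns the number erased."""
        count = 0
        for item in self.data:
            keep_days = self.activities[item.activity].retention_days
            if not item.erased and today > item.collected_on + timedelta(days=keep_days):
                self._erase(item, "no longer necessary in relation to the purpose")
                count += 1
        return count

    def erasure_request(self, subject_id: str, legal_hold: bool = False) -> int:
        """Right to be forgotten: erase on request, or block instead when a legal
        obligation requires the data to be kept. Returns the number handled."""
        count = 0
        for item in self.data:
            if item.subject_id == subject_id and not item.erased:
                if legal_hold:
                    item.blocked = True
                else:
                    self._erase(item, "erasure requested by the data subject")
                count += 1
        return count

    def _erase(self, item: SubjectData, ground: str) -> None:
        item.provided_by_subject = {}
        item.erased = True
        self.erasure_log.append((item.subject_id, item.activity, ground))

    def portability_export(self, subject_id: str) -> str:
        """Right to data portability: everything the subject provided, as JSON
        (structured, commonly used and machine-readable)."""
        items = [{"activity": i.activity, "collected_on": i.collected_on.isoformat(),
                  "data": i.provided_by_subject}
                 for i in self.data if i.subject_id == subject_id and not i.erased]
        return json.dumps({"subject_id": subject_id, "items": items}, indent=2, sort_keys=True)


def build_demo_register() -> Register:
    """Constructed sample data (not real tenants); the 30-day retention is illustrative."""
    reg = Register()
    reg.register_activity(ProcessingActivity(
        name="rent_collection", purpose="collecting the monthly rent",
        categories=["identification data", "payment data"], retention_days=30,
        recipients=["finance department", "payment processor (hypothetical)"]))
    reg.store(SubjectData("tenant-1", "rent_collection", date(2017, 1, 1), {"iban": "NL00TEST0000000000"}))
    reg.store(SubjectData("tenant-2", "rent_collection", date(2017, 2, 15), {"iban": "NL00TEST0000000001"}))
    return reg
```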

2.6 Motives for control implementation

Organizations base their decisions on whether to implement data protection controls on different motives. Organizations may decide to invest or not to invest in data protection. Assuming that organizations make conscious choices, at least four motives are identifiable. Organizations may invest in data protection controls for (1) ethical reasons, or because (2) the benefits are weighed against the costs. Also, (3) the extent to which the enforcement by the supervisory authority is adequate and consistent, and (4) the interpretation of ambiguous legal texts may influence the decision-making.
 
2.6.1 Ethical reasoning

Ethical reasoning is based on the moral responsibilities of organizations, according to Culnan and Williams (2009). Organizations ought to do no harm in the treatment of their customers' personal data, since customers are vulnerable. A manager must often balance customer privacy against business interests. Customers give up control over the subsequent use of their data in exchange for a product or service. They want to trust that the organization keeps the data private. Misused information can easily result in harm to the customer. Therefore, organizations have the moral responsibility to invest in information security controls to protect data and prevent data breaches that cause potential harm. Organizations also have business reasons to protect personal data. Problems occurring from a data breach can lead to bad publicity and reputational damage. In addition, the fines and other costs of responding to the breach have consequences for business performance. The negative impacts may threaten the shareholders' fiduciary relationship with the organization. Ultimately, organizations that recognize and act upon their moral responsibilities are better able to acquire resources. Therefore, avoiding harm by protecting personal data is both ethical and economically sustainable (Culnan & Williams, 2009).
 
2.6.2 Cost-benefit analysis

A cost-benefit analysis estimates the benefits and costs resulting from an event or undertaking. The analysis may guide organizations in choosing among alternatives by weighing the benefits against the costs. Using the analysis to decide on investment in data protection controls can be problematic, due to its assumptions (King & Schrems, 1978). The cost-benefit analysis assumes that organizations know how to assign all costs and identify all benefits. Often the costs are underestimated and the benefits are overestimated. Organizations have difficulties controlling project costs and achieving the benefits. In addition, the analysis assumes that organizations are able to identify the complete set of alternatives, which often is not possible. Other disturbing factors are social and political situations, such as misunderstandings, conflicting interests and coercion (King & Schrems, 1978).
 
2.6.3 Authority enforcement

The authority enforcement motive is closely related to the motive based on a cost-benefit analysis. A proactive approach by a supervisory authority may compel organizations to make compliance decisions. When enforcement is lacking, organizations weigh the benefit of neglecting control implementation against the costs of being detected. In this situation, increasing the likelihood and costs of detection through monitoring and sanctioning is the best means to enforce compliance and make non-compliance less attractive (Tallberg, 2002).
 
2.6.4 Interpretation of the legislative texts

The GDPR is principle-based and consists of open norms. The Regulation imposes requirements that are unclear, which makes it difficult for organizations to comply (Culnan & Williams, 2009). Jurisprudence is lacking, since the GDPR is not yet in force. Legislative systems may be classified as principle-based or rule-based, according to Burgemeestre et al. (2009). The GDPR corresponds more with principle-based legislation than with the rule-based approach. The boundaries of the obligations are not settled yet, the requirements are universal and abstract, and the Regulation leaves room for interpretation. The GDPR is clear about what organizations must do to become compliant. However, how this may be achieved has not been formulated. More practical knowledge about the Regulation is required to implement the controls adequately. Social negotiations between organizations, trade associations and regulators are useful to standardize norms in understandable language (Burgemeestre et al, 2009). This may contribute to a more straightforward interpretation and implementation of the GDPR for organizations.
 

2.7 Literature review summary

Data protection is part of an organization's information security. The Regulation forces organizations to reconsider their data protection controls and, thus, their information security management. Successful information security leans on three pillars: people, process and technology. The GDPR introduces new data protection principles, measures and objectives. The control frameworks of the ISO 27001/2 and 27018 standards are deemed useful for implementing the required technology-based and process-based controls to comply with the GDPR. Implementing process- or technology-based controls assists in achieving compliance, although this will not be sufficient. The process- and technology-based controls have no effect when people-focused controls are neglected and when employees are unaware and fail to demonstrate the desired behavior (Vroom & von Solms, 2004). The actions identified by Herath & Rao (2009) contribute to improving the security awareness of employees.
Furthermore, whether controls are implemented may be driven by different motives. The primary motive, and the one most commonly voiced by organizations, is based on ethical reasoning. However, organizations might have other motives, such as a cost-benefit analysis, (lack of) supervisory authority enforcement and (issues with) interpretation of the legislative text.

3. Research method

This chapter explains the applied research method. The first paragraph describes the selected method. The second paragraph describes the research design, the quality of which is discussed in the third paragraph. The fourth paragraph describes the method of data collection and, finally, the data analysis procedure is explained.
 

3.1 Method selection

Yin (2009) describes five research methods, which must be selected based on three conditions. The conditions are:
1) the type of the research question
2) the extent of control the researcher has over actual behavioral events
3) the degree of focus on contemporary as opposed to historical events

The type of research question is a “how” question. This type of question is more justifiable for explanatory research, dealing with operational links that need to be traced over time, and is an appropriate motivation for case study research. The researcher has no control over actual behavioral events and the focus is on contemporary events. The combination of the three conditions indicates that a case study fits best as the research method.
 

3.2 Research design

The research design contains four components: (1) research questions, (2) units of analysis, (3) the analytic technique and (4) the criteria for interpreting the findings. Paragraph 1.4 describes the research questions; the unit of analysis consists of three Dutch housing associations. Pattern matching by cross-case synthesis is used to analyze the cases.
 

3.3 Quality of the research design

The quality of the research design can be judged by three logical tests based on certain criteria, listed in table 4. A research design is chosen to contribute to finding evidence that addresses the research question. In order to test the research design on each criterion, several tactics are applicable in each phase. To increase construct validity, multiple sources of evidence are used. The study involves three housing associations. If practicable, interviews are held with two or three participants with different organizational roles. The case protocol and interview questions (appendix 2) are reviewed by key informants. External validity deals with the generalization of the research beyond the case study, which is maximized by using replication logic. The evidence from multiple-case studies is often considered more compelling and more robust (Herriot & Firestone, 1983). The designed research protocol enables the researcher to repeat the process for each case study, which contributes to uniformity, validity and generalizability, and to improved reliability. The goal of reliability is to minimize errors and biases in the study. A later researcher should arrive at the same results and findings as an earlier researcher if the same procedures are followed.
 

Tests, case study tactics and the phase of research in which each tactic applies:

Construct validity
•   Use multiple sources of evidence (data collection)
•   Establish chain of evidence (data collection)
•   Have key informants review draft case study report (composition)
Internal validity
•   Do pattern matching (data analysis)
•   Do explanation building (data analysis)
•   Address rival explanations (data analysis)
•   Use logic model (data analysis)
External validity
•   Use theory in single-case studies (research design)
•   Use replication logic in multiple-case studies (research design)
Reliability
•   Use case study protocol (data collection)
•   Develop case study database (data collection)
TABLE 4: CASE STUDY TACTICS FOR FOUR DESIGN TESTS (YIN, 2009)

3.4   Data collection

Several sources of data are used to conduct this study. For theory development both scientific and industry literature were used. The semi-structured interviews form the main data source for the case study. Three housing associations are involved. The GDPR is applicable to all EU organizations; therefore, a sample of three housing associations that represent the industry has been selected. All participating organizations have formulated an information security policy, which assures that the respondents have a certain level of knowledge of information security controls and increases the chance of finding interesting practices. The classification of the industry is based on organizational size, measured by the number of units that a housing association rents out. Table 5 shows the size classification, the selected sample of DHAs and the roles of the respondents. Appendix 3 contains the interview agenda.
 
Size class (rentable units), DHA (rentable units) and respondent roles:

Small (0 – 7.500): Woongoed Middelburg (6.623)
•   Information manager
Medium (7.500 – 15.000): Wonen Zuid (13.777)
•   Information manager
•   Business controller
Large (15.000 +): AlleeWonen (19.766)
•   Information manager
•   Business controller
•   Privacy officer
TABLE 5: CASE STUDY SAMPLE

3.5   Data analysis

The semi-structured interviews help to put the findings in a preliminary order. The findings from the interviews are put into a matrix of categories based on the a priori coding. The control implementation status is indicated by assigning colors. A status can have the color green (V), yellow (!) or red (X): green is assigned to controls that are fully implemented, yellow to controls that are partially implemented and red to controls that are not implemented. The patterns observed within cases are then compared in a cross-case analysis to find similarities and differences when the data is viewed from different perspectives. Overlapping patterns indicate the strength of support, and thus the possibility of generalization. The three domains of information security (people, process, technology) are used to analyze the control implementation, and a cross-case analysis is executed on each domain separately. The implementation status of each control is used to tabulate the frequency of events, and the findings are used to find patterns and explanations for these events.

4.  Results

This chapter describes the case study findings per case and the analysis of the findings. The first section describes the findings for each case regarding the control implementation in the three information security domains (people, process, technology), including the implementation challenges and motives. Section 4.2 consists of the data analysis, comparing the cases side by side. Furthermore, the Wbp is compared with the GDPR and a comparison between the theory and the findings is made. The interview data is presented in appendices 4, 5 and 6.
 

4.1   Case  study  findings  

The   findings   per   case   are   analyzed   separately,   based   on   the   three   domains   of   information  
security:  people,  process,  technology.  The  implementation  challenges  and  motives  regarding  
the  control  implementation  are  analyzed  jointly.  First  the  case  of  Woongoed  Middelburg  is  
analyzed,   followed   by   Wonen   Zuid   and   AlleeWonen.   Each   case   analysis   starts   with   a   brief  
introduction  of  the  organization.  
 
4.1.1   Case 1: Woongoed Middelburg

Woongoed Middelburg dates back to 1919 and is the continuation of Woningbouwvereniging Middelburg, which itself emerged from a merger of three DHAs. Woongoed owns 6.323 rentable units and this number has been stable since 2012. The workforce counts 39 fte. VVA-informatisering was chosen to guide the development of the information security policy and plan.
 
People-focused controls
Woongoed Middelburg considers the people element the most important factor in becoming GDPR compliant. The organization has no official DPO and has no intention to appoint one. Woongoed believes in the professionalism of its employees and the responsibility of its managers. The organization is based on trust, and employees must be able to consult all available personal data of tenants, enabling optimal customer service. The non-disclosure agreements between the organization and its employees should assure careful handling of personal data. The GDPR is a topic of high interest for top management. Woongoed invests in security awareness in terms of training and educating employees, which is regarded as effective. However, data protection will always be a side issue alongside the employees' daily jobs. Although the organization considers its employees not yet ready for the GDPR, it is confident that it will be ready in time.
 
Process-based controls
The process-based controls are partially implemented. Woongoed wants to minimize paperwork and bureaucracy: the more plans and procedures, the more frequently these documents need updating. Instead of formulating plans and procedures, managers and employees must know their responsibilities by heart and respond to incidents using common sense and in consultation with colleagues. The organization has no experience with conducting DPIAs and defers such an assessment until a data breach has occurred; it does, however, weigh the concerns and risks of data processing for tenants and for the organization. The organization addresses the data protection principles by redesigning the business processes in order to minimize data and apply purpose limitation. In addition, Woongoed is currently developing a register for recording data processing activities. In the past the organization collected as much as possible, without a clear purpose. Now the organization aims to collect as little as possible and to store it for as short a time as possible.
The organization has formulated an information security policy and plans. In addition, Woongoed has formulated a data breach procedure and authorization and access policies. A procedure for data archiving and destruction has been formulated partially, and a work process for handling individuals' requests for access to their personal data is lacking. For an incident response plan and a business continuity and data recovery plan the organization relies on its outsourcing parties.
Less attention is paid to transparency towards tenants about data processing activities. No privacy statement has been formulated yet. Tenants are informed only briefly about Woongoed's data processing activities when signing a rental agreement. Woongoed demonstrates compliance to the authority through recording and notifying data breaches; the agreements with processors will be revised soon. External audits will be considered after the control implementation is completed.
 
Technology-based controls
The principles of data protection by design and by default have been a source of conflict for Woongoed, as they are not in line with its trust-based organization. If systems are installed with the highest protection configuration, employees will feel hindered, resulting in less adequate customer service. The information systems contribute to data protection through access controls and authorizations. Due to the trust-based organization of Woongoed, controls to encrypt or to separate data are not desired. By contrast, controls to erase data and to block modifications are implemented.
Furthermore, the respondent (information manager) added an interesting point of view. Traditionally, DHAs are technology- and process-oriented, and the human element has been overlooked for a long time. The technological developments of the past decade helped DHAs to digitize their business processes. At the same time, this development has increased the risk and probability of data breaches. People are unaware, as they were not involved with information security or data protection.
 
Implementation challenges and motives
Woongoed puts most effort into the people-focused controls. The organization believes that security awareness and encouraging desired behavior are most important to become GDPR compliant. At the same time, maintaining awareness and alertness at a level at which employees keep demonstrating compliant behavior is regarded as a major challenge. Regarding the process-based controls, the amount of time required to formulate plans, procedures, policies and a privacy statement has been the most challenging for Woongoed. In addition, data protection is often considered a side issue by employees. Another challenge is to limit the technical controls to what is really necessary. The organization wants to avoid investing too much in technical controls whose effectiveness is doubtful. Systems with high data protection levels only hinder employees and may be counterproductive. Woongoed tries to solve security issues first with people-focused controls, followed by procedural controls. Technology should have a supportive role.

The introduction of the GDPR is a trigger for Woongoed to invest in data protection. The organization implements controls to prevent data breaches and avoid bad publicity. Moral responsibility has been the motivator for most of the security control implementation. However, not all required controls are implemented or planned. One reason for that can be found in the trust-based organization: Woongoed deliberately chooses not to diminish this approach and to have faith in its employees' professionalism and confidentiality. In addition, processes must remain workable after control implementation; the organization tries to find the balance between operational workability and compliance. The interpretation of the legislative texts has also been a motive for Woongoed not to implement certain controls. The Regulation conflicts with other laws and the open norms are not straightforward, so the organization waits for definite answers from the authority and from jurisprudence. The last motive to implement controls not exactly as required can be found in the perceived tolerance of the supervisory authority. As long as control implementation decisions can be explained and justified, Woongoed believes that the authority will enforce less strictly.
 
4.1.2   Case 2: Wonen Zuid

Wonen Zuid is a housing association in the region of central and south Limburg and owns 13.777 rentable units. Wonen Zuid was founded in 2002 from a merger of five housing associations from that same region. The association has offices in Roermond and Heerlen and counts 150 fte.
 
People-focused controls
Wonen Zuid acknowledges the importance of implementing people-focused controls, although improving the security awareness of employees has received limited attention so far. The organization has implemented several controls to protect information and personal data of tenants, mostly technology- and process-based. The implementation of people-focused controls is planned. Currently, employee interest in data protection is low. Data protection and the GDPR are not in people's minds yet and a security awareness climate is lacking. The organization regards the GDPR as yet another law to comply with and difficult to manage. Nonetheless, management has started to identify the GDPR obligations, since they feel the necessity. The organization assesses its employees to be “incompetent aware”. To improve security awareness the organization has planned to introduce a chatbot that functions as the body of knowledge, to which employees can put questions related to data protection. Wonen Zuid has no DPO appointed yet, since this is not required. The organization expects that a DPO will be mandatory for housing associations soon. For now, the DPO's tasks lie with the information manager.
 
Process-based controls
To identify the categories, owner and location of personal data within the business processes, a classification is under construction. The classification will help to minimize data collection, limit the purpose of processing and limit retention. However, Wonen Zuid holds personal data in its business processes that the organization is not allowed to have. This is due to the legacy of the systems. The organization attempts to comply with the mandatory retention period and has planned a clean-out of personal data in all documenting systems, both logical and physical. However, the organization realizes that it will not be completely free of unlawfully held personal data in its systems at the GDPR implementation date.
Wonen Zuid has implemented several procedural controls concerning information security and data protection, such as an information security policy, incident response plans and several procedures. A data breach procedure awaits top-management approval. Although the organization has implemented several procedural controls, their importance is not communicated throughout the organization. Most employees, except for the IT department, do not understand the necessity of certain controls.
The organization's privacy statement, which informs tenants about the processing activities, is almost ready for publication. Wonen Zuid places high value on transparency. This transparency was reflected in the notification of a data breach to the supervisory authority, even though the breach was not considered notifiable. Controls for the purpose of demonstrating compliance to the supervisory authority are less developed. Although the organization keeps records of data breaches, a register of all processing activities and contracts with processors containing the newly stipulated terms are still missing.

Technology-based controls
Traditionally, Wonen Zuid has attached great importance to technology. The technical controls within the self-managed systems are close to the optimal level. The access controls and authorizations are stringent, and the organization has planned to narrow the authorizations even further. Wonen Zuid actively controls and evaluates the authorizations of each employee on a regular basis in order to prevent unnecessary access to data. However, the organization also makes use of supplied IT systems, which hardly ever meet the new GDPR requirements. Therefore, Wonen Zuid collaborates with other housing associations to formulate data protection by design and by default strategies. These strategies form the new requirements for the supplied IT systems, consisting of data encryption and data archiving, blocking and erasure.
 
Implementation challenges and motives
Wonen Zuid considers the improvement of security awareness a major challenge. The organization realizes that implementing people-focused controls will be crucial to protect personal data in accordance with the GDPR. Until recently, the organization relied mainly on technical controls. Only the IT department was concerned with data protection, while the rest of the organization was, and still is, not aware. Although the process-based and technical controls are well developed in comparison with the people-focused controls, the organization must implement extra controls to comply with the GDPR. The amount of work and time that the required procedural and compliance controls bring is considered the most problematic. The legacy of the collected data and the way it is stored in all systems creates problems today. This legacy hinders data minimization, and Wonen Zuid will not be able to limit its data processing to what is strictly necessary for performing the processes by 25 May 2018. In addition, the supplied systems do not yet comply with the new requirements. Updating the systems to incorporate the GDPR requirements at short notice will also be a challenge for Wonen Zuid.
The moral responsibility of Wonen Zuid towards its tenants and employees is the main motive for implementing data protection controls. The organization places high value on the privacy of individuals and wants to avoid bad publicity. Nonetheless, Wonen Zuid assumes that enforcement by the supervisory authority is unlikely, since the authority has too little capacity for proactive inspections. Moreover, Wonen Zuid believes that the authority will be satisfied if the organization is able to show progress without being compliant. Another motive in control implementation can be found in the ambiguity of the legislative texts. Wonen Zuid criticizes the GDPR for its practicability and the lack of guidance provided.

4.1.3   Case 3: AlleeWonen

AlleeWonen is a housing association in Roosendaal and Breda and owns 19.766 rentable units. The origin of the association dates back to 1916. AlleeWonen has emerged from a number of mergers. In 2004 Arwon and WSJ beheer, both from Roosendaal, started collaborating; the new association was called Aramis. Three years later Aramis merged with Singelveste Breda and AlleeWonen was founded. The association is nowadays located both in Roosendaal and Breda and the workforce counts 186 fte. VVA-informatisering was chosen to guide the development of the information security policy and plan.
 
People-focused controls
AlleeWonen puts high value on security awareness. The organization invests in people-focused controls to gain widespread support and to encourage desired behavior. A security awareness team has been composed with members from all organizational layers. The team stimulates employees to think and act as they should and to protect the data of tenants and employees. In addition, trainings and an educational road show have been offered. The security team also rewards employees who detect and report a potential data breach. These actions have been effective for almost all departments. Although the organization invests in a security team, support from top management is not unanimous: some managers call decisions of the security team or the privacy officer into doubt. The middle layer of the organization is the driver that brings the GDPR and data protection to the attention of employees. AlleeWonen did not appoint a DPO. The organization believes that a privacy officer will be sufficient as long as a DPO is not mandatory.

Process-based controls
AlleeWonen attempts to weigh the risks and concerns of the data subjects and the organization thoughtfully. The organization pays much attention to avoiding bad publicity. Therefore, the organization evaluates for each process what data is really needed and what the purpose is, in order to justify its data processing. The organization has not yet found a solution to reduce the copying and storing of data in multiple locations. DPIAs are not conducted by AlleeWonen; the assessments are planned to be executed after the control implementation is completed. The organization does feel the necessity to implement all required controls as soon as possible. AlleeWonen does not consider itself a data protection pioneer. The organization carefully follows the mainstream and adapts to the GDPR step by step, always seeking the balance between the legislative framework and organizational certainties. Processes must remain practicable for the employees who perform the tasks.
AlleeWonen's information security policy and plan were formulated in 2016, and the organization is putting effort into realizing all the plans. Other process-based controls that the organization has implemented are: a data breach procedure, a procedure for data archiving and destruction, an access and authorization policy, partial test procedures and a data archiving procedure. In addition, the organization has incident response plans. The business continuity and data recovery plan is covered by the outsourcing party. As an extra, AlleeWonen has a protocol to protect its customer service employees against unjustified recording, and the organization has a camera protocol.
The organization strives to be transparent about its processing activities towards tenants and other data subjects. A privacy statement will be published soon. AlleeWonen demonstrates accountability and compliance through a register of data processing records and updated agreements with processors according to the newly stipulated terms. Although data breaches are recorded together in folders, a register is lacking. External audits will be considered after evaluating the results of the DPIAs and jurisprudence.
 
Technology-based controls
AlleeWonen appreciates the importance of data protection by design and by default. So far, the organization has not formulated a strategy. However, there are plans to standardize and to select future suppliers using these standards. The organization has implemented several technical controls. A new archiving system has been launched and the register of data processing activities has been finished. The organization performs several tests to evaluate controls, but wants to perform tests and internal audits more frequently. The organization does not separate or encrypt data; AlleeWonen waits for its IT suppliers to introduce these kinds of features.
 
Implementation challenges and motives
AlleeWonen considers involving employees in the data protection activities and enhancing their security awareness most important to become GDPR compliant. Keeping employees aware and avoiding a slackening of their compliant behavior will be a challenging task. In general, there is organization-wide interest; however, some departments are lagging, and AlleeWonen must be persuasive to encourage desired behavior in all departments. Regarding the process-based controls, the organization finds it challenging to standardize all processes and procedures throughout the organization. In addition, there are few or no tools available on the market to simplify the processes or procedures. The organization also has trouble with data storage procedures: a clear overview of where data is stored, such as on local devices or in mailboxes, is lacking, and regaining oversight will be a major task for the organization. In the end, the implementation of process-based controls takes a lot of time and effort, which makes it difficult to prioritize and manage. Not all technical controls are implemented in the organization of AlleeWonen. The challenge is to have all the technology in place that suits the GDPR requirements; too often existing systems do not take the new requirements into account. Although the organization is confident that the technology will incorporate the required controls soon, AlleeWonen does not want to overinvest in technical controls. Malicious people will always find the flaws in systems, no matter the protection level. The organization believes that investing too much in technical controls will frustrate employees, who will seek ways to bypass the security controls, which would be counterproductive. Taking responsibilities away from employees and putting all security controls onto the systems will make people lazy; in that case, technical controls will undermine the security awareness and compliant behavior of employees. Therefore, AlleeWonen believes that the people-focused controls are the most essential aspect to invest in.

AlleeWonen puts high value on ethical behavior. The organization will take its moral responsibility to avoid harm and a damaged reputation by protecting the personal data of data subjects. Ethical reasoning is the prime motive for data protection implementations. Not all controls are implemented at this moment, because the organization follows the mainstream and prioritizes controls by necessity. In addition, the interpretation of the Regulation has been difficult. AlleeWonen prefers to wait for more practical guidelines and jurisprudence instead of starting to implement controls incorrectly. The organization works closely with lawyers and other experts to gain more knowledge about the GDPR, in order to become compliant. Another control implementation motive emerges from the assumption that the supervisory authority will be tolerant if controls are not yet implemented.
 

4.2   Data  analysis  

In   the   data   analysis   the   three   cases   are   compared   to   each   other   in   the   cross-­‐case   analysis  
(table   6),   to   find   similarities   that   can   be   generalized   to   the   context   of   the   Dutch   housing  
associations  industry.  Based  on  the  findings  a  comparison  between  the  Wbp-­‐  and  the  GDPR-­‐
compliance   of   DHAs   is   made.   Also,   the   findings   are   compared   with   the   theory   to   find  
similarities  and  differences.    
 
4.2.1   Cross-­‐case  comparison  

The three cases are compared side by side to find similarities and differences. The similarities and differences may form patterns that can be generalized to a broader context. Table 6 visualizes the cross-case analysis, including the implementation status of each control. Several similarities and differences across the cases are found. The similarities with regard to the implementation and the challenges are categorized per control domain, followed by the identification of the motives.
 
Similarities
At first, all three organizations are traditionally technology- and process-driven. There has been less focus on the human element. As a result, the technology- and process-based controls are the most developed. All three housing associations have invested in technical controls (the measures in table 6) to build a figurative protective wall between the internal organization and the external environment, such as authorizations and access control. However, the organizations depend on their IT suppliers to include the new data protection requirements in the systems. Nonetheless, the organizations want to prevent data breaches that may harm tenants and employees and cause reputational damage. The organizations feel that they have a moral responsibility to protect the personal data of individuals.

TABLE 6: CROSS-CASE ANALYSIS

Second, the organizations do have an information security policy, while other procedures and plans are often not yet or only partially formulated. The organizations are investing substantial time in addressing the GDPR data protection principles of purpose limitation, data minimization and retention limitation by identifying and classifying all data processed in each business process. The retention limitation principle is considered the most challenging principle to address. Erasing data before or on the retention expiry date requires the organizations to have full oversight of where data is stored, digitally (such as in mailboxes or on local devices) and physically (such as paperwork). This is difficult to examine. The data classification can be considered the starting point for the obligation to keep a register of data processing activities. AlleeWonen has already completed the development of such a register. Woongoed and Wonen Zuid are still developing theirs, while Woongoed has already started to redefine its business processes in order to minimize data collection. Nonetheless, the organizations are confident that they will complete the classification before the Regulation takes effect, but whether all business processes will be redefined and free of unnecessary data collection by then is questionable. Regarding the implementation of controls to demonstrate compliance to the supervisory authority, the organizations have made similar progress. Where data breaches have occurred, the organizations have notified them and records are kept. The organizations are working on updating the agreements with processors.
Third, several similarities are found regarding the people control domain. The people-focused controls are considered the most important for becoming compliant, and at the same time these controls are the least implemented. The organizations consider their employees not ready for the GDPR at this moment. Nonetheless, in the meantime all organizations have planned or started security awareness actions, and supporting sources for employees to consult are readily available. All three organizations conclude that improving and maintaining the security awareness and compliance behavior of employees will be the most challenging and require the most effort, followed by the process-based controls. Another similarity is the absence of a DPO. However, appointing one is not yet obligatory.
Fourth, several similarities are identified regarding the motives for implementing controls or not. Interpreting the GDPR has been troublesome for the organizations. The open norms can be ambiguous and sometimes contradict other legislation, complicating the implementation of required controls. The organizations hope for corrective amendments or jurisprudence to provide better guidance. In addition, the organizations assume that the supervisory authority will be tolerant if not all required controls are implemented at the early stage. As long as they can explain their decisions and show progress in implementing data protection controls, the organizations believe sanctions will be mild or absent. The organizations try to optimize their control implementation level, seeking a balance between compliance and a workable situation for employees. These considerations were decisive in determining the appropriateness of the technical controls at all organizations, which they have done thoughtfully. Although weighing costs and benefits from this perspective could be helpful as a motive for implementation, none of the organizations has actually performed a cost-benefit analysis.
 
Differences
The housing associations differ from each other on several aspects. Regarding the people-focused controls, the difference in top-management interest between the organizations is remarkable. The engagement of top management at AlleeWonen is considered not optimal. The top management does not show more interest in data protection than the employees, and some top managers do not fully support control implementations, because they think they know better or for political reasons. Wonen Zuid has not started with security awareness actions. Although top management realizes the need to respond to the GDPR and potential actions have been discussed, practical plans have not been made yet. The top management of Woongoed is considered the most engaged of all organizations, since the managers are given responsibilities regarding data protection. The data protection tasks are divided among the managers, which gets them easily involved with the GDPR. Also, Woongoed’s employees are considered the most engaged, followed by those of AlleeWonen. The latter has difficulties involving one department. However, the overall employee interest at AlleeWonen is considered good. Wonen Zuid has concluded that data protection is not yet in the minds of its employees. Nonetheless, the employees are showing signs of growing interest.
Different approaches to improving security awareness have been encountered. Woongoed and AlleeWonen have similar approaches. They organize sessions with employees for training and education and attempt to create a security awareness climate. Wonen Zuid embraces a more technical approach, focusing on individuals. The organization uses a software tool (a chatbot) to get employees involved with the GDPR and data protection. Although the chatbot might contribute less to the creation of a security awareness climate, the sources and means employees may use to gain knowledge about data protection are available at any time in a central location. Wonen Zuid has historically invested most in technical solutions. The organization puts high trust in technology, like the use of a chatbot, also for changing people’s behavior. Woongoed and AlleeWonen believe that technology should have a supporting role. Woongoed tries to find the solution first in people- and process-based controls instead of introducing technical solutions. The organization trusts its employees to do what is best for protecting tenants’ data and wants to put fewer restrictions on the employees’ jobs. AlleeWonen believes that too much focus on technology will undermine the security awareness of employees, since technical solutions will take over the employees’ responsibilities regarding data protection. Consequently, employees will become less conscious and less alert.
Other differences have been found in the way procedural controls are implemented. Woongoed does not believe in the effect of documenting everything or writing plans and procedures for each process, while the other organizations have planned to formulate processes in detail. Woongoed foresees no problems with not having formulated plans and procedures for performing processes, since it considers its employees self-sufficient and competent to fulfill their tasks.
 
4.2.2 Comparison between Wbp and GDPR

The GDPR can be considered a major upgrade of the Wbp. Organizations are faced with many more obligations, which require new controls to be implemented. The GDPR objectives are not too different from the Wbp objectives. Both legislations aim for better data protection and privacy for individuals. However, the Regulation attempts to give individuals more control to protect their own personal data by providing them with more rights. The introduction of the Wbp dates back to 2001. For 16 years the Wbp has been applicable to all organizations located in the Netherlands, which means that DHAs too must comply with the law. The findings from the case study research show that none of the cases actually complies with the Wbp. Similar to the objectives, the data protection principles of the Wbp are carried over to the GDPR. This means that organizations already have to address principles like purpose limitation, data minimization and retention limitation. None of the three DHAs has acted in accordance with these principles. The organizations have often collected as much data as possible, since it may be convenient for their customer service. Purpose limitation and data minimization have been neglected. In addition, all of the organizations have stored personal data too long without considering the legal retention period. Apparently, the introduction of the GDPR has forced the organizations to rethink their data processing activities much more than the Wbp did, while the Wbp had similar requirements. In that sense, the GDPR has already been effective.
 
4.2.3 Comparison between theory and findings

The comparison between the theory and the findings is performed on three aspects. The similarities and differences between the theory and the findings contribute to shaping new perspectives on the theories of the privacy and data protection discipline. The three aspects are: (1) the mechanical approach to information security, (2) security awareness and (3) implementation motives.
 
Mechanical approach to information security
The findings from the case study are similar to the findings from the empirical research of Merete Hagen et al. (2008) regarding the implementation of information security controls. The inverse relationship between the implementation of information security controls and how the effectiveness of the controls is assessed has been observed at the three housing associations. The technology-based controls are implemented most, followed by the process-based controls, while the people-focused controls are the least implemented at the three housing associations. At the same time, the organizations believe the people-focused controls are the most effective for becoming GDPR compliant. The focus on technology- and process-based controls over the people-focused controls is also known as the mechanical approach to information security.
Merete Hagen et al. (2008) suggest three reasons for the lack of people-focused controls in organizations: (1) resource demand, (2) the positioning of information security and (3) top-management engagement. The findings at Wonen Zuid demonstrate that the high demand for resources to implement people-focused controls has been a constraint for the organization. The organization has not managed to organize security awareness training or education sessions with a group of employees, while the other two organizations have had no problems managing this. Wonen Zuid was not able to set up such a gathering, due to limited time and other priorities. The IT domain has traditionally been occupied with information security, which might be another reason for a lack of people-focused controls. Until recently, this was the case at all three housing associations, as the IT professionals were the only employees concerned with information security and data protection. Wonen Zuid seems to stick with this more than the other organizations, as it introduces a technical solution (a chatbot) to improve security awareness. In addition, the importance and benefit of a recently implemented control was not communicated to all employees at Wonen Zuid, being understood only by the IT department. The fact that the organizations have positioned information security at the IT department for a long time can be a reason for the immature security awareness of employees today. The absence of people-focused controls might also result from a lack of top-management engagement. However, this was not supported in the case of AlleeWonen. Its top-management engagement was considered not optimal, while the organization has implemented the most comprehensive security awareness actions of all. Nonetheless, top-management engagement is considered an important factor for creating security awareness.
Based on their empirical findings, Merete Hagen et al. (2008) have developed a staircase of information security, visualized in figure 8. The staircase encompasses the three essential domains to be addressed for information security and data protection, including people-focused controls, and is considered a response to the mechanical approach to information security. Although the staircase involves people-focused controls, the order of the stairs still indicates a mechanical approach at the first two steps: the technical controls form the foundation on which the organizational or process-based controls are built (mechanical). The security awareness controls are important for motivating people to act in accordance with the organizational or process-based controls and to understand the benefit and necessity of technical controls. The people-focused controls add a new element after the mechanical approach is applied at the first two steps, making the staircase approach less mechanical.
 
 
 
 
 
FIGURE 8: INTERPRETATION OF THE INFORMATION SECURITY STAIRCASE (MERETE HAGEN ET AL., 2008)
Based on the findings of Merete Hagen et al. (2008) and the case study results, a pattern among the participating organizations has been identified. The observed organizations traditionally come from a mechanical approach. This was the case for the sample of Merete Hagen et al. and for the three DHAs participating in this case study research. The reasons for this approach and for the lack of people-focused controls are also related to the mechanical approach, the positioning of information security at the IT department in particular. In fact, the organizations have followed the steps of the staircase in their past. However, the findings of both case studies demonstrate that the organizations fall too short regarding security awareness and educated employees. Now, the organizations have to make a major catch-up effort. New organizations that want to implement controls for information security and data protection purposes and follow the steps of the staircase will be confronted with problems similar to those of the organizations participating in this case study. This means that the staircase does not break the pattern of the mechanical approach identified in both case studies. The security awareness controls will be implemented only after the implementation of the mechanical controls, which requires a catch-up effort from these organizations, while it is known that the security awareness controls are the most resource demanding. Therefore, the staircase has shortcomings to overcome, as it does not sufficiently solve the problems of the mechanical approach.
 
Security awareness
Humans play a significant role in information security. Their role has been assessed as the most important for adequate data protection. Herath and Rao (2009) have identified a complete set of security awareness actions. The housing associations have performed several of these actions, such as training, education and the creation of a security awareness climate. AlleeWonen has performed most of the actions, followed by Woongoed. Wonen Zuid has an approach that differs from Herath and Rao’s actions. The organization is starting to use a chatbot to educate and train its employees. A chatbot offers a solution to the availability of resources. Instead of searching for answers to data protection issues in multiple documentation systems, employees can ask their question directly to the chatbot and start a conversation.
Apart from the diversity of the security actions applied by the three organizations, the effectiveness of the actions has been assessed similarly. The organizations believe that creating security awareness is most effective through experiential learning. Employees are more willing to adjust their behavior when they are emotionally involved. Therefore, the experiential learning approach can complement the education and training actions mentioned by Herath and Rao (2009).
 
Implementation motives
Four motives for implementing controls have been identified in different theories: (1) ethical reasoning, (2) cost-benefit analysis, (3) authority enforcement and (4) interpretation of the legislative texts. All three housing associations have indicated that they implement controls for ethical reasons. They state that their moral responsibility towards individuals is the main driver for becoming GDPR compliant. The lack of authority enforcement, or the belief in authority tolerance, and having issues with the interpretation of the Regulation are motives for the housing associations to desist from implementation so far. These three motives have been observed in all three cases. None of the housing associations has conducted a cost-benefit analysis. Although some implementations did require careful consideration, no serious cost-benefit analyses were conducted.
 
4.2.4 Summary of results

The case study findings offer valuable insights into the data protection control implementation of DHAs, useful for best practices. The cross-case analysis identifies several similarities and differences among the cases. One clear pattern has been observed. The organizations originate from a mechanical approach to information management, as they are traditionally process- and technology-oriented. People-focused controls have been overlooked for a long time. The findings are in accordance with the theory of Merete Hagen et al. (2008). At the same time, the findings also provide new perspectives on the same theory, which are discussed in chapter 5.
 
 

5. Discussion

This chapter discusses the results from the previous chapter to formulate answers to the sub questions and the main research question, with the aim of deducing the aspects that must be taken into account by DHAs responding to the GDPR. The response to the GDPR must be interpreted in terms of implementing data protection controls to address the legal obligations. The first sub question identifies in broad terms what the GDPR is about and why organizations, and DHAs in particular, have to comply with the legislation. The second and third sub questions move on to ‘what’ controls should be implemented and ‘how’, specifically for DHAs. The fourth sub question addresses the practical challenges and motives of DHAs with regard to their control implementation. This may assist other DHAs in anticipating similar issues related to data protection.
 
1. What are the differences between the Wbp and GDPR in terms of principles, objectives and obligations to data controllers and processors?

The GDPR replaces the Wbp on 25 May 2018. The GDPR builds on the Wbp and introduces new obligations or adds extra requirements to existing obligations for data controllers and processors. The GDPR principles are drawn from the Wbp, whose principles were based on Directive 95/46/EC. Two principles have been made more explicit and are strongly emphasized: transparency and accountability. Many of the new obligations are based on these two principles. These principles contribute to one of the objectives of the Regulation, which aims to strengthen data protection rights by giving individuals more control over their personal data. This objective and the objective to unify the regulatory system for all EU organizations and citizens are new in comparison with the Wbp. The Wbp objectives to protect individuals against unjustified collection, recording, use and dissemination of personal data, and to enable the free flow of personal data between Member States, have remained unchanged in the GDPR.
 
The GDPR introduces a set of new obligations for data controllers and data processors. These obligations mainly aim at increased accountability of organizations regarding their processing activities and at more transparency towards data subjects, and they apply to both data controllers and data processors. At the same time, data subjects are provided with more rights to protect their own personal data processed by these organizations. To address the accountability principle, organizations must maintain a register with all information about their data processing activities, which is a new GDPR obligation. Other new obligations that reinforce the accountability of organizations are the appointment of a DPO and the execution of a DPIA. However, these obligations only apply to organizations that meet specific conditions. To encourage more transparency towards individuals about data processing activities, the GDPR obliges organizations to inform individuals about their data processing activities through a privacy statement. When consent functions as the legal ground for a processing activity, individuals must be well informed in clear language. To address the objective of giving individuals control over their personal data, several new rights are introduced. Rights for individuals are not new with the introduction of the GDPR. Existing rights, such as the rights to access, rectification and objection, remain almost the same except for some details. New rights are the right to be forgotten, which must ensure that personal data is destroyed after a valid request, and the right to data portability, enabling the free movement of an individual’s customer data from organization to organization.
 
2. What data protection controls are required to enable GDPR compliance?

To address the GDPR obligations and to protect the personal data of individuals, controls must be implemented in three domains: technology, processes and people. The technology-based controls consist of physical and technical controls. The process-based controls consist of procedural and compliance controls, and the people-focused controls consist of security awareness actions. The identified technology- and process-based controls are derived from the ISO 27001-2 and 27018 information security standards (paragraphs 2.7.2 and 2.7.3). The identified people-focused controls are based on the security awareness framework of Herath and Rao (paragraph 2.7.1). The effectiveness of the controls is related to the mutual dependencies of the three control domains. According to the staircase of Merete Hagen et al. (2008), the technology-based controls form the first step, being the foundation of information security. The process-based controls (step 2) are built upon the technology-based controls and give shape to the formal systems, while the people-focused controls enable the execution of the process- and technology-based controls as intended. In addition, the people, as step 3, give life to the process-based controls. The staircase was developed to challenge the mechanical approach to information security. However, the staircase is still based on the mechanical approach, since the first two steps are mechanical controls. To discourage organizations from regarding information security as an IT matter and to prevent them from having to make resource-demanding catch-up investments to brush up the security awareness and knowledge of employees, the staircase must be reconsidered. Figure 9 visualizes the adjusted staircase.
 

 
FIGURE 9: ADJUSTED INFORMATION SECURITY AWARENESS STAIRCASE OF MERETE HAGEN ET AL. (2008)

 
Instead of the technology-based controls, the people-focused controls are considered the foundation for information security, and hence for data protection. Involving all employees takes data protection out of the IT domain. Explaining why data protection is important and informing employees about the benefits of technology- and process-based controls, at the earliest implementation stage possible, saves organizations from having to make major catch-up efforts. Moreover, the knowledge of employees might be used to contribute to the development and implementation of controls, which is illustrated by the arrows in the figure. The organizations create employee awareness and understanding and might gather valuable knowledge from those employees at the same time. To implement the controls according to the adjusted staircase, it is assumed that several requirements must be met, which are derived from Herath and Rao’s theory (2009). Top-management engagement is supposed to be crucial for two reasons. First, the resources such as time, locations and tools must be made available. Second, the creation of a security awareness climate relies on top-management engagement. Such a security awareness climate is considered a condition for the success of the people-focused controls as the foundation of data protection. Other requirements are effective training and education methods and readily accessible sources for studying.
 
3. To what extent are the required controls implemented by the housing associations?

Based on the case study findings, the overall implementation of the data protection controls is in the initial phase. The findings indicate that several controls required to achieve compliance with the Wbp have not been implemented at the organizations. This is demonstrated by the fact that the organizations have been collecting and processing personal data without a clear purpose. Until recently, the organizations traditionally had a mechanical approach to information security, focusing on technical and formal systems rather than the human element. The technology-based controls are the most developed by the three participating organizations. The internal organizations are shielded from the external environment and security obstacles are set up to prevent data breaches. The process-based controls are less developed than the technology-based controls, due to the time and effort they demand, and some are new and not yet implemented. All organizations have formulated an information security policy and several procedures and plans. However, the required controls to become compliant are not sufficiently implemented. The people-focused controls have been overlooked for a long time. Although the organizations appreciate security awareness actions more than the other controls, their implementation has fallen too short for a long time. The introduction of the GDPR has forced the organizations to start security awareness actions to involve employees and to encourage compliance behavior. Today the people-focused controls gain more attention, since the organizations have moved away from their mechanical approach to information security. The DHAs have planned or implemented several controls to increase security awareness.
 
4.  What  are  the  implementation  challenges  and  motives?  
 
The findings from the case study imply that the housing associations face implementation challenges in each control domain. However, the major challenge comes with the people-focused controls. It will take much effort to get all employees involved in data protection and to improve their security awareness. However, improving knowledge about the risks and changing people's behavior is essential for protecting the data of individuals. The organizations consider the improvement and maintenance of security awareness among employees the most challenging task. Challenges regarding the process-based controls are the time and effort needed to formulate the policies, procedures, plans and protocols and to identify and classify the data in each business process. This identification and classification is required to address the principles of purpose limitation, data minimization and retention limitation, which are taken into account little or not at all at the DHAs. The implementation challenges for the technology-based controls are related to dependence on third parties. The IT suppliers must update their systems with new features that enable data protection in accordance with the GDPR obligations, and the DHAs are concerned whether this will be done adequately and on time. Another challenge regarding the technology-based controls is the balance between compliance and workability. The organizations want to comply with the legislation through control implementation, realizing that they have a moral responsibility to protect the data of tenants and employees. However, this must not hinder the day-to-day work of employees too much, since that would frustrate them or even undermine their security awareness and their willingness to behave in accordance with the GDPR.

As suggested, the main motive for the DHAs to implement controls is ethical. However, an organization might decide not to implement controls because of the expected severity of supervisory authority enforcement: the organizations believe that the authority will be tolerant if not all required controls are implemented, as long as the organizations are able to show progress regarding data protection. In addition, the open norms of the Regulation might be ambiguous and conflict with other legislation. Because of this, the lack of guidance from the Regulation might be perceived as a problem and become a motive not to implement controls yet.

Main  research  question:  
 
“How  should  Dutch  housing  associations  respond  to  the  General  Data  Protection  Regulation?”  
 
The combination of the answers to the sub-questions provides the answer to the main research question. The answer to the first sub-question gives a broad explanation of the GDPR in comparison with the Wbp, addressing the principles, objectives and obligations that must be met. This contributes to understanding the legislation and knowing what is asked of DHAs regarding data protection. Based on the obligations, the required data protection controls are identified and observed at three DHAs, which has resulted in an adjusted staircase for implementing data protection controls. Together this provides the answers to sub-questions 2 and 3. The fourth sub-question, which addresses the challenges and motives, may assist DHAs in anticipating issues related to data protection.

The research has identified the GDPR principles, objectives and obligations for organizations, and for DHAs in particular. In addition, a control list has been identified that encompasses the three control domains that must be implemented to protect personal data. DHAs will most likely achieve compliance when the required controls are implemented. Yet the data protection controls must be implemented adequately. In order to do so, DHAs must implement all three control domains of information security, including people, and abandon the mechanical, technology- and process-driven approach. The three domains are mutually dependent and only take effect when all three are implemented. This research suggests that the implementation of the mechanical data protection controls, being the technology- and process-based controls, must be coherent with the people-focused controls (figure 10). This control domain is regarded as the most effective for protecting the personal data of individuals, both by the DHAs and by other case studies. The people-focused controls must function as the foundation of the controls, in order to involve employees at the earliest stages and create security awareness and understanding. At the same time, the employees' thoughts and knowledge can be used as input for the development and implementation of the technology- and process-based controls.

FIGURE 10: ADJUSTED INFORMATION SECURITY AWARENESS STAIRCASE OF MERETE HAGEN ET AL. (2008)
 
Gaining employee involvement in data protection and improving their security awareness on a continual basis is considered the most challenging. Security awareness requires resources, engagement from top-management and maintenance. If the controls are implemented as suggested by the adjusted staircase, a security awareness strategy must be formulated in order to launch a successful campaign.

6.  Conclusion  

In  conclusion,  the  research  explored  how  DHAs  should  respond  to  the  GDPR.  The  results  of  
the  research  are  threefold.    
 
First, a list of required controls has been identified by means of a literature review. The list contains a comprehensive set of controls in the three domains, people, process and technology, that must be addressed to achieve compliance.
 
Second, the status of control implementation and the challenges and motives in the field of the Dutch housing association industry have been identified by conducting case study research. The overall control implementation status is in the initial phase and substantial progress has to be made for GDPR compliance. The DHAs have moved away from their traditional technology- and process-driven organization. However, the people-focused controls are still immature. The main challenge comes with the implementation of those people-focused controls, which enable improving the security awareness of employees. Nevertheless, the DHAs have demonstrated their willingness to invest in control implementation to become GDPR compliant. They are motivated by their moral responsibility. However, the perceived lack of supervisory authority enforcement and the ambiguity of the legislative texts might undermine the implementation of data protection controls.
 
Finally, the research has contributed to the extension of the information security staircase of Merete Hagen et al. (2008) by emphasizing the importance of the human aspect of the organization in protecting personal data and information security. The original staircase of Merete Hagen et al. (2008) was developed to challenge the mechanical approach to information security. However, the foundation of the original staircase consists of technology-based controls and is therefore still rather mechanical. Therefore, an adjusted staircase with people-focused controls as the foundation, on which the technology- and process-based controls are built, has been proposed.

6.1   Academic  value  

The research adds value to both schools of the data protection and privacy discipline. However, the main contribution is made to the second school. The principles and open norms of the Regulation are interpreted, in comparison with the Wbp, to identify the data protection controls that address the obligations. This interpretation has resulted in a comprehensive list of controls covering the three control domains. Both the comparison between the Wbp and the GDPR and the control list might be useful for future research.
 
The research also contributes to the first school, which attempts to judge the GDPR on its effectiveness. To do so, it depends on the practical research of the second school: the first school is only able to assess effectiveness by comparing the GDPR control implementation of organizations against the number of data breaches and the perceived privacy of individuals. The body of evidence on the control implementation of organizations produced by the second school is therefore essential. This research contributes to that evidence.
 
Furthermore, the research adds value to the academic domain by extending the theory of Merete Hagen et al. (2008). The information security staircase has been adjusted, based on the case study findings, to emphasize more strongly the importance of the human element in information security and data protection and to move away from the mechanical approach to information security. The adjusted staircase replaces the technology-based control foundation of the original staircase with a people-focused control foundation, which has been assessed as the most effective control domain.
 

6.2   Practical  recommendations  

 
First, the research focuses on the Dutch housing association industry. Most results and conclusions of the research apply only to that industry. However, the outcomes, or parts of them, can be of value for other organizations implementing data protection controls. Eventually, all organizations established in the EU have to comply with the GDPR. The three control domains, which are present and relevant for almost all organizations, require investments to protect personal data properly. In particular, the people-focused controls are advised to act as the foundation of data protection.
 
A second practical recommendation addresses the application of the proposed adjusted staircase by organizations implementing information security and data protection controls. If organizations decide to adopt the adjusted staircase, this will still demand substantial resources. One might argue that there is no difference between the original and the adjusted staircase in terms of resource demand: where resources were previously invested in catch-up efforts to brush up the security awareness of employees, these investments are now moved forward. This may be true. However, the learning curve of employees during the control implementation projects might lower the need for security awareness actions over time, which saves resources in the end. Nonetheless, to implement people-focused controls as suggested by the adjusted staircase, a security awareness strategy is needed to launch a successful campaign, for which change management practices might be helpful. Furthermore, to give shape to the process-based controls, the implementation of an ISMS based on the ISO 27k standards might be helpful. The literature review has demonstrated that the controls of the standard contribute to a substantial number of GDPR obligations. To implement technology-based controls, the formulation of a data protection by design and by default strategy is recommended as a starting point, also for specifying requirements towards suppliers.
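As an added illustration, not taken from the thesis or from any housing association's systems, the Python snippet below shows how a "data protection by default" technology-based control can make the three principles named in the answer to sub-question 4 (purpose limitation, data minimization and retention limitation) checkable against a register of processing activities. The purposes, field names, retention periods and sample records are constructed assumptions for the example only.

```python
"""
Illustrative 'data protection by default' checks against a register of
processing activities: purpose limitation, data minimization and retention
limitation. Added example; purposes, fields, retention periods and records
are assumptions for illustration, not the thesis's or any DHA's own data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ProcessingActivity:
    """One register entry: the purpose, the fields that purpose needs, and
    how long a record may be kept after its trigger date."""
    purpose: str
    allowed_fields: FrozenSet[str]
    retention_days: int


# Hypothetical register for a housing association (constructed for the example).
REGISTER: Dict[str, ProcessingActivity] = {
    "tenancy_administration": ProcessingActivity(
        purpose="tenancy_administration",
        allowed_fields=frozenset({"name", "address", "iban", "rent_amount"}),
        retention_days=7 * 365,  # assumed: kept 7 years after end of tenancy
    ),
    "repair_request": ProcessingActivity(
        purpose="repair_request",
        allowed_fields=frozenset({"name", "address", "phone"}),
        retention_days=2 * 365,  # assumed: kept 2 years after completion
    ),
}


@dataclass
class Record:
    purpose: str
    trigger_date: date  # e.g. tenancy end date or repair completion date
    fields: Dict[str, str] = field(default_factory=dict)


def excess_fields(record: Record, register=REGISTER) -> List[str]:
    """Data minimization: fields stored that the registered purpose does not
    need. A purpose missing from the register violates purpose limitation,
    so every stored field counts as excess."""
    activity = register.get(record.purpose)
    if activity is None:
        return sorted(record.fields)
    return sorted(set(record.fields) - activity.allowed_fields)


def is_expired(record: Record, today: date, register=REGISTER) -> bool:
    """Retention limitation: True once the purpose's retention period has
    passed, or when there is no registered purpose to justify keeping it."""
    activity = register.get(record.purpose)
    if activity is None:
        return True
    return today > record.trigger_date + timedelta(days=activity.retention_days)


def review(records: List[Record], today: date, register=REGISTER) -> Dict[str, List[int]]:
    """Indices of records that need minimizing and records to delete or anonymize."""
    result: Dict[str, List[int]] = {"minimize": [], "expire": []}
    for i, rec in enumerate(records):
        if excess_fields(rec, register):
            result["minimize"].append(i)
        if is_expired(rec, today, register):
            result["expire"].append(i)
    return result


# Constructed sample records with fictitious values; the review date matches
# the thesis's date of writing.
AS_OF = date(2017, 7, 31)
SAMPLE_RECORDS: List[Record] = [
    Record("tenancy_administration", date(2012, 1, 31),
           {"name": "A. Tenant", "address": "Voorbeeldstraat 1",
            "iban": "NL00TEST0123456789", "rent_amount": "650"}),
    Record("repair_request", date(2016, 11, 3),
           {"name": "B. Tenant", "address": "Voorbeeldstraat 2",
            "phone": "0600000000", "iban": "NL00TEST9876543210"}),  # iban not needed
    Record("marketing", date(2017, 5, 1),  # purpose never registered
           {"name": "C. Tenant", "email": "c@example.invalid"}),
]

if __name__ == "__main__":
    print(review(SAMPLE_RECORDS, AS_OF))
```

The repair request keeps a bank account number the purpose does not need, and the marketing record has no registered purpose at all; both surface as findings, which is the kind of evidence an organization would need to show the supervisory authority that purpose limitation and data minimization are enforced rather than merely written into a policy.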
 
A third practical recommendation addresses the IT audit discipline. The data protection controls are retrieved from the ISO 27k standards. Although the framework provides a comprehensive set of controls that contribute to data protection, it does not address the three control domains sufficiently: people-focused controls are mentioned only briefly. When audits on data protection and GDPR compliance are conducted, the certifiable ISO 27001 works well for assessing the technology- and process-based controls. For the assessment of the people-focused controls, additional actions must be undertaken. These might involve social engineering, such as phishing mails, phone calls or a company visit aimed at obtaining unauthorized access to someone's personal data. Assessing security awareness and desirable behavior by testing employees in their own familiar working environment can be a powerful tool.
 
A fourth practical recommendation applies to the internship company VVA-informatisering and other consultancy firms. The case study demonstrated a demand for guidance in implementing the required people-focused and process-based controls, and less so for the technology-based controls. VVA-informatisering already helps organizations to formulate information security policies and plans. However, VVA-informatisering might be of further value to the DHAs by offering advice on improving the security awareness of employees or guidance on interpreting the GDPR. Potential services might be a set of security awareness actions, such as social engineering (phishing, or company visits and phone calls by mystery guests), data breach simulations, password workshops or the arrangement of a complete security awareness campaign. VVA-informatisering could also offer a course, including workshops, to guide DHAs or other organizations towards GDPR compliance.
 

6.3   Limitations    

The research has several limitations because of time and resource constraints. A first limitation is that the case study involved only three organizations. Because of this, the findings might not generalize to all other Dutch housing associations or to organizations from other industries. A second limitation arises from the empirical research, which consists only of interviews. The findings are based on the answers provided by the respondents. The topic of data protection and privacy might be perceived as sensitive by the respondent or the organization, and the respondent could feel uncomfortable answering freely. Although triangulation was applied by interviewing different people from the same organization, the subjectivity and knowledge of the respondents could have resulted in incomplete, overstated or understated answers on certain topics. Finally, this research was conducted by a single researcher. His interpretation may be subjective and the findings may differ when the research is repeated by other researchers.

6.4   Directions  for  future  research  

This research mainly contributes to the second school of the data protection and privacy discipline. The assumption is made that correct implementation of the GDPR controls will automatically result in the protection of the personal data of individuals. To address the first school, the effectiveness of the GDPR could be assessed based on the list of required technology-based, process-based and people-focused controls. The following research questions might be asked: does the implementation of GDPR controls result in better protection of the personal data of individuals? Or, in a broader sense: does the GDPR actually achieve its objective of protecting the personal data of individuals and their privacy? Does it have shortcomings, or does it go far beyond its objectives? Future research might also involve testing the proposed adjusted information security staircase on its effectiveness or feasibility in a larger sample, possibly in comparative research. Another direction for future research is to apply this research's case study to a larger sample to validate its effectiveness and to overcome shortcomings, also in relation to the adjusted staircase. In addition, organizations that have not yet formulated an information security policy could be researched. Furthermore, the research could be conducted in other industries to find out how organizations there respond to the GDPR, which might be used for comparative research.

7.  Bibliography  

Aedes (2016). Handreiking gegevensbescherming. Retrieved on 21 March 2017 from https://www.aedes.nl/artikelen/bedrijfsvoering/risicomanagement/gegevensbescherming/aedes-handreiking-gegevensbescherming-beschikbaar.html
Albrechtsen,  E.  (2007).  A  qualitative  study  of  users'  view  on  information  security.  Computers  
&  security,  26(4),  276-­‐289.  
Alhadeff,   J.,   Van   Alsenoy,   B.,   &   Dumortier,   J.   (2012).   The   accountability   principle   in   data    
protection   regulation:   origin,   development   and   future   directions.   Managing  
Accountability  through  Privacy,  49-­‐82.  
BDO   Netherlands   (2016,   16   November).   Code   Oranje   'Corporaties,   maak   werk   van  
informatiebeveiliging'   .   Consulted   on   10   March   2017,   from   https://www.bdo.nl/nl-­‐
nl/perspectieven/bdo-­‐informatiebeveiliging-­‐woningcorporaties-­‐ondermaats  
Bieker,  F.,  Friedewald,  M.,  Hansen,  M.,  Obersteller,  H.,  &  Rost,  M.  (2016).  A  Process  for  Data  
Protection  Impact  Assessment  Under  the  European  General  Data  Protection  Regulation.  
In  Independent  Centre  for  Privacy  Protection  Schleswig-­‐Holstein  (pp.  21–27).    
Burgemeestre,  B.,  Hulstijn,  J.,  &  Tan,  Y.  H.  (2009).  Rule-­‐based  versus  principle-­‐based  regulatory  
compliance.  In  Frontiers  in  Artificial  Intelligence  and  Applications  (Vol.  205,  pp.  37–46).    
Bulgurcu,  B.,  Cavusoglu,  H.,  &  Benbasat,  I.  (2010).  Information  security  policy  compliance:  an  
empirical   study   of   rationality-­‐based   beliefs   and   information   security   awareness.   MIS  
quarterly,  34(3),  523-­‐548.  
Calder, A. (2006). Information Security Based on ISO 27001/ISO 17799: A Management Guide. Van Haren Publishing.
Costa,  L.,  &  Poullet,  Y.  (2012).  Privacy  and  the  regulation  of  2012.  Computer  Law  and  Security  
Review,  28(3),  254–262.    
Culnan,  M.  J.,  &  Williams,  C.  C.  (2009).  How  ethics  can  enhance  organizational  privacy:  lessons  
from  the  choicepoint  and  TJX  data  breaches.  Mis  Quarterly,  673-­‐687.  
Directive   95/46/EC   1995.   (1995,   24   October).   Consulted   on   21   March   2017,   from   http://eur-­‐
lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML  
De Hert, P., & Papakonstantinou, V. (2012). The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals? Computer Law and Security Review.
De  Hert,  P.,  &  Papakonstantinou,  V.  (2016).  The  new  General  Data  Protection  Regulation:  Still  
a   sound   system   for   the   protection   of   individuals?   Computer   Law   and   Security   Review,  
32(2),  179–194.    
Dhillon,   G.,   &   Backhouse,   J.   (2001).   Current   directions   in   IS   security   research:   towards   socio-­‐
organizational  perspectives.  Information  Systems  Journal,  11(2),  127-­‐153.  
European  Commission.  (2010).  A  comprehensive  approach  on  personal  data  protection  in  the  
European  Union.  Communication.  Retrieved  from  
http://ec.europa.eu/health/data_collection/docs/com_2010_0609_en.pdf  on  20  April  
2017  
General  Data  Protection  Regulation  2016.  (2016,  27  April).  Consulted  on  21  March  2017,  
from  http://eur-­‐lex.europa.eu/legal-­‐content/NL/TXT/?uri=CELEX%3A32016R0679  
Herath,   T.,   &   Rao,   H.   R.   (2009).   Protection   motivation   and   deterrence:   a   framework   for  
security   policy   compliance   in   organisations.   European   Journal   of   Information   Systems,  
18(2),  106-­‐125.  
Herriott,   R.   E.,   &   Firestone,   W.   A.   (1983).   Multisite   qualitative   policy   research:   Optimizing  
description  and  generalizability.  Educational  researcher,  12(2),  14-­‐19.  
ISO/IEC (2013). ISO/IEC 27001:2013 Information technology. Security techniques. Specification for an information security management system. Geneva, Switzerland: ISO/IEC.
ISO/IEC (2013). ISO/IEC 27002:2013 Information technology. Security techniques. Code of practice for information security controls. Geneva, Switzerland: ISO/IEC.
ISO/IEC (2014). ISO/IEC 27018:2014 Information technology. Security techniques. Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. Geneva, Switzerland: ISO/IEC.
King, J. L., & Schrems, E. L. (1978). Cost-benefit analysis in information systems development and operation. ACM Computing Surveys (CSUR), 10(1), 19-34.
Koops, B.-J. (2014). The trouble with European data protection law. International Data Privacy Law, 4(4), 250–261.
Koops,  B.-­‐J.,  &  Leenes,  R.  (2014).  Privacy  regulation  cannot  be  hardcoded.  A  critical  comment  
on  the  “privacy  by  design”  provision  in  data-­‐protection  law.  International  Review  of  Law,  
Computers  &  Technology,  28(2),  159–171.    
Lyons,  D.  (1999).  Open  Texture  and  the  Possibility  of  Legal  Interpretation.  Law  and  Philosophy,  
18(3),  297.    
Merete   Hagen,   J.,   Albrechtsen,   E.,   &   Hovden,   J.   (2008).   Implementation   and   effectiveness   of  
organizational   information   security   measures.   Information   Management   &   Computer  
Security,  16(4),  377-­‐397.  
PwC   Netherlands   (2017,   January).   Privacy   Governance   onderzoek   Volwassenheid   van  
privacybeheersing  binnen  Nederlandse  organisaties  .  Consulted  on  10  March  2017,  from  
https://www.pwc.nl/nl/assets/documents/pwc-­‐privacy-­‐governance-­‐onderzoek-­‐
2017.pdf  
Schermer,  B.  W.,  Custers,  B.,  &  van  der  Hof,  S.  (2014).  The  crisis  of  consent:  How  stronger  legal  
protection   may   lead   to   weaker   consent   in   data   protection.   Ethics   and   Information  
Technology,  16(2),  171–182.    
Sundt,   C.   (2006).   Information   security   and   the   law.   Information   Security   Technical  
Report,  11(1),  2-­‐9.  
Tallberg,   J.   (2002).   Paths   to   compliance:   Enforcement,   management,   and   the   European  
Union.  International  Organization,  56(3),  609-­‐643.  
Veenstra,   J.,   Allers,   M.   A.,   &   Koolma,   H.   M.   (2013).   Grote   verschillen   in   doelmatigheid  
woningcorporaties.  Economisch  Statistische  Berichten,  98(4668),  4.  
Vroom,   C.,   &   Von   Solms,   R.   (2004).   Towards   information   security   behavioural   compliance.  
Computers  &  Security,  23(3),  191-­‐198.  
Wet  bescherming  persoonsgegevens  2000.  (2000,  6  July).  Consulted  on  21  March  2017,  from  
http://wetten.overheid.nl/BWBR0011468/2017-­‐07-­‐01  
Yin, R. K. (2009). Case study research: Design and methods. Sage Publications.

7.1 List of figures and tables

Figure 1: Thesis structure (p. 14)
Figure 2: Primary business processes of DHAs (p. 16)
Figure 3: Supporting business processes of DHAs (p. 16)
Figure 4: Three pillars of information security (p. 17)
Figure 5: Information security controls categorized (p. 21)
Figure 6: Information security staircase (p. 22)
Figure 7: Information security controls categorized (p. 35)
Figure 8: Information security staircase (p. 61)
Figure 9: Adjusted information security staircase (p. 66)
Figure 10: Adjusted information security staircase (p. 70)

Table 1: Procedural controls (p. 36)
Table 2: Compliance controls (p. 37)
Table 3: Technology-based controls (p. 38)
Table 4: Case study tactics (p. 43)
Table 5: Case study sample (p. 44)
Table 6: Cross-comparison analysis (p. 56)

Appendix 1: NEN-ISO/IEC 27002 sections

Appendix  2:   Case  protocol  and  interview  questions  

Section: Introduction
Contents: This protocol is used to guide the case study investigator through data collection and analysis. The protocol is a standardized agenda and contributes to the reliability of the research.

Section: General
Contents: An exploratory case study consisting of three DHAs is used in the research.

Section: Procedures
Contents: The sample consists of three cases; selection has been based on size. The sample is selected as representative for the industry, which is the unit of analysis. The provisions of the Regulation apply to all organizations active within the EU. Therefore, a sample involving small, medium and large housing associations has been selected for collecting evidence, which contributes to more robust results. Different organizational roles are interviewed: privacy officer, information manager and/or controller.

Section: Research instrument
Contents: The main research instrument is semi-structured interviews with open-ended questions. The interview contains three categories according to the pillars of information security and is coded a priori.

Section: Data analysis guidelines
Contents: The case protocol is applied to all cases to make the interviews and findings uniform. Triangulation is applied by involving different roles from the same organization. Data analysis is executed by a cross-case analysis and a comparison between legislation, theory and findings to look for patterns. Sources of data are scientific literature, DHA industry references and interview data.
 
 
The semi-structured interview consists of open-ended questions. The supplementary 'how' questions following each question are not formulated in advance. The open questions are asked in such a way that the interviewee is stimulated to answer the question himself, without the investigator giving away too many details. Several questions contain checklists, which help the investigator to address all relevant topics and to guide the answers if necessary.
 
Nr | Question | Code
0 | Introduction |
 | What is your role in data protection and information security? |
 | What is your opinion about the GDPR introduction? |
 | Does the organization make demands regarding certification to suppliers? |
 | What special categories of personal data are processed? |
 | What are the organization's high-risk information sources? |
A | People-based controls |
1 | Did the organization appoint a DPO? Is he approved by the authority? | A1
2 | To what extent is data protection a topic of interest for top management? | A2
3 | To what extent is data protection a topic of interest for employees? | A3
4 | To what extent are employees ready for the GDPR? | A4
5 | How does the organization undertake actions to improve/maintain employee compliance behavior? (checklist: Education (why); Skills trainings (how); Organization security climate (activities, promotion); Incentives or disincentives) | A5
6 | Are resources (online trainings, policies, procedures, promoting and supporting mechanisms) available and easily accessible to employees? | A6
7 | What are the challenges for the organization to increase awareness? | A7
8 | What are the motives for the control implementation? If implementation lacks: Unawareness/ignorance; Cost/benefit/risk analysis; Authority enforcement/tolerance | A8
B | Process-based controls |
9 | How does the organization weigh the risks for, and interests of, tenants and the organization regarding personal data processing? | B1
10 | Does the organization conduct data protection impact assessments (DPIA)? Why or why not? | B2
11 | How does the organization address the GDPR principles? (checklist: Purpose limitation; Data minimization; Retention limitation) | B3
12 | To what extent has the organization formulated information security policies, procedures and guidelines? (checklist: Information security policy and plan; Data breach procedure and guidance (when/what/how to report?); Personal data access request process and procedures; Test procedures for security controls; Data archiving and destruction procedures; Data retention policies; Authorization and access policies and lists; Incident response plan; Business continuity and data recovery plan) | B4
13 | How does the organization inform tenants about the data processing activities? (checklist: Privacy statement; Direct notification; Consent mechanisms (affirmative act)) | B5
14 | How does the organization demonstrate compliance to the supervisory authority? (checklist: Maintain data processing records; Maintain data breach records; Report data breaches (also to the data subject); Conclude contracts with data processors including the newly stipulated terms; External audits) | B6
15 | What are the challenges for the organization to implement the process-based controls? | B7
16 | What are the motives for control implementations? If implementation lacks: Unawareness/ignorance; Interpretation of open norms, ambiguity; Cost/benefit/risk analysis; Authority enforcement/tolerance | B8
C | Technical-based controls |
17 | To what extent has the organization formulated privacy by design and privacy by default strategies and patterns? | C1
18 | To what extent are technical measures implemented? (checklist: Pseudonymization / anonymization; Archiving data; Measures to block or erase data systematically; Access/authorization blocks; Separation of data; Record including all relevant information about the processing; Cloud storage or DMS (instead of local storage and e-mail exchange); Store data in a structured, machine-readable format; Regularly testing, assessing and evaluating controls; Internal audit) | C2
19 | How does the organization determine the appropriateness of controls? | C3
20 | What are the challenges for the organization to implement the technology-based controls? | C4
21 | What are the motives for control implementations? If implementation lacks: Unawareness/ignorance; Interpretation of open norms, ambiguity; Cost/benefit/risk analysis; Authority enforcement/tolerance | C5
 
 

Appendix 3: Interview agenda

Date | Respondents | DHA | Location
06-07-2017 | Colette Kersten (privacy officer) | AlleeWonen | Roosendaal
06-07-2017 | Hans van Beelen (information manager) | AlleeWonen | Roosendaal
06-07-2017 | Peter Lambregts (controller) | AlleeWonen | Roosendaal
07-07-2017 | Frans van der Ploeg (information manager) | Woongoed Middelburg | Middelburg
20-07-2017 | Albert van Heugten (information manager) | Wonen Zuid | Roermond
20-07-2017 | Ruud van der Borgh (controller) | Wonen Zuid | Roermond

- Permission to voice-record the interviews was given by all respondents.
- Anonymization of the interview data was not required.
 

Appendix 4: Interview data Woongoed Middelburg

Woongoed Middelburg, respondent: Frans van der Ploeg (information manager)

A. People-based controls
Code | Question | Answer | Outcome
A1 | DPO | No DPO appointed according to the GDPR. However, we have tried to assign the DPO tasks to different roles within our organization, since we are all responsible and have our accountability. We as Woongoed always assure that we are able to explain and clarify our legislative interpretations and decisions, such as control implementations. As long as we can explain what, why and how we took measures, the authority will be more tolerant, we believe. | X
A2 | Management interest | Managers are responsible for their process. These responsibilities force managers to take data protection seriously. Managers are concerned with what is allowed and what is not. We always discuss with all managers what actions are being undertaken and why. Also, actions are approved by and reported to the board. | V
A3 | Employee interest | There is. The employees pay more and more attention to data protection and are asking what is permitted and what is not. They have discussions with each other and ask me (information manager) whether their behavior is compliant. | V
A4 | Employee readiness | Not ready yet. However, we try to make our employees alert in an attractive manner and step by step. I think we made serious progress. | X
A5 | Security awareness actions | |
 | Education | I believe in learning through experience. Employees are not interested in legal texts. That is why we organize phishing mails and interactive sessions to increase awareness. | V
 | Trainings | The phishing mail was a big success. | V
 | Security climate | We try to keep up the awareness and desired behavior. This is achieved by sharing experiences, and lately employees became active in detecting data breaches or unjust requests for personal data from other parties. | !
 | Incentives and disincentives | | X
A6 | Sources availability | Yes, central storage of data protection tooling, such as: what are the categories of data (normal, special, sensitive) and are we allowed to process them? Also, employees can come to me for support or other issues related to data protection. | V
A7 | Implementation challenges | To keep all employees alert and aware. |
A8 | Rationale of investment | Over the last years people have realized that a housing association is a company that is based on IT, which has some weak spots. Woongoed does not want to have bad publicity. The GDPR is a trigger for us to really invest in data protection, organization-wide and not only technically. Our organization is transforming its IT landscape. Therefore, we try to implement controls step by step without disrupting employees' daily tasks. Otherwise it is too much at the same time. |

B. Process-based controls
Code | Question | Answer | Outcome
B1 | Weighing risks | In the past, we had the belief that we should collect as much data as we could, since it could be useful some day. Now we've started to ask ourselves: what do we really need? Only collect, store and process what we really need. All data we do not need and still collect brings unwanted risks and even requires storage space. We save money by not collecting more data than needed. | V
B2 | DPIA | We do not conduct DPIAs. We are not ready for a DPIA, since we are still drawing up our data processing register including all partners we share data with. It is hardly possible to conduct a DPIA for all data sources and combinations of data that could be leaked. Therefore, we will conduct a DPIA when we are confronted with a data breach. | X
B3 | Principles | We pay attention to all of them. |
 | Purpose limitation | We always define the legal ground and purpose of the processing. |
 | Data minimization | We minimize data by collecting the least possible. |
 | Retention limitation | Where possible, we keep our data retention limited. |
B4 | Policies, procedures, guidelines | If you plan everything and formulate procedures for all processes, possible incidents etcetera, you have to update the documents regularly. Woongoed does not believe in documenting everything. Keep it simple, have clear responsibilities and always respond based on common sense and in consultation with colleagues. |
 | Infosecurity policy and plan | We have both. | V
 | Data breach procedure | Work process and procedure for data breaches, also an incident team based on responsibilities. | V
 | Request process | Not yet. | X
 | Test procedures | We do not have test procedures or protocols for how to test our systems. We only test in practice, based on common sense. | X
 | Archiving and destruction | We made arrangements about what we collect, in which digital folders, for how long and when to erase. | !
 | Data retention policies | No policy; however, we apply the AWR (Dutch tax legislation) retention periods for our data retention. | !
 | Authorization and access lists | Yes. Employees are related to roles. Roles are related to an authorization level. We also use personal tags for building access. | V
 | Incident response plan | No, we trust our IT partners to have incident response plans if systems are down. | X
 | BC&DR | We have outsourced this to our network partner. They make back-ups on different levels. | X
B5 | Information provision | |
 | Privacy statement | We do not have one. | X
 | Direct notification | No, we only have direct contact if there were a data breach that must be communicated. | X
 | Consent | We include our processing activities in the agreements with tenants. Therefore, they are consenting. | !
B6 | Compliance | |
 | Register of processing | Drawing up the register. | !
 | Register of data breaches | We record our data breaches in a register. | V
 | Report data breaches | 1 data breach notified to the authority. | V
 | Contracts with processors | Working on it. Not all conform with the GDPR. | !
 | External audits | Not yet. This can wait until we have implemented all controls. | X
B7 | Implementation challenges | It takes a lot of time. Data protection will always be a side issue that exists next to the daily jobs of employees, since it is not core business. |
B8 | Rationale of investment | Cost/benefit/risk analysis: if it takes too much time to implement controls and when it can be done differently than the GDPR prescribes, we may decide not to be fully compliant. |

C. Technical-based controls
Code | Question | Answer | Outcome
C1 | Privacy by design strategy | No, we do not have one. Privacy by design/default is a source of conflict for our organization. We have always based our organization on trust. All employees have been allowed to consult all personal data of tenants for optimal customer service. Each employee must sign a confidentiality agreement and we believe that they are professionals. We place a high value on customer service and trust. Therefore, we did not have privacy by design/default strategies and patterns. However, we always take privacy and data protection into account regarding our processes. Always ask the question: do we need this data? In practice we apply privacy by design and by default, but there are no strategies formulated. | X
C2 | Technical measures | |
 | Ano/Pseudonymization | None of them. What is the added value? When a tenant has a complaint, all employees must be able to help them. Therefore we do not pseudonymize data. Only for statistical research do we anonymize data. | X
 | Archiving data | We start working with a new archiving system soon. | !
 | Block/erase data systematically | Yes we do. Also, employee data erasure takes place within 2 days after the end of employment. Some fields are blocked for editing or erasure. Also, some data sets are assigned to authorization levels and are therefore blocked. | V
 | Access control | | V
 | Authorizations | | V
 | Separation of data | Personal data is stored in 1 database. | X
 | Register of processing activities | Working on it. | !
 | Cloud storage | No cloud, only server. | !
 | Data stored in structured format | No. | X
 | Regularly testing/evaluating controls | No, not yet. | X
 | Internal audits | No, we will start doing that after completing the implementation. | X
C3 | Appropriateness of measures | | V
C4 | Implementation challenges | To limit the technical controls to what really is necessary. You can invest in very high technical security measures at big costs. Also, if employees cannot work with the system or the security levels are an obstacle, the controls will have counterproductive effects. Technology should be supportive. |
C5 | Rationale of investment | Try to find the solution on the people and organizational side first and then move to technology. |
 
 

Appendix 5: Interview data Wonen Zuid

Wonen Zuid, respondents: Albert van Heugten (information manager) & Ruud van der Borgh (controller)

A. People-based controls
Code | Question | Answer | Outcome
A1 | DPO | No, not yet. We know the appointment of a DPO is advisable for housing associations. As long as the organization does not appoint an official DPO, the I&A manager (Albert) will execute the DPO's tasks. | X
A2 | Management interest | The board is aware of the necessity. However, they trust the middle management to implement the controls adequately. | !
A3 | Employee interest | In the beginning stage of interest. The employees feel the urgency of handling personal data with care and some have started adjusting their behavior. | !
A4 | Employee readiness | Not yet ready. The organization has been 'incompetent aware' so far. | X
A5 | Security awareness actions | Introduction of an interactive chatbot for our employees. All questions regarding data protection and information security can be asked to the chatbot. In addition, the chatbot can also push alerts to employees to start a quiz with them. |
 | Education | Through the chatbot. Motivating employees step by step. | V
 | Trainings | Through the chatbot. | !
 | Security climate | We draw attention to news topics, such as ransomware attacks and phishing mails. | !
 | Incentives and disincentives | The organization makes use of disincentives by putting thresholds on attached files. When an employee wants to open an attached file, a pop-up always appears for confirmation. This puts up a barrier for employees against opening every file randomly and contributes to their awareness. | !
A6 | Sources availability | Not yet, later through the chatbot. | X
A7 | Implementation challenges | Relatively new for people. Data protection is not yet embedded in the minds of people and they do not perceive what the risks are. Getting employees involved is the major challenge. At the moment the environment of employees is changing. Asking time from employees to act on yet another topic is difficult. Arranging an employee meeting with everyone together in a classroom has not been feasible so far. |
A8 | Rationale of investment | We feel the urgency to comply with the law. The moral responsibility is our main driver. Furthermore, many decisions regarding data protection still have to be made. The decision-making on the control implementation lies with the middle management. The approval of plans, procedures and policies lies with the top management. We assume that the authority will be satisfied and tolerant when the organization is able to demonstrate progress in becoming compliant, such as procedures, assigned responsibilities and other controls, and being transparent about processing activities. |

B. Process-based controls
Code | Question | Answer | Outcome
B1 | Weighing risks | First the organization will classify the data in our processes. Based on the classification we will identify the risks for individuals and the organization. | !
B2 | DPIA | Not yet. This will be a logical follow-up to our data classification process for evaluation. However, we are not ready for it. | X
B3 | Principles | In progress. |
 | Purpose limitation | Limiting the collection of data we do not need for a certain process and making sure we know, for each piece of data, why we need it. Our data classification will assist in this. |
 | Data minimization | Minimize the data to the least form possible. |
 | Retention limitation | We have to start cleaning up our history of personal data whose retention period has expired. |
B4 | Policies, procedures, guidelines | |
 | Infosecurity policy and plan | | V
 | Data breach procedure | Waiting for approval by the board. | !
 | Request process | | X
 | Test procedures | | V
 | Archiving and destruction | Only for the information management system. | !
 | Data retention policies | Only for the information management system. | !
 | Authorization and access lists | Both physical and logical. | V
 | Incident response plan | Data breach procedure. | V
 | BC&DR | | V
B5 | Information provision | |
 | Privacy statement | Drawing up a new one in conformance with the AVG (GDPR). | !
 | Direct notification | | X
 | Consent | | X
B6 | Compliance | |
 | Register of processing | Started with the data classification. | !
 | Register of data breaches | | V
 | Report data breaches | One data breach. Although not required, the organization has notified the authority and the detector. | V
 | Contracts with processors | Not yet. | X
 | External audits | | X
B7 | Implementation challenges | A lot of work and time. |
B8 | Rationale of investment | The GDPR does not provide clear guidelines; it is sometimes too abstract. |

C. Technical-based controls
Code | Question | Answer | Outcome
C1 | Privacy by design strategy | Not yet. The organization has started conversations with our ERP and DMS supplier to upgrade the systems in order to meet the data protection requirements. |
C2 | Technical measures | |
 | Ano/Pseudonymization | New requirements for systems. | !
 | Archiving data | New requirements for systems (ERP). | !
 | Block/erase data systematically | We are looking for a solution to block BSN numbers. Systematic destruction of data will also be a new requirement for the system. | !
 | Access control | Stricter access controls planned. 2control tool to control and evaluate authorizations. | V
 | Authorizations | Clear authorizations, both technical and logical (VPN from home). | V
 | Separation of data | No, the ERP system has only 1 database. | X
 | Register of processing activities | Not yet; after we have classified our data and listed processors. | X
 | Cloud storage | Server storage; we discourage local storage. | !
 | Data stored in structured format | PDF formats. | V
 | Regularly testing/evaluating controls | Not under discussion yet. Only for our information security, not for data protection specifically. | !
 | Internal audits | An audit plan has been made for our IT processes, not yet for data protection specifically. | !
C3 | Appropriateness of measures | Appropriate measures are focused on compliance. |
C4 | Implementation challenges | The organization is dependent on suppliers. Whether they supply the systems with the required data protection levels on time is challenging. |
C5 | Rationale of investment | Our focus now is on the people-based controls. The effectiveness of information security is mainly based on the awareness of people rather than the technical aspect. Wonen Zuid historically invested most in technical controls and we are close to the optimal level. |
 
 
 
 
 
 
 
 
 

Appendix 6: Interview data AlleeWonen

AlleeWonen, respondents: Colette Kersten (privacy officer); Hans van Beelen (information manager) & Peter Lambregts (controller). In the second answer column, H: marks Hans van Beelen and P: marks Peter Lambregts.

A. People-based controls
Code | Question | Answer (Colette Kersten) | Outcome | Answer (Hans van Beelen & Peter Lambregts) | Outcome
A1 | DPO | Not yet, and no need for one according to the GDPR. If a DPO becomes obligatory, they will appoint one. The job requirements are challenging to satisfy. So far a privacy officer will be sufficient. | X | H: Not yet. Since it is not mandatory, we do not appoint one. We as AlleeWonen are not a pioneering organization. We are following the mainstream on this topic; however, we take our responsibilities as we should. | X
A2 | Management interest | No more than regular employees. The management should express their interest more to influence employees. In fact, there is more resistance from management than from regular employees. | X | H: Present. However, the drive comes from the middle layer of the organization and especially our awareness team. P: The team consists of members from all organizational disciplines: management, technical, communication, juridical, control. | !
A3 | Employee interest | Some departments do have interest and are active in adjusting their behavior; some have less (such as HR), which is alarming, since they process the personal data of all employees. | ! | H: There is organization-wide interest, among employees from all different departments. Everyone is very conscious and we keep each other alert. Employees report suspicious emails directly, for instance. | V
A4 | Employee readiness | Not yet; however, there is willingness from the major part of the employees to adjust their behavior and become compliant before 25 May. | X | Not ready. H: Only for the current Wbp, not for the GDPR. | X
A5 | Security awareness actions | | | |
 | Education | Roadshows for all employees, using videos. Regularly communicating about why actions are undertaken, such as communicating the importance of the introduced confidentiality agreement. | V | H: A 45-minute presentation (roadshow) and a speaker. | V
 | Trainings | Phishing mail to test employees and train them how to recognize it. | V | H: Phishing mail and how to recognize them. | V
 | Security climate | Awareness team for actions, promotion and notification (breaches or losses). | V | H: Awareness team, and we created an organization-wide security climate or atmosphere that encourages employees to keep the awareness in their mind. | V
 | Incentives and disincentives | Incentive for employees that notify losses or potential breaches (encouraging). | V | H: Incentive for employees that notify potential data breaches. | V
A6 | Sources availability | Good availability of the sources. However, people must have self-interest. Nevertheless, the association does offer enough sources to improve interest and behavior. | V | H: Yes, the sources are available to everyone and the information is stored in a special folder, including a FAQ. | V
A7 | Implementation challenges | How to execute actions to enforce desired behavior. How to trigger each department (different interests) to improve awareness. | | H: To keep everyone 'aware' and to avoid employees easing off regarding their compliance behavior. |
A8 | Rationale of investment | Tolerance of the authority. Some controls are not implemented yet, because the organization believes that the authority does not pay too much attention to the lack of these controls. Benefit/cost/risk analysis. High fee (investment) for the security awareness speaker. Effectiveness is difficult to measure, which has been a risk. | | H: Our focus so far has been on the human perspective. AlleeWonen realizes that we have to comply and to improve our data protection, and that the adjustment of our employees' behavior has our priority. |

B. Process-based controls
Code | Question | Answer (Colette Kersten) | Outcome | Answer (Hans van Beelen & Peter Lambregts) | Outcome
B1 | Weighing risks | We want no bad publicity. The organization pays much attention to this. For each processing activity it has been evaluated what data is needed, for what goal and for how long we need it. The black list we use is not approved by the authority. However, we still use the list. We will use it as long as complaints fail to happen. | V | P: With everything we do, we comply with the legislative frameworks. We make considerations about what the justification is for collecting and processing personal data. H: We try to find the balance between our organizational certainties and the data protection legislation. How do we keep it workable according to the law? | V
B2 | DPIA | Not yet; we want to do it when we have implemented more or less all (basic) controls, to evaluate our processing activities and controls. | ! | Not yet according to the GDPR. We do our assessment regarding data protection, governance and audits. | X
B3 | Principles | Pay attention to all of them. | | We did not adopt the principles so far. Only for the BSN do we try to minimize and apply the purpose limitation. Other data is not subject to each of the principles yet. |
 | Purpose limitation | For each piece of data we decide if we really need it and for what purpose. | | For the BSN we are aware that we no longer have a legal ground to collect it. |
 | Data minimization | No longer collecting data that is merely convenient to have in place. We try not to copy; however, many copies are sent by mail and stored in different places. | | We have planned a clean-up of our e-content system to get rid of all BSNs and other data we no longer need or of which the retention period has expired. |
 | Retention limitation | Difficult, since we store data in different places. How do we make sure data is deleted, after expiring, everywhere it is stored? | | Technically not achievable yet; also planned but not yet done. |
B4 | Policies, procedures, guidelines | | | |
 | Infosecurity policy and plan | | V | Dates from 2016; we are working on executing all planned actions. However, we have set the bar high. | V
 | Data breach procedure | | V | | V
 | Request process | | X | No work process for the KCC employees. | X
 | Test procedures | | ! | Fragmented. | !
 | Archiving and destruction | Needs improvement. | ! | We are on it now. | !
 | Data retention policies | Needs improvement. | ! | We have a policy regarding our DMS system, but what is stored locally or on the servers is not mapped. | !
 | Authorization and access lists | | V | On all systems. This is done well. We evaluate the need for authorization of each role/function and narrow down the accessibility if necessary. | V
 | Incident response plan | Needs improvement. | ! | We put some effort into these, including data breach response plans. | V
 | BC&DR | | V | This is included in our partners and our sourcing party. | V
 | Camera protocol | | V | |
 | Recording protocol for customer service employees | | V | |
B5 | Information provision | | | |
 | Privacy statement | Not yet, in progress. | ! | | !
 | Direct notification | | X | | X
 | Consent | Yes, for internal purposes. Planned for tenants when updating their own web portal account; not sure yet how to implement this due to the diversity. Consenting for each action/adjustment? | | | X
B6 | Compliance | | | |
 | Register of processing | Developed to identify all processors and data processed. | V | | V
 | Register of data breaches | No suitable software for developing such registers. Therefore not yet implemented. | ! | | !
 | Report data breaches | No notifiable data breaches so far. Internal analysis reporting. | | |
 | Contracts with processors | All done and AVG (GDPR)-proof. All processors receive the new contracts for signing soon. If contracts are rejected, the partner/supplier's director has to sign for the fact that there is no contract in place. | V | | V
 | External audits | Not yet; we wait for implementation, jurisprudence and our DPIA. | X | | X
B7 | Implementation challenges | Measures to block data automatically. To standardize all processes and procedures organization-wide. | | It is a lot of work. |
B8 | Rationale of investment | There is awareness and a clear foundation for investing in our data protection. Feeling the urgency to comply based on the GDPR and ethics. We decide ourselves what is appropriate to implement, also based on the tolerance of the authority. | | There is a necessity to comply with the GDPR. We do not want to have a damaged reputation. There has not been any discussion or a lack of focus on the requirements for our organization. |

C. Technical-based controls
Code | Question | Answer (Colette Kersten) | Outcome | Answer (Hans van Beelen & Peter Lambregts) | Outcome
C1 | Privacy by design strategy | No strategies or patterns formulated. | | Not yet formulated. We know that we must standardize this. |
C2 | Technical measures | | | |
 | Ano/Pseudonymization | Should be better. | X | Not yet and not planned. We wait for our suppliers to take countermeasures and we follow this. | X
 | Archiving data | New system for archiving. | V | New system, working on it. | !
 | Block/erase data systematically | Yes, some data is blocked from being changed or filled in. | V | Only manually. Some data is blocked from being changed or filled in. | V
 | Access control | Physical control is not sufficient, since anyone can enter and walk through the building. The receptionists are not competent. | V | | V
 | Authorizations | Very strong new authorizations for data access, which may be annoying for employees if unattainable data is
required  to  fullfil  
tasks.  We've  
decided  to  start  
with  a  strict  
authorization  level  
and  after  evaluating  
we  can  decide  to  
loosen-­‐up  the  
authorizations.  We  
think  it  is  best  to  
start  with  a  strict  
level  and  to  lower  
the  severity  over  
Could  not  answer  the   time,  instead  of  the  
        Authorizations   question       other  way  around.     V  
Could  not  answer  the  
        Seperation  of  data   question         X  
Register  of  processing  
        activities     V     V  
Not  in  the  cloud,  
only  on  premise.  In  
fact  is  everything  
cloud  or  local  since  
        Cloud  storage   Use  of  SharePoint   V   it  is  on  a  server   X  

  99  
 
 
 
Not  done,  however  
Data  store  in   it  is  simple.  No  
        structured  format     V   export  available   V  
Authorization  yes,  
internal  audits  not  
active  enough.  After  
implemented  the  
set  of  controls,  we  
Regularly   will  plan  tests  and  
testing/evaluating   evaluations  as  well  
        controls     V   as  internal  audits   !  
Not  yet,  will  be  
Not  yet,  will  be  done   done  more  often  
more  often  later  on   later  on  after  
after  implementing   implementing  
        Internal  audits   controls   X   controls   X  
Always  take  care  of  
the  GDPR  principles  
before  any  activity  of  
data  processing  takes  
place  is  our  way  to  
implement   Contextual  and  
appropriate   situational.  First  we  
measures.   determine  what  is  
Minimalizing  your   required  at  the  
risks,  so  less  data,  less   moment  and  then  
storage  and  clear   we  make  a  decision  
Appropriateness  of   purposes  and  align   to  implement  
    C3   measures   controls  to  this.       controls.        
To  find  the  
manpower  and  time  
to  execute  actions  
and  implement  
controls.  Also  a  lack  
of  urgency,  since  as  
long  we  do  not  
comply  nothing  
happens  (until  the  
authority  starts  
investigating).  
How  to  share   However,  the  
documents  safely?  To   instruments  are  
have  all  the   available  to  take  all  
technology  in  place   countermeasures  
that  suits  the  GDPR   that  are  required.  
requirements,  for   The  main  challenge  
Implementation   instance  a  register  for   is  to  prevent  human  
    C4   challenges   data  breaches  records       flaws.      

  100  
 
 
 
This  is  interesting,  
since  each  
implemented  
tecnical  control  
Toleranance  of   subverts  the  human  
authority.  Evaluate   awareness  and  
the  risks  and  the   increases  the  
GDPR  requirements   laziness.  Also,  if  
as  rationale  of  your   employees  are  
decisions.  Also   malicious  and  want  
benefits/costs/risks,   to  do  harm  to  the  
is  it  necesseray  to   organizations  or  
implement  it  at  this   data  subjects  they  
moment  or  can  it  be   always  find  their  
done  later?  Such  as   way  to  steal  
data  breach   organizational  
insurrance.  What  are   information.  Major  
the  benefits   investments  in  
compared  to  the   technical  controls  
costs?  Do  we  really   are  not  effective  on  
need  it,  how  big  is  the   that  account.  
risk?  Decided  not  to   Putting  efforts  on  
take  such  insurrances,   increasing  
because  we  think  it  is   awareness  and  
not  necessary  at  this   compliance  
moment  compared  to   behavior  among  
the  costs.  Also  the   employees  all  the  
interpretation  of  the   more.  Also  if  the  
norms.  The  legislation   technical  measures  
is  still  changing,   are  considered  as  
therefore  we  wait-­‐ annoying  and  the  
and-­‐see.  We  look  to   systems  take  over  
the  GDPR  as   the  responsibilities  
guidelines  and  we   of  employees,  this  
implement  our   will  have  a  
Rationale  of   controls  as  good  as   counterproductive  
    C5   investment   we  can.       effect.        
 

  101  

Anda mungkin juga menyukai