Security of personal data

For a responsible handling of personal data, properly securing these data is of paramount importance. This is 1 of the 6 basic principles of the General Data Protection Regulation (GDPR) for a reason.

On this page

  1. General information

If the security has not been arranged properly, this may result in, for example, a data breach. Which entails a risk of, for example, identity fraud.

Security measures

Every organisation that processes personal data must ensure that the personal data have been properly secured. To this end, the organisation has to decide for itself which security measures are necessary. In addition, the security of personal data within the organisation must be a point of continuous attention.

Supervision by the Dutch DPA

The Dutch Data Protection Authority (Dutch DPA) monitors how organisations secure their personal data processing operations. If an organisation has not arranged the security properly, the Dutch DPA may intervene and conduct an investigation. This may result in, for example, imposing a fine.

Quick answers

What is multifactor authentication?

Multifactor authentication (also called MFA) is a technique that requires the use by a person or a system of a combination of at least 2 different types of authentication factors in order to gain access.

What is authentication?

Authentication is the security mechanism that regulates access control. It requires verification of the (digital) identity of a user or system through an authentication means.

Examples of multifactor authentication

Examples of multifactor authentication are:

  • the combination of a password and a one-time code (token) by text message;
  • the combination of a password and a smartcard;
  • the use of an app or hardware token that generates changing passwords in combination with a password or PIN code.

Authentication factors

The 3 most common authentication factors are:

  • Something (only) the user knows. For example, a password, a PIN code or another unique authentication code.
  • Something the user has. For example, a smartcard, a token or a key. A (mobile) telephone also belongs to this category and is often used for SMS tokens.
  • Something the user is. For example, biometric data, such as a fingerprint. This category also includes distinguishing products of acts, such as a signature or kinetic measurements of a keyboard.

Other authentication factors are:

  • Where the user is. This authentication factor is based on a geographic determination. For example, by using the IP address.
  • How the user behaves. This authentication factor is based on recognising behaviour. For example, by using a login time.

What is not a multifactor authentication?

A combination of the same type of authentication factor is not a multifactor authentication. For example, when multiple combinations of user names and passwords are necessary for gaining access. User names and passwords both fall within the ‘something the user knows’ type of authentication factor. As a result, these combinations do not qualify as multifactor authentication.

In general, the following examples are not authentication factors for the use of a computer or an application:

  • an access pass using which access can be gained to an area to which multiple people have access;
  • a unique telephone or unique computer (unless the mobile phone generates a temporary password or uses a built-in authentication factor);
  • a unique IP address.

More information

Do legacy systems also have to comply with the GDPR?

Yes. When processing personal data, you always must comply with the rules from the General Data Protection Regulation (GDPR). This also applies if you use a legacy system. The GDPR does not make an exception for such systems.

This means, among other things, that you:

  • Must sufficiently secure the personal data that you process in your legacy system. In doing so, you have to take the state of the art and current threats into account.
  • Must ensure that the people whose data you process can exercise their privacy rights. They may ask you, for example, to erase their personal data. You therefore have to make sure, among other things, that removing data from your legacy system is possible.
  • Must comply with the general principles from the GDPR, such as privacy by default.


Do you supply a legacy system as a processor? Then you will have to comply with these rules as well, insofar as appropriate given your sphere of influence. In addition, you also have to perform the processing in accordance with the arrangements in the processing agreement.

Risks when using legacy systems

A legacy system is an ICT facility that has been in use for a very long time. For example, legacy software or a legacy application. Often, legacy systems have been developed with the help of tools or techniques that are no longer common.

An accurate documented description of how exactly legacy systems work is also often missing. This makes it sometimes difficult to adjust a legacy system or to export or remove personal data from the system.

If you use a legacy system, you run the risk of not complying with the GDPR. For example, because the system uses outdated technology that leads to security risks. It is therefore necessary to adjust these outdated systems to the requirements of the GDPR.

Gerelateerde thema's en onderwerpen


Data breaches

It is important that organisations take immediate action if they have a data breach. And that they have proper security in place to prevent and mitigate the consequences of data breaches as much as possible.
Go to subject